Forum Discussion
iRule creation based on Host header containing an IP address
Help in creating an iRule for disabling the ASM policy when traffic comes from a certain source IP address and the violation triggered is "Host header contains IP address".
Hi Lead,
Do you want to allow users to access your web service directly by IP address without DNS resolution, or what?
Or
Do you want to disable the ASM policy from inspecting a certain source IP address?
Could you please clarify more ?
Assuming that HTTP::host will always match VS IP:
when HTTP_REQUEST {
    # Skip ASM inspection when the Host header equals the virtual server IP
    if { [HTTP::host] eq [IP::local_addr] } {
        ASM::disable
    }
}
- LeadNimbostratus
Hi,
Additionally, we want one more condition: if the request is blocked under the ASM violation (Host header contains IP address),
only then should it be allowed; for any other violation it should still be blocked.
Thanks,
Amit
Hello, I've been messing with my lab a little and I've seen that this triggers the "HTTP protocol compliance failed" violation with "HTTP parser attack" (I'm running v13.x).
So, according to https://clouddocs.f5.com/api/irules/ASM__violation_data.html we should be able to intercept this by running the following:
when HTTP_REQUEST {
    # Flag requests from the specific client whose Host header is the VS IP
    set bypass 0
    if { [IP::client_addr] eq "10.0.0.1" && [HTTP::host] eq [IP::local_addr] } {
        set bypass 1
    }
}
when ASM_REQUEST_DONE {
    if { $bypass } {
        # Unblock only when this violation and attack type were reported
        if { [ASM::violation names] eq "VIOLATION_HTTP_SANITY_CHECK_FAILED" && [ASM::violation attack_types] eq "ATTACK_TYPE_HTTP_PARSER_ATTACK" } {
            ASM::unblock
        }
    }
}
I've tested this but had no success, as ASM_REQUEST_DONE seems to never fire in my lab, along with all ASM_* events, for some reason. I'll look into that when I have some more free time next week.
- LeadNimbostratus
Hi,
If the request comes from a specific IP, then instead of it getting blocked under the ASM violation (Host header contains IP address), we want the request to be allowed with the help of an iRule.
Thanks,
Lead