Forum Discussion
iRule creation based on Host Address contains IP Address
Assuming that HTTP::host will always match VS IP:
when HTTP_REQUEST {
    if { [HTTP::host] eq [IP::local_addr] } { ASM::disable }
}
Hi,
Additionally, we want one more condition: if the request is blocked under the ASM violation (Host header contains IP address), then only it gets allowed, and for other violations it should get blocked only.
Thanks,
Amit
- CA_Valli, Jan 13, 2023, MVP
Hello, I've been messing with my lab a little and I've seen that this violation triggers the "HTTP protocol compliance failed" violation with "HTTP parser attack" (I'm running v13.x).
So, according to https://clouddocs.f5.com/api/irules/ASM__violation_data.html we should be able to intercept this running the following:
when HTTP_REQUEST {
    set bypass 0
    if { [IP::client_addr] eq "10.0.0.1" && [HTTP::host] eq [IP::local_addr] } {
        set bypass 1
    }
}
when ASM_REQUEST_DONE {
    if { $bypass } {
        if { [ASM::violation names] eq "VIOLATION_HTTP_SANITY_CHECK_FAILED" && [ASM::violation attack_types] eq "ATTACK_TYPE_HTTP_PARSER_ATTACK" } {
            ASM::unblock
        }
    }
}
I've tested this but had no success, as ASM_REQUEST_DONE seems to never fire in my lab, along with all ASM_* events, for some reason... I'll look into that when I have some more free time next week.