Forum Discussion
Lead
Nimbostratus
Hi,
Additionally, we want one more condition: if the request is blocked under the ASM violation (Host header contains IP address),
then only it gets allowed, and for other violations it should get blocked only.
Thanks,
Amit
CA_Valli
Jan 13, 2023 MVP
Hello, I've been messing with the lab a little and I've seen that this violation triggers the "HTTP protocol compliance failed" violation with "HTTP parser attack" (I'm running v13.x).
So, according to https://clouddocs.f5.com/api/irules/ASM__violation_data.html we should be able to intercept this by running the following:
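when HTTP_REQUEST {
    # Default is no bypass; set it only for the one client when the Host
    # header equals the local (destination) address of the connection.
    set bypass 0
    if { [IP::client_addr] eq "10.0.0.1" && [HTTP::host] eq [IP::local_addr] } {
        set bypass 1
    }
}
when ASM_REQUEST_DONE {
    if { $bypass } {
        # Unblock only when this is the sole violation and attack type reported.
        if { [ASM::violation names] eq "VIOLATION_HTTP_SANITY_CHECK_FAILED" && [ASM::violation attack_types] eq "ATTACK_TYPE_HTTP_PARSER_ATTACK" } {
            ASM::unblock
        }
    }
}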
I've tested this but had no success, as ASM_REQUEST_DONE seems to never fire in my lab, along with all ASM_* events, for some reason... I'll look into that when I have some more free time next week.
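An added example, not part of the post above and not F5 code: a Python model of the two conditions in that iRule, useful for checking which requests the exception would let through. The function names and the sample addresses in the test are assumptions; unlike the string comparison in the iRule, this model also matches a Host value that carries a port or a bracketed IPv6 literal.

```python
import ipaddress

# Names taken from the iRule in the post above.
EXPECTED_VIOLATION = "VIOLATION_HTTP_SANITY_CHECK_FAILED"
EXPECTED_ATTACK = "ATTACK_TYPE_HTTP_PARSER_ATTACK"


def host_ip(host_header):
    """Return the IP address in a Host header value, or None for a hostname.

    Accepts "192.0.2.10", "192.0.2.10:8443", "[2001:db8::1]", "[2001:db8::1]:443".
    """
    host = host_header.strip()
    if host.startswith("["):                      # bracketed IPv6 literal
        end = host.find("]")
        if end == -1:
            return None
        rest = host[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        host = host[1:end]
    elif host.count(":") == 1:                    # IPv4 or hostname with ":port"
        host, port = host.split(":")
        if not port.isdigit():
            return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def should_unblock(client_ip, host_header, local_ip, violations, attack_types,
                   allowed_client="10.0.0.1"):
    """True only when the block would be lifted under the post's conditions."""
    ip = host_ip(host_header)
    bypass = (
        ipaddress.ip_address(client_ip) == ipaddress.ip_address(allowed_client)
        and ip is not None
        and ip == ipaddress.ip_address(local_ip)
    )
    # Exact match on the whole list: any additional violation keeps the block.
    only_expected = (
        list(violations) == [EXPECTED_VIOLATION]
        and list(attack_types) == [EXPECTED_ATTACK]
    )
    return bypass and only_expected
```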