Forum Discussion
Lead
Nimbostratus
Nimbostratusirule creation based on Host Address contains IP Address
help in creating irule for disabling ASM policy when traffic from certain Source IP address and violation triggered as Host header contains IP address
LeadNimbostratus
NimbostratusHi,
Additionaly we want 1 more condition if request blocked under ASM violation (Host header contain IP address)
then only it gets allowed and for other violation it should gets blocked only.
Thanks,
Amit
CA_Valli
MVP
MVP
Hello, I've been messing with lab a little and I've seen that this violation triggers "HTTP protocol compliance failed" violation with "HTTP parser attack" (I'm running v13.x)
So, according to https://clouddocs.f5.com/api/irules/ASM__violation_data.html we should be able to intercept this running the following:
when HTTP_REQUEST {
set bypass 0
if {[IP::client_addr] eq "10.0.0.1" && [HTTP::host] eq [IP::local_addr]}{ set bypass 1 }
}
when ASM_REQUEST_DONE {
if {$bypass}{
if {[ASM::violation names] eq "VIOLATION_HTTP_SANITY_CHECK_FAILED" && [ASM::violation attack_types] eq "ATTACK_TYPE_HTTP_PARSER_ATTACK" }{ ASM::unblock }
}
}
I've tested this but had no success, as ASM_REQUEST_DONE seems to never fire in my lab amongst with all ASM_* events for some reason .. I'll look into that when I have some more free time next week.