Forum Discussion
iRule newbie - Whitelisting IP address for Specific URL and Attack Pattern
Hello community,
One of our third party applications has false-positive blocks for a specific attack pattern,
which we want to whitelist, but as our F5 support explained, it cannot be done for a specific IP; it needs to be URL and pattern based without an IP limitation.
I'm not expecting much, but what is the reason behind it? Performance?
Can this be done?
IP: x.x.x.x
Pattern: 200002034 - SQL-INJ "ifnull"
URL: "/path/to/excluded/url1"
Your comments are valuable!
ChatGPT output for the exact same question, but I couldn't test it:
when ASM_REQUEST_DONE {
    # Client IP that should be exempt from this one signature
    set client_ip [IP::client_addr]
    # Request path only (HTTP::uri would also carry the query string)
    set url [HTTP::path]
    # Paths on which the exemption applies. This is a Tcl list, so keep
    # comments outside the braces: inside them they become list elements.
    set excluded_urls {
        "/path/to/excluded/url1"
        "/path/to/excluded/url2"
        "/path/to/excluded/url3"
    }
    # Signature ID to exempt (200002034, SQL-INJ "ifnull" from the question)
    set excluded_attack_pattern "200002034"
    # Release a blocked request only when the client IP and path match and
    # the excluded signature is the ONLY signature ASM matched; any other
    # signature on the same request keeps the block in place.
    if { [ASM::status] equals "blocked"
         && $client_ip equals "x.x.x.x"
         && [lsearch -exact $excluded_urls $url] != -1
         && [ASM::signature ids] equals [list $excluded_attack_pattern] } {
        ASM::unblock
    }
}
- AubreyKingF5Moderator
I think it can be done, but not w/ an ASM irule. I can't write this now, as I'm sick and on quick, but the idea is to take the asm policy off the vip, then use an irule like this:
- when http_request, check URI.
- if uri matches [list of disallowed uris], exit the irule.
- else, if no match, apply ASM policy.
I am going to tell you, though.. depending on traffic levels, this could get computationally expensive.
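The HTTP_REQUEST flow described in the reply above, written out as an added example (not code from the thread or from F5). It departs from the "take the policy off the vip" step: the policy stays attached to the virtual server and ASM::disable skips it per request, which is the documented way to get the same per-request bypass. It also adds the client IP condition from the question. The data group name dg_asm_bypass_paths and the IP x.x.x.x are assumptions, not values from the thread:

```tcl
# Assumed: an address/string data group "dg_asm_bypass_paths" listing the exempt
# paths (e.g. "/path/to/excluded/url1"), and the third-party client IP "x.x.x.x".
# The ASM policy remains attached to the virtual server; ASM::disable turns it
# off for matching requests only.
when HTTP_REQUEST {
    if { [IP::client_addr] equals "x.x.x.x"
         && [class match [HTTP::path] equals dg_asm_bypass_paths] } {
        # Exempt client on an exempt path: record the bypass so it is
        # visible in the LTM log, then skip the policy for this request.
        log local0. "ASM bypass: [IP::client_addr] [HTTP::method] [HTTP::path]"
        ASM::disable
        return
    }
    # Every other request is inspected by the attached policy as usual.
}
```

Note that this exempts the whole policy for that client and path, which is wider than the single-signature exemption asked for: anything else sent on those paths from that IP is no longer inspected. Matching on HTTP::path with an exact data group entry, rather than on HTTP::uri with starts_with, keeps a query string or a longer path from widening the bypass, and the log line gives the SOC a record of every request that skipped inspection.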