Forum Discussion
ndel_119904
Nimbostratus
Mar 08, 2013
iRule to bypass specific ASM blocking
Hey guys,
One of my servers is issuing a URL to an F5 virtual server, but ASM is blocking the request because it's seeing it as an "evasion technique." The URL does indeed have a '%' at the end of it, so I understand why it's being blocked.
Can an iRule bypass ASM Evasion Techniques if the request is coming from a specific IP?
I was looking at the iRule command 'ASM::violation_data,' but that doesn't look like it's intended to bypass attack methods, but rather only used to tell you if an attack method was triggered.
I know I can set up an iRule to disable ASM entirely if the request matches a particular source IP, and that'll be a last resort if there's no way to be granular about the request.
Thanks!
1 Reply
- Mike_Maher
Nimbostratus
So I think something like this would work:
    when ASM_REQUEST_VIOLATION {
        # ASM::violation_data returns the details of the violation as a list
        set x [ASM::violation_data]
        # Log every field of that list for troubleshooting
        for {set i 0} { $i < 7 } {incr i} {
            switch $i {
                0 { log local0. "violation=[lindex $x $i]" }
                1 { log local0. "support_id=[lindex $x $i]" }
                2 { log local0. "web_application=[lindex $x $i]" }
                3 { log local0. "severity=[lindex $x $i]" }
                4 { log local0. "source_ip=[lindex $x $i]" }
                5 { log local0. "attack_type=[lindex $x $i]" }
                6 { log local0. "request_status=[lindex $x $i]" }
            }
        }
        # Act only on an evasion violation coming from the one known source IP.
        # IP::addr compares addresses; whereis returns geolocation data, not the IP.
        if { ([lindex $x 0] contains "VIOLATION_EVASION_DETECTED")
             and [IP::addr [IP::client_addr] equals 1.2.3.4] } {
            pool pool1
        }
    }
However, what Evasion Tech is this request falling under? Is it the Multiple Decodings violation? If so, I see that a lot, and I normally just change the level from 2 to 3, as I don't really see that as a significant increase in risk to the application. My understanding of ASM is that it will decode the request anyway to see if there is an attack hiding behind obfuscation.
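Why a trailing '%' reads as an evasion attempt, and what a decoding-pass level like the one mentioned in the reply controls, as an added Python sketch (not part of the original thread and not F5's implementation). The function names, the `threshold` parameter and its "flag at this many passes" meaning, and the sample URIs are assumptions constructed for illustration.

```python
import re

# A well-formed percent-escape is '%' followed by exactly two hex digits.
_VALID_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
# Any '%' that is NOT followed by two hex digits cannot be decoded.
_BARE_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def decode_once(s):
    """Decode every valid %XX escape one time; malformed '%' is left as-is.

    Bytes are mapped to code points 0-255, which is enough for this model.
    """
    return _VALID_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def inspect_uri(uri, threshold=3):
    """Return (findings, normalized_uri) for a raw request URI.

    threshold is a hypothetical setting: the number of decoding passes at
    which the URI is reported as multiply encoded.
    """
    findings = []
    # Checked on the raw URI only: a '%' produced by decoding %25 is a
    # correctly encoded literal percent sign, not a malformed escape.
    if _BARE_PERCENT.search(uri):
        findings.append("bad_unescape")

    passes, current = 0, uri
    while True:
        decoded = decode_once(current)
        if decoded == current:  # nothing left to decode
            break
        current, passes = decoded, passes + 1
    if passes >= threshold:
        findings.append("multiple_decoding")
    return findings, current


if __name__ == "__main__":
    # Constructed sample URIs, not taken from the thread.
    for sample in ("/callback?id=42&rate=10%",    # trailing bare '%'
                   "/callback?id=42&rate=10%25",  # same value, encoded
                   "/search?q=a%2520b"):          # encoded twice
        print(sample, inspect_uri(sample, threshold=2))
```

If the sending server can encode the literal percent sign as `%25`, the request decodes to the same value without a malformed escape, so no per-IP exception is needed.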