Forum Discussion
ndel_119904
Nimbostratus
Mar 08, 2013
iRule to bypass specific ASM blocking
Hey guys,
One of my servers is issuing a URL to an F5 virtual server, but ASM is blocking the request because it's seeing it as an "evasion technique." The URL does indeed have a '%' at the en...
Mike_Maher
Nimbostratus
Mar 08, 2013
So I think something like this would work
when ASM_REQUEST_VIOLATION {
    # ASM::violation_data returns a list describing the violation
    set x [ASM::violation_data]
    # Log each field of the violation data
    for {set i 0} {$i < 7} {incr i} {
        switch $i {
            0 { log local0. "violation=[lindex $x $i]" }
            1 { log local0. "support_id=[lindex $x $i]" }
            2 { log local0. "web_application=[lindex $x $i]" }
            3 { log local0. "severity=[lindex $x $i]" }
            4 { log local0. "source_ip=[lindex $x $i]" }
            5 { log local0. "attack_type=[lindex $x $i]" }
            6 { log local0. "request_status=[lindex $x $i]" }
        }
    }
    # Only for an evasion violation coming from the one known client address
    # (IP::addr compares addresses; whereis returns geolocation, not an IP)
    if {([lindex $x 0] contains "VIOLATION_EVASION_DETECTED")
        and ([IP::addr [IP::client_addr] equals 1.2.3.4])} {
        pool pool1
    }
}
However, what Evasion Tech is this request falling under? Is it the Multiple Decodings violation? If so, I see that a lot, and I normally just change the level from 2 to 3, as I don't really see that as a significant increase in risk to the application. My understanding of ASM is that it will decode the request anyway to see if there is an attack hiding behind obfuscation.
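Added example, not part of the original thread and not F5's implementation: a simplified Python model of the two conditions discussed above, a '%' that does not start a valid escape (such as a trailing '%') and the number of decoding passes a URL needs before it stops changing. It can be used offline to see which condition a URL would fall under before writing an exception. The function names, the constructed sample URLs and the "passes >= level" rule are assumptions.

```python
import re

# A '%' not followed by two hex digits is a malformed escape.
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")
GOOD_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_once(s):
    """Decode every well-formed %XX escape once; malformed '%' is left as-is."""
    return GOOD_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def analyze(url):
    """Return (passes, has_bad_escape, fully_decoded_url).

    passes counts the decoding rounds that changed the string. Every round
    shortens the string, so the loop always terminates.
    """
    passes, bad, current = 0, False, url
    while True:
        if BAD_ESCAPE.search(current):
            bad = True          # also catches a bad '%' exposed by decoding
        decoded = decode_once(current)
        if decoded == current:
            return passes, bad, current
        passes += 1
        current = decoded


def findings(url, multiple_decoding_level=2):
    """List the conditions a URL meets (assumed rule: passes >= level)."""
    passes, bad, _ = analyze(url)
    out = []
    if bad:
        out.append("bad_escape")
    if passes >= multiple_decoding_level:
        out.append("multiple_decoding")
    return out


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the thread.
    for u in ["/report?name=100%", "/a%20b", "/a%2520b", "/a%25"]:
        print(u, analyze(u), findings(u, 2), findings(u, 3))
```

With the level at 2 the double-encoded `/a%2520b` is reported; at 3 it is not, while the trailing-'%' URL is reported at either level because the level only affects the decoding count.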