iRule to permit access on a specific URL from a source IP on the ASM
Hey guys,
One of my clients is issuing a URL to an F5 virtual server, but ASM is blocking the request because it's seeing it as an "illegal URL" violation and its attack type is "forceful browsing". The URL is not learned from the ASM Security Policy, so I understand why it's being blocked.
Can an iRule permit this specific URL that is not allowed by the ASM Security Policy if the request is coming from a specific IP?
Thanks!
9 Replies
- Cory_50405
Noctilucent
Forceful browsing is an attack type, but not the specific violation. What is the access violation that's being reported on his connection attempt?
- Serge_Ghanem_83
Nimbostratus
The specific violation is: "Illegal URL"
Can we write our iRule based on the attack type, like I have written below:

    when ASM_REQUEST_VIOLATION {
        set x [ASM::violation_data]
        # Log each field of the violation data list to /var/log/ltm
        for {set i 0} { $i < 7 } {incr i} {
            switch $i {
                0 { log local0. "attack_type=[lindex $x $i]" }
                1 { log local0. "violation=[lindex $x $i]" }
                2 { log local0. "support_id=[lindex $x $i]" }
                3 { log local0. "web_application=[lindex $x $i]" }
                4 { log local0. "severity=[lindex $x $i]" }
                5 { log local0. "source_ip=[lindex $x $i]" }
                6 { log local0. "request_status=[lindex $x $i]" }
            }
        }
        # Send forceful-browsing hits from the one permitted client to the pool member
        if {([lindex $x 0] contains "ATTACK_TYPE_FORCEFUL_BROWSING") and ([IP::client_addr] equals "1.2.3.4") } {
            pool test_pool member 10.11.12.13 443
        }
    }

Thanks!!
- Cory_50405
Noctilucent
You might want to add ASM::disable into your actions as well:

    when ASM_REQUEST_VIOLATION {
        set x [ASM::violation_data]
        for {set i 0} { $i < 7 } {incr i} {
            switch $i {
                0 { log local0. "attack_type=[lindex $x $i]" }
                1 { log local0. "violation=[lindex $x $i]" }
                2 { log local0. "support_id=[lindex $x $i]" }
                3 { log local0. "web_application=[lindex $x $i]" }
                4 { log local0. "severity=[lindex $x $i]" }
                5 { log local0. "source_ip=[lindex $x $i]" }
                6 { log local0. "request_status=[lindex $x $i]" }
            }
        }
        if {([lindex $x 0] contains "ATTACK_TYPE_FORCEFUL_BROWSING") and ([IP::client_addr] equals "1.2.3.4") } {
            ASM::disable
            pool test_pool member 10.11.12.13 443
        }
    }

- Serge_Ghanem_83
Nimbostratus
Thank you, Cory, for your help, but it didn't work. Do you have any other idea of an iRule that can be applied for the same reason?
Thanks.
- Cory_50405
Noctilucent
Did the logging statements work? Exactly what didn't work?
- Serge_Ghanem_83
Nimbostratus
Unfortunately, I am not an expert with iRules. What do you mean by logging statements?
- Cory_50405
Noctilucent
The 'log local0' statements in your for statement... Are the expected entries being written to /var/log/ltm?
I'm wondering if you should just remove the 'pool test_pool member 10.11.12.13 443' statement from your iRule and just disable ASM.
- Serge_Ghanem_83
Nimbostratus
I have tried to remove the pool from the iRule and I am still getting the same error below in the ASM log statement:
[SECEV] Request blocked, violations: Illegal URL. HTTP protocol compliance sub violations: N/A. Evasion techniques sub violations: N/A. Web services security sub violations: N/A. Virus name: N/A. Support id: 15958200311141796981, source ip: 1.2.3.4, xff ip: N/A, source port: 41203, destination ip: 5.6.7.8, destination port: 443, route_domain: 0, HTTP classifier: /Common/test_class, scheme HTTPS, geographic location: , request: , username: , session_id: <1c92c42d2ac662b2>
It seems that the iRule is not triggering, no?
- Cory_50405
Noctilucent
That's the ASM log entry. Is anything showing up in /var/log/ltm? When using local0, that should log to /var/log/ltm.
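
Added example, not part of the original thread: a small Python check that answers the question above by correlating ASM `[SECEV]` entries with the `support_id=` lines the iRule writes via `log local0.`. The ASM entry is shortened from the one quoted in the thread; the second ASM entry, the `/var/log/ltm` line and the rule name `asm_log_rule` are constructed for illustration.

```python
import re

# Field layout taken from the ASM log entry quoted in the thread.
SECEV_RE = re.compile(
    r"\[SECEV\] Request (?P<status>\w+), violations: (?P<violations>[^.]+)\."
    r".*?Support id: (?P<support_id>\d+), source ip: (?P<source_ip>[\d.]+)"
)
# The iRule in the thread logs one "support_id=<id>" line per violation event.
IRULE_RE = re.compile(r"support_id=(?P<support_id>\d+)")

ASM_LINES = [
    # Shortened from the entry quoted in the thread.
    "[SECEV] Request blocked, violations: Illegal URL. HTTP protocol compliance "
    "sub violations: N/A. Virus name: N/A. Support id: 15958200311141796981, "
    "source ip: 1.2.3.4, xff ip: N/A, source port: 41203",
    # Constructed second entry.
    "[SECEV] Request blocked, violations: Illegal URL. Virus name: N/A. "
    "Support id: 1111111111111111111, source ip: 1.2.3.4, xff ip: N/A",
]
LTM_LINES = [
    # Constructed /var/log/ltm line; the rule name is hypothetical.
    "Jan  1 00:00:00 bigip1 info tmm[1234]: Rule /Common/asm_log_rule "
    "<ASM_REQUEST_VIOLATION>: support_id=1111111111111111111",
]


def parse_secev(line):
    """Return status, violations, support id and source IP from one ASM entry."""
    m = SECEV_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["violations"] = [v.strip() for v in fields["violations"].split(",")]
    return fields


def irule_fired_for(asm_lines, ltm_lines):
    """Map each ASM support id to True if the iRule logged the same id."""
    logged = set()
    for line in ltm_lines:
        m = IRULE_RE.search(line)
        if m:
            logged.add(m.group("support_id"))
    events = filter(None, map(parse_secev, asm_lines))
    return {e["support_id"]: e["support_id"] in logged for e in events}


if __name__ == "__main__":
    for support_id, fired in irule_fired_for(ASM_LINES, LTM_LINES).items():
        print(support_id, "iRule logged" if fired else "no iRule log entry")
```

A support id that appears in the ASM log but maps to `False` means the event handler never wrote its `log local0.` lines for that request.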