Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

jmgrange_337011's avatar
jmgrange_337011
Icon for Nimbostratus rankNimbostratus
May 02, 2018

SQL-Injection bypass and logging iRule

I am working on an iRule that will unblock traffic going to URLs in a Data Group and log when it does so. This is what I have and want to have it reviewed to make sure it is written correctly. ...
big-ip
irules
security
youssef1's avatar
youssef1
Icon for Cumulonimbus rankCumulonimbus
May 03, 2018

hello,

You will see trafic in /var/log/ltm

 when ASM_REQUEST_DONE {

if { [class match [HTTP::uri] equals "DataGroup1"] } { 
    if { [ASM::violation attack_types] equals "ATTACK_TYPE_SQL_INJECTION"} { 
        ASM::unblock
        log local0. "ASM_LOGS: SQL-Injection bypass for [HTTP::uri] from [IP::remote_addr]"
    } 
} else { 
   log local0. "ASM_LOGS: More than one type of violation, too dangerous to Unblock return"

} 
}

and of course there must be traffic and our condition has to be triggered.

First of try to trigg URI set in your Datagroup1 (and check logs) then try to lunch an sql injection from autorized URI (and check logs). more /var/log/ltm | grep "ASM_LOGS:"

If you have nothing in the ltm logs it's mean that your request was not unblock and that our irule don't trigged. That's mean that you will see the the request in the "ASM event logs". And if you have nothing in the asm that's mean that asm analyse your request not like an attack...

Last point: why you don't set this exception directly in ASM?

Regards