Albert_252822
Aug 22, 2016

ASM iRule events not working

Hi all,

I activated this iRule in my Virtual Server:

 

when HTTP_REQUEST {    
  set redirect 0
  set requri [HTTP::uri]
}
when ASM_REQUEST_BLOCKING {
    set redirect 1
}
when HTTP_RESPONSE {
    if { $redirect } {
        switch -glob $requri {
            /url1* { HTTP::redirect "https://url1/index" }
            /url2* { HTTP::redirect "https://url2/index" }
            /url3* { HTTP::redirect "https://url3/index" }
        default { }
        }
    }
}

 

I also enabled the "Trigger ASM iRule Events" option on my ASM security Policy which is in Blocking Mode. But, even so, redirections don't work after a violation is triggered.

Any ideas?

12 Replies

  • The iRule doesn't work either using HTTP::redirect or using HTTP::respond 302 Location

     

  • Have not tested, but in theory, this should do what you want:

     

    when ASM_REQUEST_DONE {
      if { [ASM::status] equals "blocked" } {
        switch -glob [string tolower [HTTP::path]] {
          "/url1*" { 
            ASM::unblock
            HTTP::respond 302 Location "https://url1/index" Connection Close
          }
          "/url2*" { 
            ASM::unblock
            HTTP::respond 302 Location "https://url2/index" Connection Close
          }
          "/url3*" { 
            ASM::unblock
            HTTP::respond 302 Location "https://url3/index" Connection Close
          }
          default { }
        }
      }
    }
    

     

    • Albert_252822

      Hi Hannes, thanks for your help.

       

      I tested this iRule, replacing my whole iRule, and it doesn't work. I have the same result: after a violation I see the ASM Default Response Page.

       

      I'm sure I'm missing something but I can't find it. My ASM Security Policy has "Trigger ASM iRule Events" enabled and "ASM iRules Event Mode" in Normal Mode. I also have the Default Response Page configured (code 200 - OK)

       

    • Hannes_Rapp

      I can only recommend checking /var/log/ltm: are there any iRule processing Tcl errors? Make sure this iRule has priority by moving it first in the order list, or use the 'priority' function.

       

      Also note that if it is possible to invoke a redirect from the ASM_REQUEST_BLOCKING event, rather use the sample Stanislas posted. This possibility varies across BIG-IP versions.

       

    • Albert_252822

      My original iRule is not showing any errors in the logs. Although it is not working properly, there aren't syntax errors:

       

      info: ASM blocking

       

  • Hi,

    you can use HTTP::redirect inside ASM_REQUEST_BLOCKING :

     

    when ASM_REQUEST_BLOCKING {
        switch -glob [HTTP::path] {
            /url1* { HTTP::redirect "https://url1/index" }
            /url2* { HTTP::redirect "https://url2/index" }
            /url3* { HTTP::redirect "https://url3/index" }
        default { }
        }
    }
    

     

  • Two others provided some specific iRule assistance; I can only add that you should add logging to determine whether the events get hit at all.

     

  • I had this line in my ASM_REQUEST_BLOCKING block but I didn't include it in my post:

     

    log local0. "ASM blocking"

     

    Where should I see this message in case violations are triggered? ASM Event Logs only shows the violations. Maybe system logs?

  • local0. events are written to the /var/log/ltm file.

     

    You can see these logs in System / Logs / Local Traffic.

     

  • Hi,

     

    After some tests, the solution is to use your first iRule, but replace the HTTP_RESPONSE event with HTTP_RESPONSE_RELEASE.

     

    It works in my lab with version 12.1.
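
The suggestions above, combined into one iRule as an added example (assembled here, not posted by any participant and not tested on a BIG-IP): the original rule with HTTP_RESPONSE swapped for HTTP_RESPONSE_RELEASE, plus the logging advised earlier so each ASM event can be confirmed in /var/log/ltm. The /urlN paths and redirect targets are the thread's placeholders.

```tcl
when HTTP_REQUEST {
    # Reset per-request state: one keep-alive connection carries many requests.
    set redirect 0
    set reqpath [string tolower [HTTP::path]]
}
when ASM_REQUEST_DONE {
    # Troubleshooting only: written for every request ASM processes.
    # Confirms that "Trigger ASM iRule Events" is taking effect and records
    # the support ID to match against the ASM event log.
    log local0. "ASM done: path=$reqpath status=[ASM::status] support_id=[ASM::support_id]"
}
when ASM_REQUEST_BLOCKING {
    # Only flag the request here; the redirect is issued at release time.
    set redirect 1
    log local0. "ASM blocking: path=$reqpath"
}
when HTTP_RESPONSE_RELEASE {
    # Fires for the ASM blocking response as well as for server responses.
    if { [info exists redirect] && $redirect } {
        switch -glob -- $reqpath {
            "/url1*" { HTTP::redirect "https://url1/index" }
            "/url2*" { HTTP::redirect "https://url2/index" }
            "/url3*" { HTTP::redirect "https://url3/index" }
            default  { log local0. "ASM blocked $reqpath: no redirect mapped, default response page kept" }
        }
    }
}
```

If the redirect targets are protected by the same policy, a client that is blocked on every request will keep following the redirects, which is the loop described in Kai's post further down.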

     

  • Why can't we use when ASM_REQUEST_DONE rather than when ASM_REQUEST_BLOCKING?

    -Jinshu

  • Hi Folks,

    in the past I've experienced some major issues using the regular ASM redirect responses pointing to an ASM enabled default/error page.

    The problem was that a poorly written Bot/Crawler/VA-Scanner was getting blocked because of its User-Agent information. The client was able to follow the ASM redirects, resulting in another blocked request, and then just ended up in an endless redirect loop, which consumed lots of system resources over hours.

    I've analysed the possibilities to manipulate the default blocking page behavior and ended up with a solution which detects HTTP::redirect loops, retrieves the [ASM::support_id] during ASM_REQUEST_DONE and then manipulates the regular ASM violation page response, to become either a JScript redirect page or a static 200 OK error page, using the [ASM::payload] command during the ASM_REQUEST_BLOCKING event.

    Note: The iRule passes the RequestID to the redirected site as a B64encoded query string. The query string is then used to detect the redirect loop and send the 200OK response displaying the RequestID of the initial violation.

    Integration iRule event:

     

    when HTTP_REQUEST {
        if { [HTTP::host] eq "www.site.de" } then {
            set ASM_Policy_Violation_Page_URL "/default.aspx"       
        } elseif { [HTTP::host] eq "www2.site.de" } then {
            set ASM_Policy_Violation_Page_URL "/sites/default.aspx" 
        }
    }
    

     

    ASM iRule Events:

     

    when ASM_REQUEST_DONE {
    
        
        # Purpose      : The GLOBAL_ASM_ViolationPage_Selector file is responsible
        #                for controlling redirects to different ASM errorpages.
        #
        # Author       : Kai Wilke (kw@itacs.de)
        # Date         : 16.01.2015
        # Version      : v3.1 (Build 3100.0)
        #
        # Dependencies : Enable "Trigger ASM iRule Events"
        #                Enable "Normal" ASM iRules Event mode
        #                Set Violation Page response to "Default Response"
    
         set debug 0
         set log_prefix "Debug: \"[HTTP::uri]\" >"
    
         if { $debug } { log -noname local0. "$log_prefix --- Entering \"ASM_Selector\" ASM_REQUEST_DONE iRule ---" }
    
        if { [ASM::status] eq "blocked" } then {
    
    
            
            # Handler for ASM Policy Violations
    
    
             if { $debug } { log -noname local0. "$log_prefix +++ Entering \"ASM_Policy_Violation\" Handler +++" }
             if { $debug } { log -noname local0. "$log_prefix An ASM Policy Violation ocoured. Evalutating error page settings for this request and preparing the response." }
    
            if { [info exist ASM_Policy_Violation_Page_URL] } then {
    
    
                
                # Handler for ASM Violation Custom Error Pages
    
    
                if { [URI::query [HTTP::uri] RequestID] eq "" } then {
    
    
                    
                    # Handler for ASM Violation Custom ErrorPage redirects
    
    
                     if { $debug } { log -noname local0. "$log_prefix The HTTP-Request does not contain a \"RequestID\" query string. Preparing redirect to \"$ASM_Policy_Violation_Page_URL\" handler." }
    
                    set asm_policy_violation_response "$ASM_Policy_Violation_Page_URL?RequestID= [b64encode "SupportID: [ASM::support_id]"]"
    
                } else {
    
    
                    
                    # Handler for ASM Violation Redirect Loop Detection
    
    
                     if { $debug } { log -noname local0. "$log_prefix HTTP-Request contains a \"RequestID\" query string. Disabling the custom page redirects to avoid loops." }
                     if { $debug } { log -noname local0. "$log_prefix Enumerating the existing ASM Violation ID and setting up the static violation error page." }
    
                    catch { b64encode [b64decode [URI::query [HTTP::uri] RequestID]] } asm_policy_violation_existing_id
                    if { $asm_policy_violation_existing_id eq "" } then {
    
                         if { $debug } { log -noname local0. "$log_prefix Existing ASM Violation ID couldnt be retrieved. Generating empty session id within custom response." }
    
                        set asm_policy_violation_response "200ok U3VwcG9ydElEOiBNYWxmb3JtZWQgU3VwcG9ydElEIHJlY2VpdmVk"
    
                    } else {
    
                         if { $debug } { log -noname local0. "$log_prefix Existing ASM Violation ID retrieved successfully. Using existing session id within custom response." }
    
                        set asm_policy_violation_response "200ok $asm_policy_violation_existing_id"
    
                    }
    
                    unset -nocomplain asm_policy_violation_existing_id
    
                }
    
                 if { $debug } { log -noname local0. "$log_prefix +++ Leaving \"ASM_Policy_Violation_Custom_ErrorPages\" Handler +++" }
    
                unset -nocomplain ASM_Policy_Violation_Page_URL 
    
            } else {
    
    
                
                # Handler for ASM Violation Static Error Page
    
    
                 if { $debug } { log -noname local0. "$log_prefix +++ Entering \"ASM_Policy_Violation_Static_ErrorPage\" Handler +++" }
                 if { $debug } { log -noname local0. "$log_prefix Setting up the static violation error page and sending page to the client." }
    
                set asm_policy_violation_response "200ok [b64encode "SupportID: [ASM::support_id]"]"
    
                 if { $debug } { log -noname local0. "$log_prefix +++ Leaving \"ASM_Policy_Violation_Static_ErrorPage\" Handler +++" }
    
            }
    
        }
    
         if { $debug } { log -noname local0. "$log_prefix --- Leaving \"ASM_Selector\" ASM_REQUEST_DONE iRule ---" }
    
    }
    
    when ASM_REQUEST_BLOCKING {
    
    
         set debug 0
         set log_prefix "Debug: \"[HTTP::uri]\" >"
    
    
        
        # Handler for ASM Violation Blocking Page Overwrite
    
    
         if { $debug } { log -noname local0. "$log_prefix --- Entering \"ASM_Selector\" ASM_REQUEST_BLOCKING iRule ---" }
         if { $debug } { log -noname local0. "$log_prefix Evaluate \"asm_policy_violation_response\" parameter to decide if client side redirect code are required." }
    
        if { $asm_policy_violation_response starts_with "200ok " } then {
    
    
            
            # Handler for ASM Violation Static Error Page
    
    
             if { $debug } { log -noname local0. "$log_prefix +++ Entering \"ASM_Policy_Violation_Static_ErrorPage\" Handler +++" }
             if { $debug } { log -noname local0. "$log_prefix Setting up the violation error page without client side redirect code." }
    
            set response "
    
        
            Illegal Request
        
        
            
                
                    StatusAn illegal request was received.
                
                
                    SupportID[lindex $asm_policy_violation_response 1]
                
            
        
    "
    
             if { $debug } { log -noname local0. "$log_prefix +++ Leaving \"ASM_Policy_Violation_Static_ErrorPage\" Handler +++" }
    
        } else {
    
    
            
            # Handler for ASM Violation Custom Error Page Redirect
    
    
             if { $debug } { log -noname local0. "$log_prefix +++ Entering \"ASM_Policy_Violation_Custom_ErrorPage_Redirect\" Handler +++" }
             if { $debug } { log -noname local0. "$log_prefix Setting up the violation error page with client side redirect code." }
    
            set response "
    
        
            Illegal Request
            
        
        
            
            
                
                    StatusAn illegal request was received.
                
                
                    SupportID[lindex $asm_policy_violation_response 1]
                
            
        
    "
    
             if { $debug } { log -noname local0. "$log_prefix +++ Leaving \"ASM_Policy_Violation_Custom_ErrorPage_Redirect\" Handler +++" }
    
        }
    
        unset -nocomplain asm_policy_violation_response
    
    
        
        # Handler for ASM Violation Custom Error Page replacement
    
    
         if { $debug } { log -noname local0. "$log_prefix +++ Entering \"ASM_Policy_Violation_Custom_ErrorPage_Replacement\" Handler +++" }
         if { $debug } { log -noname local0. "$log_prefix Erasing the global definied ASM blocking page." }
    
        ASM::payload replace 0 [ASM::payload length] ""
    
         if { $debug } { log -noname local0. "$log_prefix Setting the custom ASM blocking page." }
    
        ASM::payload replace 0 0 $response
        unset -nocomplain response
    
         if { $debug } { log -noname local0. "$log_prefix Adjusting the \"Content-Length\" to reflect new \"ASM_Payload_Length\"." }
    
        HTTP::header remove Content-Length
        HTTP::header insert Content-Length [ASM::payload length]
    
         if { $debug } { log -noname local0. "$log_prefix +++ Leaving \"ASM_Policy_Violation_Custom_ErrorPage_Replacement\" Handler +++" }
         if { $debug } { log -noname local0. "$log_prefix --- Leaving \"ASM_Selector\" ASM_REQUEST_BLOCKING iRule ---" }
    
    }
    

     

    Cheers, Kai