Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

ASM irule to disable attack signature authorization header with specific value

Go to solution
f5learner
Nimbostratus
Nimbostratus

‎10-Apr-2023 13:50

hello is there an irule to DISABLE ASM attack signature on the Authorization header if value contains "Bearer" but still check attack signature on rest of the payload

Labels:
0 Kudos
2 ACCEPTED SOLUTIONS

Go to solution
Enes_Afsin_Al
MVP
MVP

‎10-Apr-2023 16:47

Hi f5learner,

Can you try this iRule?

when ASM_REQUEST_DONE {
    if { [ASM::violation names] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED" && [HTTP::header Authorization] starts_with "Bearer" } {
        ASM::unblock
    }
}

Trigger ASM iRule Events Mode should be set Normal on the WAF policy.

Note that if the request has any violations other than "attack signature detected", the request will be completely unblocked.

View solution in original post

0 Kudos

Go to solution
Enes_Afsin_Al
MVP
MVP

‎20-Apr-2023 15:48

Hi,

When more than one violation occurs, if "Block" is active in one violation, but not in the other violation, the request_status for ASM::violation_data does not occur individually. It is defined as "block".

A separate control is required for violations that are not in the block. I think, rather than using such an iRule, a simple policy should be preferred.

https://clouddocs.f5.com/api/irules/ASM__violation_data.html

View solution in original post

0 Kudos
10 REPLIES 10

Go to solution
Enes_Afsin_Al
MVP
MVP

‎10-Apr-2023 16:47

Hi f5learner,

Can you try this iRule?

when ASM_REQUEST_DONE {
    if { [ASM::violation names] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED" && [HTTP::header Authorization] starts_with "Bearer" } {
        ASM::unblock
    }
}

Trigger ASM iRule Events Mode should be set Normal on the WAF policy.

Note that if the request has any violations other than "attack signature detected", the request will be completely unblocked.

0 Kudos

Go to solution
f5learner
Nimbostratus
Nimbostratus
In response to Enes_Afsin_Al

‎10-Apr-2023 20:34

thank you so much for response you mentioned
"Note that if the request has any violations other than "attack signature detected", the request will be completely unblocked." 

how can I ensure that other violations are not completely unblocked and get assessed by other WAF rules. I only want to disable attack signatures on HTTP header authorization with value containing "Bearer" , the remaining payload and other requests should be evaluated as normal.

Also in above syntax how can I also enable logging everytime authorization header containing Bearer bypasses.
Thank you so much for your help

0 Kudos

Go to solution
Enes_Afsin_Al
MVP
MVP

‎11-Apr-2023 17:58

Hi,

Can you test this iRule?

when ASM_REQUEST_DONE {
    if { [ASM::violation names] eq "VIOLATION_ATTACK_SIGNATURE_DETECTED" && [b64decode [llookup [ASM::violation details] "header.header_name"]] eq "Authorization" && [HTTP::header Authorization] starts_with "Bearer" } {
        log local0. "Request unblocked - URI: [HTTP::uri] - ClientIP: [IP::client_addr] - Authorization: [HTTP::header Authorization]"
        ASM::unblock
    }
}

With this iRule, the request will be unblocked only if occurs following conditions:

  • Only Attack signature violation occurs
  • Attack signature is in the Authorization header
  • Authorization header starts with Bearer

In all other cases, the blocking will continue.
You can view the logs in the /var/log/ltm.

0 Kudos

Go to solution
f5learner
Nimbostratus
Nimbostratus
In response to Enes_Afsin_Al

‎12-Apr-2023 13:56

thank you so much, looks like we are almost there but still not working. is it because above provided irule ONLY expecting attack signature violation but there is also "Modified domain cookie" detection. However modified cookie is in ALARM mode. so should further modification needed? please see below screenshots

f5learner_1-1681332811305.png

f5learner_2-1681332850156.png

f5learner_3-1681332867898.png

 

 

 

 

0 Kudos

Go to solution
f5learner
Nimbostratus
Nimbostratus
In response to f5learner

‎13-Apr-2023 22:51

please let me know if you need furhter inforamtion, thank you so much for your assistance 

0 Kudos

Go to solution
Enes_Afsin_Al
MVP
MVP

‎16-Apr-2023 08:47

Hi,

If a violation other than "Attack Signature Detected" occurs, it will not match the if statement in the iRule.

Could you try with "contains" instead of "equals" in the if statement?

when ASM_REQUEST_DONE {
    if { [ASM::violation names] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED" && [b64decode [llookup [ASM::violation details] "header.header_name"]] eq "Authorization" && [HTTP::header Authorization] starts_with "Bearer" } {
        log local0. "Request unblocked - URI: [HTTP::uri] - ClientIP: [IP::client_addr] - Authorization: [HTTP::header Authorization]"
        ASM::unblock
    }
}

 

0 Kudos

Go to solution
f5learner
Nimbostratus
Nimbostratus
In response to Enes_Afsin_Al

‎18-Apr-2023 10:41

Thank you for your help 

by changing to CONTAINS allowed bypass for other violations in Blocking mode as well, for example I blacklisted my source IP but the request was allowed so that should not happen

The flow could look like this

Part one

if ONLY violation name VIOLATION_ATTACK_SIGNATURE exist with Authorization header with value starts with Bearer - Unblock
it can be achieved per your initial help with following if statement with eq

if { [ASM::violation names] eq "VIOLATION_ATTACK_SIGNATURE_DETECTED" && [b64decode [llookup [ASM::violation details] "header.header_name"]] eq "Authorization" && [HTTP::header Authorization] starts_with "Bearer" }

second part would be

if ONLY violation name VIOLATION_ATTACK_SIGNATURE exist with Authorization header with value starts with Bearer (first part above) BUT ALSO ANY another violation exist BUT with ONLY Applied Blocking Settings Alarm and Learn or ALARM OR LEARN - then Unblock as well

accomplishing second part above would also ensure that Part one above will not be impacted if other triggers are only in alarm/learn mode?

0 Kudos

Go to solution
f5learner
Nimbostratus
Nimbostratus
In response to f5learner

‎20-Apr-2023 10:12

I am not sure if it is possible to be that granular? please let me know thank you for your help

0 Kudos

Go to solution
Enes_Afsin_Al
MVP
MVP

‎20-Apr-2023 15:48

Hi,

When more than one violation occurs, if "Block" is active in one violation, but not in the other violation, the request_status for ASM::violation_data does not occur individually. It is defined as "block".

A separate control is required for violations that are not in the block. I think, rather than using such an iRule, a simple policy should be preferred.

https://clouddocs.f5.com/api/irules/ASM__violation_data.html

0 Kudos

Go to solution
f5learner
Nimbostratus
Nimbostratus
In response to Enes_Afsin_Al

‎25-Apr-2023 11:07

thank you so much for all the help

0 Kudos
Copyright © 2023 Khoros, LLC