Forum Discussion

Abed_AL-R's avatar
Abed_AL-R
Icon for Cirrostratus rankCirrostratus
Oct 03, 2020
Solved

ASM_REQUEST_BLOCKING not being triggered in iRule

Anyone here faced the issue that "ASM_REQUEST_BLOCKING" not being triggered in LTM iRule ?

The "Trigger ASM iRule Events Mode" is set to normal in ASM policy

Running v15.1.0.5

New setup, never tried this before ..

Thanks

  • I believe it found the issue, as this is a response violation (it is not something bad send by the client, but the response the webserver sends is what should be blocked) it should be handled in the ASM_RESPONSE_VIOLATION event.

    this iRule both logs the violation and allows me to rewrite the block page.

    when ASM_RESPONSE_VIOLATION {
     
      log local0. "response violation"
     
      set x [ASM::violation_data]
     
      for {set i 0} { $i < 7 } {incr i} {
          switch $i {
          0         { log local0. "violation=[lindex $x $i]" }
          1         { log local0. "support_id=[lindex $x $i]" }
          2         { log local0. "web_application=[lindex $x $i]" }
          3         { log local0. "severity=[lindex $x $i]" }
          4         { log local0. "source_ip=[lindex $x $i]" }
          5         { log local0. "attack_type=[lindex $x $i]" }
          6         { log local0. "request_status=[lindex $x $i]" }
     
       }}
       
      ASM::payload replace 0 [ASM::payload length] ""
      ASM::payload replace 0 0 "12345607890"
      HTTP::header replace Content-Length [ASM::payload length]
      
    }

    logs

    Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: response violation
    Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: violation=VIOLATION_REDIRECT
    Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: support_id=5611810483771277404
    Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: web_application=/Common/asm-1
    Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: severity=Error
    Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: attack_type=ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY
    Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: request_status=blocked

     once you can confirm ill try to get the cloud docs updated. these things can be made a lot easier when a couple of extra lines explaining the different types of events.

22 Replies

    • Abed_AL-R's avatar
      Abed_AL-R
      Icon for Cirrostratus rankCirrostratus

      Yes

      I mean I do get the access rejected page, but I get the default page, and I need to customize it.

      like described here: https://support.f5.com/csp/article/K22017023

       

      • boneyard's avatar
        boneyard
        Icon for MVP rankMVP

        and you have the irule associated with the virtual server that also has the ASM profile with the "Trigger ASM iRule Events Mode" enabled?

         

        can you add some log statements to your iRule events to see if they get triggered at all?

         

        does the ltm log show something related at the moment?

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP

      only thing i saw in previous questions is that it didn't trigger for all types of violations, the example there was data guard which didnt trigger it. you might try a couple of different violation types to rule that out.

       

      but if that is ok and if you got a the configuration setup correctly (which you seem to have) and it still doesnt work then it could be a bug, best to have F5 support have a look at your configuration and determine if it is a bug.

      • Abed_AL-R's avatar
        Abed_AL-R
        Icon for Cirrostratus rankCirrostratus

        The thing with F5 technical support is tey do not support iRules.

        Only in rare cases. or if you have some sort of support level contract ....

    • Abed_AL-R's avatar
      Abed_AL-R
      Icon for Cirrostratus rankCirrostratus

      If I do that then my website will not be reached and I'll get this browser error message:

      This page isn’t working
      my.domain.com didn’t send any data.
      ERR_EMPTY_RESPONSE

      I see the iRule triggered but with errors in /var/log/ltm :

      Oct 12 07:30:07 My-F5 info tmm5[14584]: Rule /Common/ASM_custom_block_page_v3 <ASM_REQUEST_DONE>: hello world
      Oct 12 07:30:08 My-F5 err tmm5[14584]: 011f0016:3: http_process_state_prepend - Invalid action:0x10a010 Server sends too much data. serverside (172.26.137.34:443 -> 172.26.137.46:6759) clientside (1.2.3.4:62170 -> 172.26.137.41:443) (Server side: vip=/Common/myserver_test profile=http pool=/Common/srv-myserver server_ip=172.26.137.34)
      • boneyard's avatar
        boneyard
        Icon for MVP rankMVP

        how is your full iRule looking now?

         

        if you only test with the example from https://clouddocs.f5.com/api/irules/ASM_REQUEST_DONE.html

         

        what happens?

  • Hi

    I launched this iRule and tried to create violation, the ASM blocked me , but the ltm log doesn't show anything related to "req block" log. Here is the output:

    Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
    Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
    Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563438358212
    Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
    Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
    Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
    Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
    Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear
    Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
    Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
    Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563489517902
    Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
    Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
    Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
    Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
    Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear
    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP

      because you didnt trigger a violation according to the output. violation is empty and it shouldn't be

      yours:

      Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=

      test from me:

      Oct 22 13:40:01 bigip-01 info tmm2[20840]: Rule /Common/irule-asm_blockpage <ASM_REQUEST_DONE>: violation=VIOLATION_REQ_LEN,VIOLATION_OBJ_LEN,VIOLATION_OBJ_TYPE

      there is no violation information at yours and there should be.

      so you have to check if everything is setup correctly, perhaps multiple ASM policies and not having the right one here or ... it is difficult to determine what it could be from a distance.

      reaching out to f5 support would be a good idea if you don't see an issue, it might be a bug. im running 14.1 and don't have 15.1 quickly available.

  • But I did trigger a violation

    I received also a support id and ASM blocked my request

    I will try to reach out the support soon

    Thanks :)

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP

      can you lookup that support id and share the output (redacted where needed)?

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP

      ah interesting, a redirect violation, that might be a reason, as it is in the response.

       

      can you try with another kind of violation?

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP

      I believe it found the issue, as this is a response violation (it is not something bad send by the client, but the response the webserver sends is what should be blocked) it should be handled in the ASM_RESPONSE_VIOLATION event.

      this iRule both logs the violation and allows me to rewrite the block page.

      when ASM_RESPONSE_VIOLATION {
       
        log local0. "response violation"
       
        set x [ASM::violation_data]
       
        for {set i 0} { $i < 7 } {incr i} {
            switch $i {
            0         { log local0. "violation=[lindex $x $i]" }
            1         { log local0. "support_id=[lindex $x $i]" }
            2         { log local0. "web_application=[lindex $x $i]" }
            3         { log local0. "severity=[lindex $x $i]" }
            4         { log local0. "source_ip=[lindex $x $i]" }
            5         { log local0. "attack_type=[lindex $x $i]" }
            6         { log local0. "request_status=[lindex $x $i]" }
       
         }}
         
        ASM::payload replace 0 [ASM::payload length] ""
        ASM::payload replace 0 0 "12345607890"
        HTTP::header replace Content-Length [ASM::payload length]
        
      }

      logs

      Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: response violation
      Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: violation=VIOLATION_REDIRECT
      Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: support_id=5611810483771277404
      Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: web_application=/Common/asm-1
      Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: severity=Error
      Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: attack_type=ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY
      Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: request_status=blocked

       once you can confirm ill try to get the cloud docs updated. these things can be made a lot easier when a couple of extra lines explaining the different types of events.

  • Hi

    I tried different violation (illegal file type) and now i can see the req block

    Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
    Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
    Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563816978112
    Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
    Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
    Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
    Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
    Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear
    Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
    Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=VIOLATION_OBJ_TYPE
    Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563816985952
    Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
    Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Critical
    Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
    Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=ATTACK_TYPE_FORCEFUL_BROWSING
    Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=blocked
    Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_BLOCKING>: req block
    • Abed_AL-R's avatar
      Abed_AL-R
      Icon for Cirrostratus rankCirrostratus

      Thank you boneyard

      This iRule working fine

      I just had to add "if support id exist" condition in "ASM_REQUEST_DONE" section

       

      when HTTP_REQUEST {
         set requri "https://[HTTP::host][HTTP::uri]"
      }
      when ASM_RESPONSE_VIOLATION {
      log local0. "hello world1"
      #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
           set asm_support_id1 [ASM::support_id]
           HTTP::header remove Content-Length
           HTTP::header insert header_1 value_1
           set client_ip1 [IP::client_addr]
           set response1 "<html><head><title>Request Rejected</title></head><body>
                                  The requested URL was rejected. Please consult with your administrator.<br><br>
                                  Your support ID is: $asm_support_id1<br><br><a href='javascript:history.back();'>Go Back</a><br><br>
                                  Your URL is: $requri <br><br>
                                  Your client IP is: $client_ip1 
       
                              </body></html>"
                          
          log local0. "req block1"
          ASM::payload replace 0 [ASM::payload length] ""
          ASM::payload replace 0 0 $response1
          HTTP::header replace Content-Length [ASM::payload length]
      }
      when ASM_REQUEST_DONE {
      log local0. "hello world2"
      #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
           set asm_support_id2 [ASM::support_id]
      	 if {[info exists $asm_support_id2]} {
           HTTP::header remove Content-Length
           HTTP::header insert header_1 value_1
           set client_ip2 [IP::client_addr]
           set response2 "<html><head><title>Request Rejected</title></head><body>
                                  The requested URL was rejected. Please consult with your administrator.<br><br>
                                  Your support ID is: $asm_support_id2<br><br><a href='javascript:history.back();'>Go Back</a><br><br>
                                  Your URL is: $requri <br><br>
                                  Your client IP is: $client_ip2 
       
                              </body></html>"
      }
      }
      when ASM_REQUEST_BLOCKING {
       
        log local0. "req block2"
        
          ASM::payload replace 0 [ASM::payload length] ""
          ASM::payload replace 0 0 $response2
          HTTP::header replace Content-Length [ASM::payload length]
       
      }

       

       

      This is iRule I took to the next level with ifile and custom html/javascript code

      #Created by: AbedB 04-11-2020
      #Do not edit this iRule without AbedB permission
      when HTTP_REQUEST {
         set requri "https://[HTTP::host][HTTP::uri]"
      }
      when ASM_RESPONSE_VIOLATION {
      log local0. "hello world1"
      #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
           set asm_support_id1 [ASM::support_id]
           HTTP::header remove Content-Length
           HTTP::header insert header_1 value_1
           set client_ip1 [IP::client_addr]
           set response1 "HTTP::respond 200 content [subst -nocommands -nobackslashes [ifile get "blockpage1.html"]]"
                          
          log local0. "req block1 and supportis is: $asm_support_id1"
          ASM::payload replace 0 [ASM::payload length] ""
          ASM::payload replace 0 0 $response1
          HTTP::header replace Content-Length [ASM::payload length]
      }
      when ASM_REQUEST_DONE {
      log local0. "hello world2"
       
      #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
           set asm_support_id2 [ASM::support_id]
               if {[info exists $asm_support_id2]} {
           HTTP::header remove Content-Length
           HTTP::header insert header_1 value_1
           set client_ip2 [IP::client_addr]
           set response2 "HTTP::respond 200 content [subst -nocommands -nobackslashes [ifile get "blockpage2.html"]]"
      }
      }
      when ASM_REQUEST_BLOCKING {
       
        log local0. "req block2"
        
          ASM::payload replace 0 [ASM::payload length] ""
          ASM::payload replace 0 0 $response2
          HTTP::header replace Content-Length [ASM::payload length]
       
      }