
ASM_REQUEST_BLOCKING not being triggered in iRule

Abed_AL-R
Cirrostratus

Has anyone here faced the issue of "ASM_REQUEST_BLOCKING" not being triggered in an LTM iRule?

The "Trigger ASM iRule Events Mode" is set to Normal in the ASM policy.

Running v15.1.0.5

New setup, never tried this before ..

Thanks

1 ACCEPTED SOLUTION


22 REPLIES

boneyard
MVP

To be sure: you are creating violations, right?

 

different types?

Yes

I mean I do get the access rejected page, but I get the default page, and I need to customize it.

As described here: https://support.f5.com/csp/article/K22017023

 

and you have the irule associated with the virtual server that also has the ASM profile with the "Trigger ASM iRule Events Mode" enabled?

 

can you add some log statements to your iRule events to see if they get triggered at all?

 

does the ltm log show something related at the moment?

Yes, it is the same VS.

And yes, I tried to add log local0. statements to the iRule, but nothing was detected in the "ASM_REQUEST_BLOCKING" section.

Abed_AL-R
Cirrostratus

Does anyone have any idea how to solve this?

The only thing I saw in previous questions is that it didn't trigger for all types of violations; the example there was Data Guard, which didn't trigger it. You might try a couple of different violation types to rule that out.

 

But if that is OK and you have the configuration set up correctly (which you seem to have) and it still doesn't work, then it could be a bug; best to have F5 Support have a look at your configuration and determine if it is a bug.

The thing with F5 technical support is they do not support iRules.

Only in rare cases, or if you have some sort of support level contract ...

They don't support full debugging/writing of iRules, but in my experience they will assist in something like this, or if something clearly fails, especially when you are just following F5 articles and doing something relatively simple like this. I would certainly try them.

crodriguez
F5 Employee

Have you tried using ASM_REQUEST_DONE instead of ASM_REQUEST_VIOLATION? ASM_REQUEST_VIOLATION was deprecated in v11.5 and replaced with ASM_REQUEST_DONE.

If I do that then my website will not be reached and I'll get this browser error message:

This page isn’t working my.domain.com didn’t send any data. ERR_EMPTY_RESPONSE

I see the iRule triggered but with errors in /var/log/ltm :

Oct 12 07:30:07 My-F5 info tmm5[14584]: Rule /Common/ASM_custom_block_page_v3 <ASM_REQUEST_DONE>: hello world
Oct 12 07:30:08 My-F5 err tmm5[14584]: 011f0016:3: http_process_state_prepend - Invalid action:0x10a010 Server sends too much data. serverside (172.26.137.34:443 -> 172.26.137.46:6759) clientside (1.2.3.4:62170 -> 172.26.137.41:443) (Server side: vip=/Common/myserver_test profile=http pool=/Common/srv-myserver server_ip=172.26.137.34)

 

How is your full iRule looking now?

 

If you only test with the example from https://clouddocs.f5.com/api/irules/ASM_REQUEST_DONE.html

 

what happens?

This is my current iRule

 

when HTTP_REQUEST {
    set requri "https://[HTTP::host][HTTP::uri]"
}

when ASM_REQUEST_DONE {
    log local0. "hello world"
    #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
    set asm_support_id [ASM::support_id]
    HTTP::header remove Content-Length
    HTTP::header insert header_1 value_1
    set client_ip [IP::client_addr]
    set response "<html> <head> <title>Request Rejected</title> </head> <body> The requested URL was rejected. Please consult with your administrator.<br><br> Your support ID is: $asm_support_id<br><br><a href='javascript:history.back();'>Go Back</a><br><br> Your URL is: $requri Your client IP is: $client_ip </body> </html>"
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response
}

 

So that was an interesting one; it took me a few tries to get something working.

The cloud docs suggest that ASM::payload works in most of the ASM events, but for me it only seems to work in ASM_REQUEST_BLOCKING; well, certainly the replace only works there.

 

There is also a known issue which shouldn't be an issue for 14.1 but is for me: https://support.f5.com/csp/article/K13696

 

So if you set the iRule events mode to Normal, then you use ASM_REQUEST_DONE (instead of the two other ones), but you can only check for what happened.

 

The replacing still has to happen in ASM_REQUEST_BLOCKING.

 

Can you try something like this and show the ltm log output?

when ASM_REQUEST_DONE {
    log local0. "req done"
    set x [ASM::violation_data]
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
            0 { log local0. "violation=[lindex $x $i]" }
            1 { log local0. "support_id=[lindex $x $i]" }
            2 { log local0. "web_application=[lindex $x $i]" }
            3 { log local0. "severity=[lindex $x $i]" }
            4 { log local0. "source_ip=[lindex $x $i]" }
            5 { log local0. "attack_type=[lindex $x $i]" }
            6 { log local0. "request_status=[lindex $x $i]" }
        }
    }
}

when ASM_REQUEST_BLOCKING {
    log local0. "req block"
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 "abcdefghi"
    HTTP::header replace Content-Length [ASM::payload length]
}

This is 14.1.2.3 (lab) btw, so things might have changed in 15.1, although I can't find details on that.

 

Abed_AL-R
Cirrostratus

Hi

 

I launched this iRule and tried to create a violation; the ASM blocked me, but the ltm log doesn't show anything related to the "req block" log. Here is the output:

Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563438358212
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563489517902
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear

 

 

 

Because you didn't trigger a violation, according to the output: violation is empty and it shouldn't be.

 

Yours:

Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=

Test from me:

Oct 22 13:40:01 bigip-01 info tmm2[20840]: Rule /Common/irule-asm_blockpage <ASM_REQUEST_DONE>: violation=VIOLATION_REQ_LEN,VIOLATION_OBJ_LEN,VIOLATION_OBJ_TYPE

There is no violation information in yours and there should be.

 

So you have to check if everything is set up correctly; perhaps there are multiple ASM policies and you don't have the right one here, or ... it is difficult to determine what it could be from a distance.

Reaching out to F5 Support would be a good idea if you don't see an issue; it might be a bug. I'm running 14.1 and don't have 15.1 quickly available.

Abed_AL-R
Cirrostratus

But I did trigger a violation.

I also received a support ID and ASM blocked my request.

I will try to reach out to support soon.

Thanks 🙂

Can you look up that support ID and share the output (redacted where needed)?

Abed_AL-R
Cirrostratus

Sure

Attached


Ah, interesting, a redirect violation; that might be the reason, as it is in the response.

Can you try with another kind of violation?

I believe I found the issue: as this is a response violation (it is not something bad sent by the client, but the response the web server sends is what should be blocked), it should be handled in the ASM_RESPONSE_VIOLATION event.

This iRule both logs the violation and allows me to rewrite the block page.

 

when ASM_RESPONSE_VIOLATION {
    log local0. "response violation"
    set x [ASM::violation_data]
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
            0 { log local0. "violation=[lindex $x $i]" }
            1 { log local0. "support_id=[lindex $x $i]" }
            2 { log local0. "web_application=[lindex $x $i]" }
            3 { log local0. "severity=[lindex $x $i]" }
            4 { log local0. "source_ip=[lindex $x $i]" }
            5 { log local0. "attack_type=[lindex $x $i]" }
            6 { log local0. "request_status=[lindex $x $i]" }
        }
    }
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 "12345607890"
    HTTP::header replace Content-Length [ASM::payload length]
}

Logs:

 

Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: response violation
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: violation=VIOLATION_REDIRECT
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: support_id=5611810483771277404
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: web_application=/Common/asm-1
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: severity=Error
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: attack_type=ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: request_status=blocked

Once you can confirm, I'll try to get the cloud docs updated. These things can be made a lot easier with a couple of extra lines explaining the different types of events.
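Pulling the thread's two findings together, the following is an added example (not boneyard's iRule and not F5's documentation code) of one iRule that handles both paths: request-side violations, which fire ASM_REQUEST_DONE and then ASM_REQUEST_BLOCKING, and response-side violations such as VIOLATION_REDIRECT, which fire ASM_RESPONSE_VIOLATION only. It logs the seven ASM::violation_data fields in the order used by the for/switch loop above and, going one step beyond the thread's code, HTML-escapes the support ID, URL and client IP before putting them into the custom block page, so a crafted request cannot inject markup into the page the WAF sends back. The procs html_escape, build_block_page and log_violation are names chosen for this example; it assumes "Trigger ASM iRule Events Mode" is set to Normal on the policy and sticks to Tcl 8.4 constructs (foreach instead of lassign), which is what the iRule interpreter provides.

```tcl
# Added example: one iRule covering both ASM blocking paths found in this thread.
# Request-side violations (e.g. illegal file type) raise ASM_REQUEST_DONE and then
# ASM_REQUEST_BLOCKING; response-side violations (e.g. VIOLATION_REDIRECT) raise
# ASM_RESPONSE_VIOLATION only. Assumes "Trigger ASM iRule Events Mode" = Normal.

# Hypothetical helper: escape a value for safe embedding in HTML, so a crafted
# host/URI in a blocked request is not reflected into the block page as markup.
proc html_escape { s } {
    return [string map [list & "&amp;" < "&lt;" > "&gt;" \" "&quot;" ' "&#39;"] $s]
}

# Hypothetical helper: build the custom block page from already-known values.
proc build_block_page { support_id uri client_ip } {
    set page "<html><head><title>Request Rejected</title></head><body>"
    append page "The requested URL was rejected. Please consult with your administrator.<br><br>"
    append page "Your support ID is: [call html_escape $support_id]<br><br>"
    append page "<a href='javascript:history.back();'>Go Back</a><br><br>"
    append page "Your URL is: [call html_escape $uri]<br><br>"
    append page "Your client IP is: [call html_escape $client_ip]"
    append page "</body></html>"
    return $page
}

# Hypothetical helper: log the 7 fields of ASM::violation_data on one line, in the
# order used by the for/switch loop earlier in the thread (Tcl 8.4 has no lassign).
proc log_violation { event vdata } {
    foreach {violation support_id web_app severity source_ip attack_type status} $vdata break
    log local0. "$event violation=$violation support_id=$support_id web_application=$web_app severity=$severity source_ip=$source_ip attack_type=$attack_type request_status=$status"
}

when HTTP_REQUEST {
    # Remember the requested URL for the block page; the ASM events run after this.
    set requri "https://[HTTP::host][HTTP::uri]"
}

when ASM_REQUEST_DONE {
    # Runs for every request ASM evaluated; request_status is "clear" for clean
    # requests (as in the logs above), so only log the ones ASM flagged.
    set vdata [ASM::violation_data]
    if { [lindex $vdata 6] ne "clear" } {
        call log_violation "ASM_REQUEST_DONE" $vdata
    }
}

when ASM_REQUEST_BLOCKING {
    # Request-side block: swap ASM's default block page for ours and fix the length.
    set page [call build_block_page [ASM::support_id] $requri [IP::client_addr]]
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $page
    HTTP::header replace Content-Length [ASM::payload length]
}

when ASM_RESPONSE_VIOLATION {
    # Response-side block (e.g. VIOLATION_REDIRECT): ASM_REQUEST_BLOCKING never fires
    # for these, so log and rewrite the block page here instead.
    set vdata [ASM::violation_data]
    call log_violation "ASM_RESPONSE_VIOLATION" $vdata
    set page [call build_block_page [ASM::support_id] $requri [IP::client_addr]]
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $page
    HTTP::header replace Content-Length [ASM::payload length]
}
```

The single-line log per event keeps one violation per ltm log line (easier to ship to a SIEM than seven lines per request), and the Content-Length rewrite after ASM::payload replace is what avoids the "Server sends too much data" error seen earlier in the thread.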

Abed_AL-R
Cirrostratus

Hi

 

I tried a different violation (illegal file type) and now I can see the req block:

Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563816978112
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=VIOLATION_OBJ_TYPE
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563816985952
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Critical
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=ATTACK_TYPE_FORCEFUL_BROWSING
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=blocked
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_BLOCKING>: req block

 

 

Thank you boneyard

This iRule is working fine.

I just had to add an "if support id exists" condition in the "ASM_REQUEST_DONE" section.

 

when HTTP_REQUEST {
    # HTML-escape the host and URI, since they are embedded in the block page below
    set requri [string map [list & "&amp;" < "&lt;" > "&gt;" \" "&quot;" ' "&#39;"] "https://[HTTP::host][HTTP::uri]"]
}

when ASM_RESPONSE_VIOLATION {
    log local0. "hello world1"
    #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
    set asm_support_id1 [ASM::support_id]
    HTTP::header remove Content-Length
    HTTP::header insert header_1 value_1
    set client_ip1 [IP::client_addr]
    set response1 "<html><head><title>Request Rejected</title></head><body> The requested URL was rejected. Please consult with your administrator.<br><br> Your support ID is: $asm_support_id1<br><br><a href='javascript:history.back();'>Go Back</a><br><br> Your URL is: $requri <br><br> Your client IP is: $client_ip1 </body></html>"
    log local0. "req block1"
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response1
    HTTP::header replace Content-Length [ASM::payload length]
}

when ASM_REQUEST_DONE {
    log local0. "hello world2"
    #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
    set asm_support_id2 [ASM::support_id]
    # "info exists" takes a variable name, not its value, so test the ID itself
    if { $asm_support_id2 ne "" } {
        HTTP::header remove Content-Length
        HTTP::header insert header_1 value_1
        set client_ip2 [IP::client_addr]
        set response2 "<html><head><title>Request Rejected</title></head><body> The requested URL was rejected. Please consult with your administrator.<br><br> Your support ID is: $asm_support_id2<br><br><a href='javascript:history.back();'>Go Back</a><br><br> Your URL is: $requri <br><br> Your client IP is: $client_ip2 </body></html>"
    }
}

when ASM_REQUEST_BLOCKING {
    log local0. "req block2"
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response2
    HTTP::header replace Content-Length [ASM::payload length]
}

 

 

This is the iRule I took to the next level with an iFile and custom HTML/JavaScript code:

# Created by: AbedB 04-11-2020
# Do not edit this iRule without AbedB permission

when HTTP_REQUEST {
    # HTML-escape the host and URI, since they are substituted into the iFile block page below
    set requri [string map [list & "&amp;" < "&lt;" > "&gt;" \" "&quot;" ' "&#39;"] "https://[HTTP::host][HTTP::uri]"]
}

when ASM_RESPONSE_VIOLATION {
    log local0. "hello world1"
    #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
    set asm_support_id1 [ASM::support_id]
    HTTP::header remove Content-Length
    HTTP::header insert header_1 value_1
    set client_ip1 [IP::client_addr]
    # The iFile holds the HTML; subst fills in $asm_support_id1, $requri and $client_ip1.
    # The page content goes straight into the payload (not wrapped in an "HTTP::respond" string).
    set response1 [subst -nocommands -nobackslashes [ifile get "blockpage1.html"]]
    log local0. "req block1 and support id is: $asm_support_id1"
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response1
    HTTP::header replace Content-Length [ASM::payload length]
}

when ASM_REQUEST_DONE {
    log local0. "hello world2"
    #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
    set asm_support_id2 [ASM::support_id]
    # "info exists" takes a variable name, not its value, so test the ID itself
    if { $asm_support_id2 ne "" } {
        HTTP::header remove Content-Length
        HTTP::header insert header_1 value_1
        set client_ip2 [IP::client_addr]
        set response2 [subst -nocommands -nobackslashes [ifile get "blockpage2.html"]]
    }
}

when ASM_REQUEST_BLOCKING {
    log local0. "req block2"
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response2
    HTTP::header replace Content-Length [ASM::payload length]
}