03-Oct-2020 14:04
Has anyone here faced the issue of "ASM_REQUEST_BLOCKING" not being triggered in an LTM iRule?
The "Trigger ASM iRule Events Mode" is set to normal in the ASM policy.
Running v15.1.0.5.
New setup, never tried this before.
Thanks
04-Oct-2020 05:03
To be sure, you are creating violations, right?
Different types?
04-Oct-2020 08:01
Yes
I mean I do get the access rejected page, but I get the default page, and I need to customize it,
as described here: https://support.f5.com/csp/article/K22017023
04-Oct-2020 10:57
And you have the iRule associated with the virtual server that also has the ASM profile with the "Trigger ASM iRule Events Mode" enabled?
Can you add some log statements to your iRule events to see if they get triggered at all?
Does the ltm log show something related at the moment?
04-Oct-2020 11:40
Yes, it is the same VS.
And yes, I tried to add log local0. to the iRule, but nothing was detected in the "ASM_REQUEST_BLOCKING" section.
09-Oct-2020 00:03
Does anyone have any idea on how to solve this?
10-Oct-2020 00:06
The only thing I saw in previous questions is that it didn't trigger for all types of violations; the example there was Data Guard, which didn't trigger it. You might try a couple of different violation types to rule that out.
But if that is OK, and if you have the configuration set up correctly (which you seem to have) and it still doesn't work, then it could be a bug. Best to have F5 support have a look at your configuration and determine if it is a bug.
10-Oct-2020 01:38
The thing with F5 technical support is they do not support iRules.
Only in rare cases, or if you have some sort of support level contract ....
10-Oct-2020 01:43
They don't support full debugging / writing of iRules, but in my experience they will assist in something like this, or if something clearly fails, especially when you are just following F5 articles and doing something relatively simple like this. I would certainly try them.
11-Oct-2020 15:06
Have you tried using ASM_REQUEST_DONE instead of ASM_REQUEST_VIOLATION? ASM_REQUEST_VIOLATION was deprecated in v11.5 and replaced with ASM_REQUEST_DONE.
11-Oct-2020 21:33
If I do that then my website will not be reached and I'll get this browser error message:
This page isn’t working
my.domain.com didn’t send any data.
ERR_EMPTY_RESPONSE
I see the iRule triggered, but with errors in /var/log/ltm:
Oct 12 07:30:07 My-F5 info tmm5[14584]: Rule /Common/ASM_custom_block_page_v3 <ASM_REQUEST_DONE>: hello world
Oct 12 07:30:08 My-F5 err tmm5[14584]: 011f0016:3: http_process_state_prepend - Invalid action:0x10a010 Server sends too much data. serverside (172.26.137.34:443 -> 172.26.137.46:6759) clientside (1.2.3.4:62170 -> 172.26.137.41:443) (Server side: vip=/Common/myserver_test profile=http pool=/Common/srv-myserver server_ip=172.26.137.34)
19-Oct-2020 05:08
How is your full iRule looking now?
If you only test with the example from https://clouddocs.f5.com/api/irules/ASM_REQUEST_DONE.html, what happens?
19-Oct-2020 06:01
This is my current iRule
when HTTP_REQUEST {
    set requri "https://[HTTP::host][HTTP::uri]"
}
when ASM_REQUEST_DONE {
    log local0. "hello world"
    #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
    set asm_support_id [ASM::support_id]
    HTTP::header remove Content-Length
    HTTP::header insert header_1 value_1
    set client_ip [IP::client_addr]
    set response "<html>
<head>
<title>Request Rejected</title>
</head>
<body>
The requested URL was rejected. Please consult with your administrator.<br><br>
Your support ID is: $asm_support_id<br><br><a href='javascript:history.back();'>Go Back</a><br><br>
Your URL is: $requri
Your client IP is: $client_ip
</body>
</html>"
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response
}
22-Oct-2020 05:12
So that was an interesting one; it took me a few tries to get something working.
The cloud docs suggest that ASM::payload works in most of the ASM events, but for me it only seems to work in ASM_REQUEST_BLOCKING; well, certainly the replace only works there.
There is also a known issue which shouldn't be an issue for 14.1 but is for me: https://support.f5.com/csp/article/K13696
So if you set the iRule events mode to normal, then you use ASM_REQUEST_DONE (instead of the two other ones) but can only check for what happened.
The replacing still has to happen in ASM_REQUEST_BLOCKING.
Can you try something like this and show the ltm log output?
when ASM_REQUEST_DONE {
    log local0. "req done"
    set x [ASM::violation_data]
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
            0 { log local0. "violation=[lindex $x $i]" }
            1 { log local0. "support_id=[lindex $x $i]" }
            2 { log local0. "web_application=[lindex $x $i]" }
            3 { log local0. "severity=[lindex $x $i]" }
            4 { log local0. "source_ip=[lindex $x $i]" }
            5 { log local0. "attack_type=[lindex $x $i]" }
            6 { log local0. "request_status=[lindex $x $i]" }
        }
    }
}
when ASM_REQUEST_BLOCKING {
    log local0. "req block"
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 "abcdefghi"
    HTTP::header replace Content-Length [ASM::payload length]
}
This is 14.1.2.3 (lab) btw, so things might have changed in 15.1, although I can't find details on that.
25-Oct-2020 23:09
Hi
I launched this iRule and tried to create a violation; the ASM blocked me, but the ltm log doesn't show anything related to the "req block" log. Here is the output:
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563438358212
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563489517902
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
Oct 26 08:04:49 My-F5 info tmm7[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear
25-Oct-2020 23:50
Because you didn't trigger a violation according to the output. violation is empty and it shouldn't be.
yours:
Oct 26 08:04:49 My-F5 info tmm2[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
test from me:
Oct 22 13:40:01 bigip-01 info tmm2[20840]: Rule /Common/irule-asm_blockpage <ASM_REQUEST_DONE>: violation=VIOLATION_REQ_LEN,VIOLATION_OBJ_LEN,VIOLATION_OBJ_TYPE
There is no violation information at yours and there should be.
So you have to check if everything is set up correctly, perhaps multiple ASM policies and not having the right one here, or ... it is difficult to determine what it could be from a distance.
Reaching out to F5 support would be a good idea if you don't see an issue; it might be a bug. I'm running 14.1 and don't have 15.1 quickly available.
25-Oct-2020 23:54
But I did trigger a violation.
I also received a support ID and ASM blocked my request.
I will try to reach out to support soon.
Thanks 🙂
26-Oct-2020 00:38
Can you look up that support ID and share the output (redacted where needed)?
26-Oct-2020 00:49
Sure
Attached
26-Oct-2020 10:18
Ah interesting, a redirect violation; that might be the reason, as it is in the response.
Can you try with another kind of violation?
26-Oct-2020 11:35
I believe I found the issue: as this is a response violation (it is not something bad sent by the client, but the response the webserver sends is what should be blocked), it should be handled in the ASM_RESPONSE_VIOLATION event.
This iRule both logs the violation and allows me to rewrite the block page.
when ASM_RESPONSE_VIOLATION {
    log local0. "response violation"
    set x [ASM::violation_data]
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
            0 { log local0. "violation=[lindex $x $i]" }
            1 { log local0. "support_id=[lindex $x $i]" }
            2 { log local0. "web_application=[lindex $x $i]" }
            3 { log local0. "severity=[lindex $x $i]" }
            4 { log local0. "source_ip=[lindex $x $i]" }
            5 { log local0. "attack_type=[lindex $x $i]" }
            6 { log local0. "request_status=[lindex $x $i]" }
        }
    }
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 "12345607890"
    HTTP::header replace Content-Length [ASM::payload length]
}
Logs:
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: response violation
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: violation=VIOLATION_REDIRECT
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: support_id=5611810483771277404
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: web_application=/Common/asm-1
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: severity=Error
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: attack_type=ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: request_status=blocked
Once you can confirm, I'll try to get the cloud docs updated. These things can be made a lot easier with a couple of extra lines explaining the different types of events.
28-Oct-2020 07:21
Hi
I tried a different violation (illegal file type) and now I can see the req block:
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563816978112
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Informational
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=
Oct 28 16:15:45 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=clear
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: req done
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: violation=VIOLATION_OBJ_TYPE
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: support_id=9864890563816985952
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: web_application=/Common/MyServer
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: severity=Critical
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: source_ip=1.2.3.4
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: attack_type=ATTACK_TYPE_FORCEFUL_BROWSING
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_DONE>: request_status=blocked
Oct 28 16:15:50 My-F5 info tmm1[14584]: Rule /Common/devcentral_irule <ASM_REQUEST_BLOCKING>: req block
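A small log-triage script, added here as an example and not part of the thread: it parses the /var/log/ltm lines that the logging iRule above writes, groups them into one record per ASM event, and reports from the violation and request_status fields, and from whether an ASM_REQUEST_BLOCKING line followed, which event has to rewrite the block page, the same diagnosis boneyard made by eye from the "violation=" line. The sample log is constructed from the lines quoted in this thread; the host and rule names and the grouping rule (one open record per tmm, opened by the "req done" / "response violation" marker line) are assumptions.

```python
import re

# One iRule log line from /var/log/ltm, in the format quoted in this thread.
LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ \w+ (?P<tmm>tmm\d*)\[\d+\]: "
                     r"Rule \S+ <(?P<event>[A-Z_]+)>: (?P<msg>.*)$")

def parse_ltm_log(text):
    """Group the per-field lines the iRule logs into one dict per ASM event (per tmm)."""
    records, open_by_tmm = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m: continue
        event, tmm, msg = m["event"], m["tmm"], m["msg"]
        if event == "ASM_REQUEST_BLOCKING":
            # Fires after ASM_REQUEST_DONE for the same request, on the same tmm (assumption).
            if tmm in open_by_tmm:
                open_by_tmm[tmm]["blocking_fired"] = True
        elif "=" not in msg:
            # A marker line ("req done", "response violation") opens a new record.
            rec = {"event": event, "tmm": tmm, "blocking_fired": False}
            records.append(rec)
            open_by_tmm[tmm] = rec
        elif tmm in open_by_tmm:
            key, _, value = msg.partition("=")
            open_by_tmm[tmm][key] = value
    return records

def classify(rec):
    """Which iRule event has to rewrite the block page for this record, per the thread."""
    if rec["event"] == "ASM_RESPONSE_VIOLATION":
        return "response violation: rewrite in ASM_RESPONSE_VIOLATION"
    if not rec.get("violation"):
        return "no request violation: ASM_REQUEST_BLOCKING will not fire"
    if rec.get("request_status") != "blocked":
        return "violation not blocked: ASM_REQUEST_BLOCKING only fires for blocked requests"
    if rec["blocking_fired"]:
        return "request violation blocked: rewrite in ASM_REQUEST_BLOCKING"
    return "blocked but ASM_REQUEST_BLOCKING not seen: check events mode and policy"

def triage(text):
    return {r.get("support_id", "?"): classify(r) for r in parse_ltm_log(text)}  # support_id -> diagnosis

# Constructed sample, modelled on the log lines quoted in this thread (support IDs from the thread).
_EVENTS = [  # (timestamp, tmm, event, messages the iRule logged, in order)
    ("Oct 28 16:15:45", "tmm1", "ASM_REQUEST_DONE",
     ["req done", "violation=", "support_id=9864890563816978112", "request_status=clear"]),
    ("Oct 28 16:15:50", "tmm1", "ASM_REQUEST_DONE",
     ["req done", "violation=VIOLATION_OBJ_TYPE", "support_id=9864890563816985952", "request_status=blocked"]),
    ("Oct 28 16:15:50", "tmm1", "ASM_REQUEST_BLOCKING", ["req block"]),
    ("Oct 26 19:32:00", "tmm", "ASM_RESPONSE_VIOLATION",
     ["response violation", "violation=VIOLATION_REDIRECT", "support_id=5611810483771277404", "request_status=blocked"]),
]
SAMPLE_LTM_LOG = "\n".join(
    f"{ts} My-F5 info {tmm}[14584]: Rule /Common/devcentral_irule <{ev}>: {msg}"
    for ts, tmm, ev, msgs in _EVENTS for msg in msgs)
```

Running `triage(SAMPLE_LTM_LOG)` gives one verdict per support ID; a "no request violation" verdict for a request you expected to be blocked is the signal to look at the response side, as happened in this thread.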
04-Nov-2020 06:01 - last edited on 22-Nov-2022 15:12 by JimmyPackets
Thank you boneyard.
This iRule is working fine.
I just had to add an "if support id exists" condition in the "ASM_REQUEST_DONE" section:
when HTTP_REQUEST {
    set requri "https://[HTTP::host][HTTP::uri]"
}
when ASM_RESPONSE_VIOLATION {
    # Response-side violations (e.g. VIOLATION_REDIRECT): the block page is rewritten here.
    log local0. "hello world1"
    #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
    set asm_support_id1 [ASM::support_id]
    HTTP::header remove Content-Length
    HTTP::header insert header_1 value_1
    set client_ip1 [IP::client_addr]
    set response1 "<html><head><title>Request Rejected</title></head><body>
The requested URL was rejected. Please consult with your administrator.<br><br>
Your support ID is: $asm_support_id1<br><br><a href='javascript:history.back();'>Go Back</a><br><br>
Your URL is: $requri <br><br>
Your client IP is: $client_ip1
</body></html>"
    log local0. "req block1"
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response1
    HTTP::header replace Content-Length [ASM::payload length]
}
when ASM_REQUEST_DONE {
    # Request-side violations: the page is built here and the payload is replaced in ASM_REQUEST_BLOCKING.
    log local0. "hello world2"
    #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
    set asm_support_id2 [ASM::support_id]
    # info exists takes a variable name, not its value: "info exists $asm_support_id2" would look for
    # a variable named after the ID itself and never match. Also skip an empty support ID.
    if { [info exists asm_support_id2] && $asm_support_id2 ne "" } {
        HTTP::header remove Content-Length
        HTTP::header insert header_1 value_1
        set client_ip2 [IP::client_addr]
        set response2 "<html><head><title>Request Rejected</title></head><body>
The requested URL was rejected. Please consult with your administrator.<br><br>
Your support ID is: $asm_support_id2<br><br><a href='javascript:history.back();'>Go Back</a><br><br>
Your URL is: $requri <br><br>
Your client IP is: $client_ip2
</body></html>"
    }
}
when ASM_REQUEST_BLOCKING {
    log local0. "req block2"
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response2
    HTTP::header replace Content-Length [ASM::payload length]
}
This is the iRule I took to the next level with an iFile and custom HTML/JavaScript code:
#Created by: AbedB 04-11-2020
#Do not edit this iRule without AbedB permission
when HTTP_REQUEST {
    set requri "https://[HTTP::host][HTTP::uri]"
}
when ASM_RESPONSE_VIOLATION {
    log local0. "hello world1"
    #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
    set asm_support_id1 [ASM::support_id]
    HTTP::header remove Content-Length
    HTTP::header insert header_1 value_1
    set client_ip1 [IP::client_addr]
    # Read the block page from the iFile and substitute the $variables it references.
    # The result must be the bare HTML: wrapping it in "HTTP::respond 200 content ..." would put
    # that literal text into the response body instead of executing it.
    set response1 [subst -nocommands -nobackslashes [ifile get "blockpage1.html"]]
    log local0. "req block1 and support id is: $asm_support_id1"
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response1
    HTTP::header replace Content-Length [ASM::payload length]
}
when ASM_REQUEST_DONE {
    log local0. "hello world2"
    #log local0. "Request from [IP::client_addr] blocked: [HTTP::uri]"
    set asm_support_id2 [ASM::support_id]
    # info exists takes a variable name, not its value; also skip an empty support ID.
    if { [info exists asm_support_id2] && $asm_support_id2 ne "" } {
        HTTP::header remove Content-Length
        HTTP::header insert header_1 value_1
        set client_ip2 [IP::client_addr]
        set response2 [subst -nocommands -nobackslashes [ifile get "blockpage2.html"]]
    }
}
when ASM_REQUEST_BLOCKING {
    log local0. "req block2"
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response2
    HTTP::header replace Content-Length [ASM::payload length]
}