
ASM::unblock not working for specific violation

F5Audiolomb
Altostratus

Hello there,
I set an iRule for ASM that should unblock a specific violation:

 

when ASM_REQUEST_DONE {
    set asm_support_id [ASM::support_id]
    if { $uri starts_with "/my/uri" and [ASM::violation names] contains "VIOL_ENCODING" } then {
        ASM::unblock
    }
}

 

This rule is not triggered for that specific violation. What am I missing?
I would also like to point out that if I remove the second part of the IF and leave just the uri match, the rule triggers just fine.

I am 100% sure the violation I am targeting is correct.

Any clues on what is wrong with it?

Thank you!

6 REPLIES

Add logging and check it.

log local0. [ASM::violation names]

You are right, as there are subviolations, so the real name could be different. Still can't remember where I saw the real name with ASM::violation details or ASM::violation_data or the command you shared.

Have you set the variable $uri value before checking its content?

set uri [string tolower [HTTP::uri]] 

As @Juergen_Mang mentioned, logging both [HTTP::uri] and [ASM::violation names] can help a lot.

Yes I did.

I just pasted the snippet I am interested in. Please assume that the rest is in place.

Thank you for helping with this!

T-Trust
MVP

Please log the following to confirm:

when ASM_REQUEST_DONE {
    log local0. "HTTP URI: $uri VIOLATION: [ASM::violation names]"
    set asm_support_id [ASM::support_id]
    if { $uri starts_with "/my/uri" and [ASM::violation names] contains "VIOL_ENCODING" } then {
        ASM::unblock
    }
}

F5Audiolomb
Altostratus

Well... thank you all for your inputs. I logged the violation, and it turns out the violation name is "VIOLATION_CHAR_CONV".

Where is that name coming from, I wonder? If I go to options->application security->advanced configuration->violation list, the violation name I see is the one I specified in my code above.

So, at this point I am completely confused. The violation names in the GUI all start with VIOL_, while the violation names logged via the iRule start with VIOLATION_, hence why my iRule was not working.

Why this discrepancy? All this does not make any sense to me.
If the violation names in the GUI don't match with what I need to use in the iRules, how the heck am I supposed to find what names to use?
BTW, I am on version 15.1.10.2.
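
The finding from this thread as an added example (not code posted by any participant): the iRule matches the name that `[ASM::violation names]` actually logged, `VIOLATION_CHAR_CONV`, instead of the GUI name. It assumes `$uri` is set in `HTTP_REQUEST` as suggested above and that `[ASM::violation names]` returns a Tcl list; the check that it is the only violation is an added design choice, because `ASM::unblock` applies to the whole request rather than to one violation.

```tcl
when HTTP_REQUEST {
    # Capture the URI early so $uri is defined when the ASM event fires.
    set uri [string tolower [HTTP::uri]]
}

when ASM_REQUEST_DONE {
    set names [ASM::violation names]

    # Log the names the iRule API reports; as seen in this thread they
    # use the VIOLATION_ prefix, not the VIOL_ prefix shown in the GUI.
    log local0. "support_id=[ASM::support_id] uri=$uri violations=$names"

    # Added safeguard (assumption, not from the thread): unblock only when
    # the targeted violation is the sole violation on the request, so an
    # unrelated violation on the same URI is still blocked.
    if { $uri starts_with "/my/uri"
         && [llength $names] == 1
         && [lsearch -exact $names "VIOLATION_CHAR_CONV"] >= 0 } {
        ASM::unblock
    }
}
```

Exact list matching with `lsearch -exact` avoids the substring behaviour of `contains`, which would also match any longer violation name that happens to include the target string.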