Forum Discussion

nirsham_178691
Mar 31, 2015

IP Address Exception in ASM

Hi,

Is there a way to create an IP address exception per ASM signature?

The IP address exceptions list is too general, as it applies to all ASM protections. I need something more specific.

I know ASM is not an IPS device, but it's the same, and in all IPS devices you can make this kind of exception.

Regards,

Nir

6 Replies

  • As far as I'm aware, the closest option you have in the GUI is creating an IP address exception (linked to a particular ASM policy). If you want something more granular (an exception linked to a specific signature ID), it can be done using iRules only.

    A single IP and signature:

    when ASM_REQUEST_DONE {
      # Unblock only the listed client, and only when the named signature fired.
      # "equals" is a string comparison; "==" would try a numeric compare first.
      if { ([IP::client_addr] equals "My-IP-Address") && ([ASM::violation details] contains "My-Signature-ID") } {
        ASM::unblock
        log local0. "[ASM::violation_data]. Unblocked for [IP::client_addr]"
      }
    }

    Multiple IP addresses and multiple signatures:

    when ASM_REQUEST_DONE {
      # Syntax is: class match <value> <operator> <data-group-name>
      # data-group-ip-address-list: address-type data group of exempt clients
      # data-group-signature-ids: string-type data group of signature IDs;
      # "contains" is true if the violation details contain any listed ID.
      if { [class match [IP::client_addr] equals data-group-ip-address-list] && [class match [ASM::violation details] contains data-group-signature-ids] } {
        log local0. "[ASM::violation_data]. Unblocked for [IP::client_addr]"
        ASM::unblock
      }
    }
    • gsharri
      I agree with Hannes. This requires an iRule. There is no option in security policies to exempt an IP address from an individual attack signature.
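The iRules above unblock as soon as the excepted signature appears anywhere in the violation details, which also lets through a request from the excepted client that trips a second, non-excepted signature (or a non-signature violation such as an illegal method). The iRule below is an added example, not code from the thread or from F5; it only unblocks when every violation on the request is an attack-signature violation and every triggered signature ID is in the exempt set. The data group names dg_asm_exempt_ips (address type) and dg_asm_exempt_sigs (string type, one signature ID per entry) are assumptions, and the regular expression that pulls signature IDs out of [ASM::violation details] assumes the usual 9-digit ASM signature ID format (e.g. 200000001); verify that output on your own version before relying on it.

```tcl
# Added example (not from the original thread). Hypothetical data groups:
#   dg_asm_exempt_ips  - address data group: clients allowed this exception
#   dg_asm_exempt_sigs - string data group: signature IDs the exception covers
when ASM_REQUEST_DONE {
    # Nothing to do unless ASM decided to block this request.
    if { [ASM::status] ne "blocked" } { return }

    # The source address must be in the exempt address data group.
    if { ![class match [IP::client_addr] equals dg_asm_exempt_ips] } { return }

    # Every violation must be an attack-signature violation; anything else
    # (illegal method, parameter length, ...) is not covered by the exception.
    foreach v [ASM::violation names] {
        if { $v ne "VIOLATION_ATTACK_SIGNATURE_DETECTED" } {
            log local0. "Not exempting [IP::client_addr]: non-signature violation $v"
            return
        }
    }

    # Extract signature IDs from the violation details. Assumption: ASM
    # signature IDs are 9-digit numbers starting with 2 (e.g. 200000001).
    # \m and \M are word boundaries, so a longer number such as the support
    # ID cannot match by accident.
    set sig_ids [lsort -unique [regexp -all -inline {\m2\d{8}\M} [ASM::violation details]]]
    if { [llength $sig_ids] == 0 } { return }

    # Unblock only if ALL triggered signatures are exempt; a request that also
    # trips a non-exempt signature stays blocked.
    foreach id $sig_ids {
        if { ![class match $id equals dg_asm_exempt_sigs] } {
            log local0. "Not exempting [IP::client_addr]: signature $id not in dg_asm_exempt_sigs"
            return
        }
    }

    ASM::unblock
    log local0. "Unblocked [IP::client_addr] for exempt signature(s): $sig_ids"
}
```

Keep the address data group as tight as the real source (a /32 or the exact NAT range), since ASM::unblock overrides every signature listed for that client; the log lines give you an audit trail of each exception that actually fired.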