
IP Address Exception in ASM

nirsham_178691
Nimbostratus

Hi,

 

Is there a way to create an IP address exception per ASM signature?

The IP Address exceptions list is too general for all ASM protections. I need something more specific.

I know ASM is not an IPS device, but it's the same, and in all IPS devices you can do this kind of exception.

Regards,

Nir

 

6 REPLIES

Hannes_Rapp_162
Nacreous

As far as I'm aware, the closest option you have in the GUI is creating an IP address exception (linked to a particular ASM policy). If you want something more granular (an exception linked to a specific signature ID), it can be done using iRules only.

 

A single IP and signature:

 

    when ASM_REQUEST_DONE {
        # Exempt one client address from one attack signature: if the request came
        # from that address and the signature ID appears in the violation details,
        # lift the block and log what was waived
        if { ([IP::client_addr] equals "My-IP-Address") && ([ASM::violation details] contains "My-Signature-ID") } {
            ASM::unblock
            log local0. "[ASM::violation_data]. Unblocked for [IP::client_addr]"
        }
    }

Multiple IP addresses and multiple signatures:

 

    when ASM_REQUEST_DONE {
        # Same idea driven by two data groups: an address-type data group of exempt
        # client addresses and a string-type data group of signature IDs.
        # "class match" takes the item after a space and uses equals/contains
        # (not ==) as its operator.
        if { [class match [IP::client_addr] equals data-group-ip-address-list] && [class match [ASM::violation details] contains data-group-signature-ids] } {
            log local0. "[ASM::violation_data]. Unblocked for [IP::client_addr]"
            ASM::unblock
        }
    }
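One thing to watch with both rules above: ASM::unblock releases the whole request, so a client that is exempt from one signature is also let through when that signature fires together with some other violation (another signature, a parameter or length violation, and so on), and a substring check on the details text also matches a longer signature ID that merely starts with the exempted one. The iRule below is an added example written for this thread, not code from the reply or from F5. It assumes a hypothetical address-type data group named asm_ip_sig_exceptions whose value for each client address or subnet is a space-separated list of the signature IDs that client is exempt from, and it assumes that [ASM::violation details] reports each matched signature as "sig_id <number>" (adjust the regexp if your BIG-IP version formats it differently). It only unblocks when every violation on the request is a signature match and every signature that fired is on that client's own list, and it logs the support ID either way so the decision can be reviewed later.

```tcl
# Added example; not part of the original reply. Assumes an address-type data
# group named "asm_ip_sig_exceptions" (hypothetical name) whose value for each
# client address or subnet is a space-separated list of the signature IDs that
# client is exempt from, e.g. the constructed entry
#     10.0.5.17/32 := "200000098 200010001"
# Also assumes that [ASM::violation details] reports each matched signature as
# "sig_id <number>"; adjust the regexp if your version formats it differently.
when ASM_REQUEST_DONE {
    # Nothing to do for clean requests
    if { [ASM::violation count] == 0 } { return }

    # Per-client exemption list; an empty result means this client has none
    set exempt_sigs [class match -value [IP::client_addr] equals asm_ip_sig_exceptions]
    if { $exempt_sigs eq "" } { return }

    # Guard 1: every violation on the request must be a signature match. A request
    # that also carries, say, a parameter or length violation keeps its block,
    # because the exception is scoped to signatures, not to the client as a whole.
    foreach name [ASM::violation names] {
        if { $name ne "VIOLATION_ATTACK_SIGNATURE_DETECTED" } {
            log local0. "ASM support id [ASM::support_id]: $name from [IP::client_addr] is not exempt, block kept"
            return
        }
    }

    # Guard 2: every signature that fired must be in this client's list, compared
    # as a whole ID rather than as a substring.
    # regexp -all -inline returns {whole-match sig_id whole-match sig_id ...}
    set fired [list]
    set not_exempt [list]
    foreach {whole sig_id} [regexp -all -inline {sig_id (\d+)} [ASM::violation details]] {
        lappend fired $sig_id
        if { [lsearch -exact $exempt_sigs $sig_id] < 0 } {
            lappend not_exempt $sig_id
        }
    }
    if { [llength $fired] == 0 || [llength $not_exempt] > 0 } {
        log local0. "ASM support id [ASM::support_id]: signatures {$not_exempt} from [IP::client_addr] are not exempt, block kept"
        return
    }

    # Only now lift the block, and record exactly what was waived for later review
    ASM::unblock
    log local0. "ASM support id [ASM::support_id]: unblocked [IP::client_addr], exempt signatures {$fired}"
}
```

Keeping the list per client (rather than one list of IPs and one list of signatures) means adding a signature for one partner does not silently extend the exemption to every other listed address, and the per-request log line gives the SOC the support ID to pull the full event from ASM if the waiver is ever questioned.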

I agree with Hannes. This requires an iRule. There is no option in security policies to exempt an IP address from an individual attack signature.

Ok, thanks. I'll give it a go. Regards, Nir
