Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

irule creation based on Host Address contains IP Address

Lead
Nimbostratus
Nimbostratus

‎12-Jan-2023 23:23

help in creating irule for disabling ASM policy when traffic from certain Source IP address and violation triggered as Host header contains IP address

Labels:
0 Kudos
9 REPLIES 9

Mohamed_Ahmed_Kansoh
MVP
MVP

‎13-Jan-2023 01:20

Hi @Lead ,

Do you want to allow users to access your web service directly from ip without DNS resolution or what ?? 

Or 

Do you want to disable ASM policy from inspecting certain source ip address ? 

Could you please clarify more ?

_______________________
Regards
Mohamed Kansoh
0 Kudos

CA_Valli
MVP
MVP

‎13-Jan-2023 01:27

Assuming that HTTP::host will always match VS IP:

when HTTP_REQUEST {
  if {[HTTP::host] eq [IP::local_addr] }{ ASM::disable }
}
0 Kudos

Lead
Nimbostratus
Nimbostratus
In response to CA_Valli

‎13-Jan-2023 01:36

Hi,

Additionaly we want 1 more condition if request blocked under ASM violation (Host header contain IP address)

then only it gets allowed and for other violation it should gets blocked only.

 

Thanks,

Amit

0 Kudos

CA_Valli
MVP
MVP
In response to Lead

‎13-Jan-2023 09:00 - edited ‎16-Jan-2023 01:16

 

Hello, I've been messing with lab a little and I've seen that this violation triggers "HTTP protocol compliance failed" violation with "HTTP parser attack" (I'm running v13.x) 

So, according to https://clouddocs.f5.com/api/irules/ASM__violation_data.html  we should be able to intercept this running the following:

 

when HTTP_REQUEST {
  set bypass 0
  if {[IP::client_addr] eq "10.0.0.1" && [HTTP::host] eq [IP::local_addr]}{ set bypass 1 }
}
when ASM_REQUEST_DONE {
  if {$bypass}{
     if {[ASM::violation names] eq "VIOLATION_HTTP_SANITY_CHECK_FAILED" && [ASM::violation attack_types] eq "ATTACK_TYPE_HTTP_PARSER_ATTACK" }{ ASM::unblock }
  }
}

 

 

I've tested this but had no success, as ASM_REQUEST_DONE seems to never fire in my lab amongst with all ASM_* events for some reason .. I'll look into that when I have some more free time next week.

 

0 Kudos

Lead
Nimbostratus
Nimbostratus

‎13-Jan-2023 01:31

Hi,

If request come from specific IP instead of getting it blocked under ASM violation as (Host Header contains IP address)  we want request to be allowed with the help of irule. 

Thanks,

Lead

0 Kudos

Mohamed_Ahmed_Kansoh
MVP
MVP
In response to Lead

‎13-Jan-2023 01:36

Yes @Lead , 

The irule of @CA_Valli will solve this requirement. 

 

_______________________
Regards
Mohamed Kansoh
0 Kudos

Lead
Nimbostratus
Nimbostratus
In response to Mohamed_Ahmed_Kansoh

‎13-Jan-2023 01:40

Yes it will work, but it will allowed all the traffic

 

Thanks,

Amit

0 Kudos

Mohamed_Ahmed_Kansoh
MVP
MVP
In response to Lead

‎13-Jan-2023 07:11

Okay @Lead  , 

In this case I think you should dis-check the block box of " host header contains ip addres " from learning and blocking settings under ( http compliance ) section. 

You will allow anyone  to browse your application by ip directly. 

I don't know if your request is doable by iRules or not as you need to allow specific violation under specific source ip.

_______________________
Regards
Mohamed Kansoh
0 Kudos

Paulius
MVP
MVP
In response to Lead

‎13-Jan-2023 07:39

@Lead Because you want to first match a function of the ASM policy and then disable the ASM policy I do not believe this is possible because it's an all or nothing from what I can tell in process order.

0 Kudos
Copyright © 2023 Khoros, LLC