12-Jan-2023 23:23
Help in creating an iRule for disabling the ASM policy when traffic comes from a certain source IP address and the violation triggered is "Host header contains IP address"
13-Jan-2023 01:20
Hi @Lead ,
Do you want to allow users to access your web service directly by IP without DNS resolution, or what?
Or
Do you want to disable the ASM policy from inspecting a certain source IP address?
Could you please clarify more ?
13-Jan-2023 01:36
Hi,
Additionally, we want one more condition: only if the request is blocked under the ASM violation (Host header contains IP address)
should it be allowed; for other violations it should still be blocked.
Thanks,
Amit
13-Jan-2023 09:00 - edited 16-Jan-2023 01:16
Hello, I've been messing with the lab a little and I've seen that this violation triggers the "HTTP protocol compliance failed" violation with "HTTP parser attack" (I'm running v13.x).
So, according to https://clouddocs.f5.com/api/irules/ASM__violation_data.html we should be able to intercept this running the following:
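when HTTP_REQUEST {
    # Default: leave ASM blocking in place
    set bypass 0
    # Flag only requests from the exempt client whose Host header equals the local (destination) address
    if { [IP::client_addr] eq "10.0.0.1" && [HTTP::host] eq [IP::local_addr] } {
        set bypass 1
    }
}
when ASM_REQUEST_DONE {
    if { $bypass } {
        # eq against the whole list matches only when this is the sole violation and attack type
        if { [ASM::violation names] eq "VIOLATION_HTTP_SANITY_CHECK_FAILED" && [ASM::violation attack_types] eq "ATTACK_TYPE_HTTP_PARSER_ATTACK" } {
            ASM::unblock
        }
    }
}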
I've tested this but had no success, as ASM_REQUEST_DONE seems to never fire in my lab, along with all ASM_* events, for some reason... I'll look into that when I have some more free time next week.
13-Jan-2023 01:31
Hi,
If a request comes from a specific IP, instead of it getting blocked under the ASM violation (Host header contains IP address), we want the request to be allowed with the help of an iRule.
Thanks,
Lead
13-Jan-2023 01:36
13-Jan-2023 01:40
Yes, it will work, but it will allow all the traffic.
Thanks,
Amit
13-Jan-2023 07:11
Okay @Lead ,
In this case I think you should uncheck the Block box for "Host header contains IP address" in Learning and Blocking Settings, under the HTTP compliance section.
You will allow anyone to browse your application by IP directly.
I don't know if your request is doable with iRules or not, as you need to allow a specific violation for a specific source IP.
13-Jan-2023 07:39
@Lead Because you want to first match a function of the ASM policy and then disable the ASM policy, I do not believe this is possible, because it's all-or-nothing from what I can tell in process order.