irule creation based on Host Address contains IP Address

Lead

Help in creating an iRule for disabling the ASM policy when traffic comes from a certain source IP address and the violation triggered is "Host header contains IP address".


Hi @Lead ,

Do you want to allow users to access your web service directly by IP, without DNS resolution, or what?

Or 

Do you want to disable ASM policy inspection for a certain source IP address?

Could you please clarify further?

_______________________
Regards
Mohamed Kansoh

CA_Valli (MVP)

Assuming that HTTP::host will always match VS IP:

when HTTP_REQUEST {
  if {[HTTP::host] eq [IP::local_addr] }{ ASM::disable }
}

Hi,

Additionally, we want one more condition: only if the request is blocked under the ASM violation "Host header contains IP address"

should it be allowed; for any other violation it should still get blocked.


Thanks,

Amit


Hello, I've been messing with a lab a little and I've seen that this violation triggers the "HTTP protocol compliance failed" violation with the "HTTP parser attack" attack type (I'm running v13.x).

So, according to https://clouddocs.f5.com/api/irules/ASM__violation_data.html, we should be able to intercept this by running the following:


when HTTP_REQUEST {
  set bypass 0
  if {[IP::client_addr] eq "10.0.0.1" && [HTTP::host] eq [IP::local_addr]}{ set bypass 1 }
}
when ASM_REQUEST_DONE {
  if {$bypass}{
     if {[ASM::violation names] eq "VIOLATION_HTTP_SANITY_CHECK_FAILED" && [ASM::violation attack_types] eq "ATTACK_TYPE_HTTP_PARSER_ATTACK" }{ ASM::unblock }
  }
}


I've tested this but had no success, as ASM_REQUEST_DONE never seems to fire in my lab, along with all the other ASM_* events, for some reason. I'll look into that when I have some more free time next week.
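A tighter version of the draft above, written here as an added example (not CA_Valli's or F5's code): it limits the bypass to client IPs in an address-type data group (the name asm_host_ip_bypass is hypothetical), tests the Host header for an IPv4 literal instead of comparing it to the VS address, and unblocks only when the sanity-check violation is the sole violation, so every other violation still blocks as Amit asked.

```tcl
# Added example, not from this thread or from F5.
# Assumes an address-type data group "asm_host_ip_bypass" (hypothetical name)
# holding the client IPs that may use a bare IP in the Host header.
when HTTP_REQUEST {
  set bypass 0
  # Drop an optional :port before testing for an IPv4 literal
  set host [lindex [split [HTTP::host] ":"] 0]
  if { [class match [IP::client_addr] equals asm_host_ip_bypass] &&
       [regexp {^\d{1,3}(\.\d{1,3}){3}$} $host] } {
    set bypass 1
  }
}

when ASM_REQUEST_DONE {
  if { $bypass } {
    # Both commands return Tcl lists, so compare them as lists, not strings
    set names [ASM::violation names]
    set types [ASM::violation attack_types]
    # Unblock only when the host-IP sanity check is the single violation;
    # a request that also carries any other violation stays blocked
    if { [llength $names] == 1 &&
         [lindex $names 0] eq "VIOLATION_HTTP_SANITY_CHECK_FAILED" &&
         [lsearch -exact $types "ATTACK_TYPE_HTTP_PARSER_ATTACK"] >= 0 } {
      ASM::unblock
      # Leave an audit trail of every bypass so it can be reviewed later
      log local0. "ASM unblock (host header is IP) for [IP::client_addr] host=[HTTP::host]"
    }
  }
}
```

ASM_* events only fire when "Trigger ASM iRule Events" is enabled in the security policy's properties, which is worth checking before concluding the event never runs.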


Lead

Hi,

If the request comes from a specific IP, instead of getting it blocked under the ASM violation "Host header contains IP address", we want the request to be allowed with the help of an iRule.

Thanks,

Lead

Yes @Lead,

The iRule from @CA_Valli will solve this requirement.


_______________________
Regards
Mohamed Kansoh

Yes, it will work, but it will allow all the traffic.


Thanks,

Amit

Okay @Lead,

In this case I think you should uncheck the Block box for "Host header contains IP address" in the Learning and Blocking settings, under the HTTP Compliance section.

You will allow anyone to browse your application by IP directly.

I don't know if your request is doable with iRules or not, as you need to allow a specific violation for a specific source IP.

_______________________
Regards
Mohamed Kansoh

@Lead Because you want to first match a function of the ASM policy and then disable the ASM policy, I do not believe this is possible; from what I can tell of the processing order, it's all or nothing.