davidfisher
Feb 24, 2022Cirrus
Some help with irule to unblock ASM for URIs and matching signature
Hello Team F5!
I wish to create irules to disable based on 3 matching conditions:
- client IP - x.x.x.x.
- URIs and paths:
/apis - for all URIs starting with /apis
/example/proxy.aspx – Exact path match till the end
/examplepath/version – Exact path match till the end
And to bypass ASM signature 200000152
We are thinking of using all these at once.
Right now we have something like this:
Rule-1
-------
when ASM_REQUEST_DONE {
if {[IP::addr [IP::client_addr] equals x.x.x.x] and [string tolower [HTTP::uri]] starts_with "/apis" and [ASM::violation details] contains "200000152"}
{
ASM::unblock
log local0. "ASM unblocking [HTTP::uri] and Source IP.x.x.x.x"
}
}
Rule-2
-------
when ASM_REQUEST_DONE {
if {[IP::addr [IP::client_addr] equals x.x.x.x] and [string tolower [HTTP::uri]] equals "/example/proxy.aspx" and [ASM::violation details] contains "200000152"}
{
ASM::unblock
log local0. "ASM unblocking [HTTP::uri] and Source IP.x.x.x.x"
}
}
Rule-3
-------
when ASM_REQUEST_DONE {
if {[IP::addr [IP::client_addr] equals x.x.x.x] and [string tolower [HTTP::uri]] equals "/examplepath/version" and [ASM::violation details] contains "200000152"}
{
ASM::unblock
log local0. "ASM unblocking [HTTP::uri] and Source IP.x.x.x.x"
}
}