Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Some help with irule to unblock ASM for URIs and matching signature

davidfisher
Cirrus
Cirrus

‎24-Feb-2022 09:09 - edited ‎24-Feb-2022 09:10

Hello Team F5!

I wish to create irules to disable based on 3 matching conditions:

- client IP - x.x.x.x.

- URIs and paths:

/apis - for all URIs starting with /apis

/example/proxy.aspx – Exact path match till the end

/examplepath/version – Exact path match till the end

  • And to bypass ASM signature 200000152

We are thinking of using all these at once.

Right now we have something like this:

 

Rule-1
-------

when ASM_REQUEST_DONE {
         if {[IP::addr [IP::client_addr] equals x.x.x.x] and [string tolower [HTTP::uri]] starts_with "/apis" and [ASM::violation details] contains "200000152"}
         {
                ASM::unblock
                log local0. "ASM unblocking [HTTP::uri] and Source IP.x.x.x.x"
         }
}

Rule-2
-------

when ASM_REQUEST_DONE {
         if {[IP::addr [IP::client_addr] equals x.x.x.x] and [string tolower [HTTP::uri]] equals "/example/proxy.aspx" and [ASM::violation details] contains "200000152"}
         {
                ASM::unblock
                log local0. "ASM unblocking [HTTP::uri] and Source IP.x.x.x.x"
         }
}

Rule-3
-------

when ASM_REQUEST_DONE {
         if {[IP::addr [IP::client_addr] equals x.x.x.x] and [string tolower [HTTP::uri]] equals "/examplepath/version" and [ASM::violation details] contains "200000152"}
         {
                ASM::unblock
                log local0. "ASM unblocking [HTTP::uri] and Source IP.x.x.x.x"
         }
}

 

 

 

 

 

 

 

Labels:
0 Kudos
1 REPLY 1

Ismael_Goncalves
F5 Employee
F5 Employee

‎25-Feb-2022 17:21

@davidfisher , your iRule logic seem to be fine, however, could you clarify more the reason why you want this? Is this due a false positive? I've seen similar scenarios where a parameter contained an XML data such as param=<?xml version="1.0"?>... causing some false positive. In that case, you could create a parameter of XML Value instead of 'User input' value. Also, if you don't care much about the source IP, you can disable the signatures at the URL level but then you disable for everybody. This would depend if it is satisfy your security requirements. 

0 Kudos
Copyright © 2023 Khoros, LLC