Forum Discussion

Nimbostratus

May 02, 2018

SQL-Injection bypass and logging iRule

I am working on an iRule that will unblock traffic going to URLs in a Data Group and log when it does so. This is what I have and want to have it reviewed to make sure it is written correctly. ...

Cumulonimbus

May 04, 2018

hello,

You will see trafic in /var/log/ltm

 when ASM_REQUEST_DONE {

if { [class match [HTTP::uri] equals "DataGroup1"] } { 
    if { [ASM::violation attack_types] equals "ATTACK_TYPE_SQL_INJECTION"} { 
        ASM::unblock
        log local0. "ASM_LOGS: SQL-Injection bypass for [HTTP::uri] from [IP::remote_addr]"
    } 
} else { 
   log local0. "ASM_LOGS: More than one type of violation, too dangerous to Unblock return"

} 
}

and of course there must be traffic and our condition has to be triggered.

First of try to trigg URI set in your Datagroup1 (and check logs) then try to lunch an sql injection from autorized URI (and check logs). more /var/log/ltm | grep "ASM_LOGS:"

If you have nothing in the ltm logs it's mean that your request was not unblock and that our irule don't trigged. That's mean that you will see the the request in the "ASM event logs". And if you have nothing in the asm that's mean that asm analyse your request not like an attack...

Last point: why you don't set this exception directly in ASM?

Regards

Forum Discussion

SQL-Injection bypass and logging iRule

Recent Discussions

how can I find the software version is 32 bit or 64 bit from LTM 15.1.10.4

(How) can I get two client certificates in one APM session?

Open Redirection Mitigation

BIG-IP DNS iRule issue with static variable

Using okta as SSO to login F5 GUI

Related Content

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Joomla! SQL Injection Vulnerability

Is F5 WAF support JSON syntax in their SQL injection inspection process.

SQL injection – past, present and future

Bypass certificate check