Forum Discussion
youssef1
May 04, 2018 · Cumulonimbus
Hello,
You will see traffic in /var/log/ltm:
when ASM_REQUEST_DONE {
    # Only consider requests whose URI is listed in the data group
    if { [class match [HTTP::uri] equals "DataGroup1"] } {
        # Unblock only when SQL injection is the sole attack type reported
        if { [ASM::violation attack_types] equals "ATTACK_TYPE_SQL_INJECTION" } {
            ASM::unblock
            log local0. "ASM_LOGS: SQL-Injection bypass for [HTTP::uri] from [IP::remote_addr]"
        }
    } else {
        # Reached when the URI is not in DataGroup1
        log local0. "ASM_LOGS: More than one type of violation, too dangerous to Unblock return"
    }
}
And of course there must be traffic, and our condition has to be triggered.
First of all, try to trigger a URI set in your Datagroup1 (and check the logs), then try to launch an SQL injection from an authorized URI (and check the logs):
more /var/log/ltm | grep "ASM_LOGS:"
If you have nothing in the ltm logs, it means that your request was not unblocked and that our iRule was not triggered. That means that you will see the request in the "ASM event logs". And if you have nothing in ASM, that means that ASM did not analyze your request as an attack...
Last point: why don't you set this exception directly in ASM?
Regards
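
To go with the log check described in the post above, here is an added example (not part of the original post) that summarises the iRule's "ASM_LOGS:" lines per URI and client IP, so every unblocked request can be reviewed. The log lines, host name, rule name asm_sqli_bypass and addresses are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit which requests the iRule unblocked.
# Exit status 1 = no ASM_LOGS line at all, i.e. the iRule never fired and the
# request has to be looked up in the ASM event logs instead.
asm_bypass_summary() {
    awk '
        /ASM_LOGS: SQL-Injection bypass for / {
            # Message layout written by the iRule: "<uri> from <client ip>"
            n = split($0, parts, "ASM_LOGS: SQL-Injection bypass for ")
            msg = parts[n]
            # The URI is client-controlled text, so take the IP as the LAST
            # field and treat everything before " from <ip>" as the URI.
            k = split(msg, w, " ")
            ip = w[k]
            uri = substr(msg, 1, length(msg) - length(ip) - 6)
            seen[uri " " ip]++
            found = 1
            next
        }
        /ASM_LOGS:/ { found = 1 }   # the other message logged by the iRule
        END {
            cmd = "LC_ALL=C sort -k1,1nr -k2"
            for (key in seen) print seen[key], key | cmd
            close(cmd)
            exit (found ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample lines in the usual /var/log/ltm layout for iRule logging.
sample_ltm_log() {
    cat <<'EOF'
May  4 10:12:01 bigip1 info tmm[11223]: Rule /Common/asm_sqli_bypass <ASM_REQUEST_DONE>: ASM_LOGS: SQL-Injection bypass for /app/search from 192.0.2.5
May  4 10:12:07 bigip1 info tmm[11223]: Rule /Common/asm_sqli_bypass <ASM_REQUEST_DONE>: ASM_LOGS: SQL-Injection bypass for /app/search from 192.0.2.5
May  4 10:13:30 bigip1 info tmm1[11223]: Rule /Common/asm_sqli_bypass <ASM_REQUEST_DONE>: ASM_LOGS: SQL-Injection bypass for /app/report from 192.0.2.9
May  4 10:14:02 bigip1 info tmm[11223]: Rule /Common/asm_sqli_bypass <ASM_REQUEST_DONE>: ASM_LOGS: More than one type of violation, too dangerous to Unblock return
May  4 10:14:09 bigip1 notice mcpd[5012]: unrelated constructed line
EOF
}

# Stand-alone use: sh script.sh /var/log/ltm
if [ -n "${1:-}" ]; then asm_bypass_summary "$1"; fi
```

Each output row is "count URI client-IP", most frequent first; a URI or address that should never have been exempted stands out immediately.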