Forum Discussion

ndel_119904
Mar 08, 2013

iRule to bypass specific ASM blocking

Hey guys,

One of my servers is issuing a URL to an F5 virtual server, but ASM is blocking the request because it's seeing it as an "evasion technique." The URL does indeed have a '%' at the end of it, so I understand why it's being blocked.

Can an iRule bypass ASM Evasion Techniques if the request is coming from a specific IP?

I was looking at the iRule command 'ASM::violation_data,' but that doesn't look like it's intended to bypass attack methods, but rather only used to tell you if an attack method was triggered.

I know I can setup an iRule to disable ASM entirely if the request matches a particular source IP, and that'll be a last resort if there's no way to be granular about the request.

Thanks!

1 Reply

  • So I think something like this would work:

    when ASM_REQUEST_VIOLATION {
        # ASM::violation_data returns a list whose elements are, in order:
        # violation, support_id, web_application, severity, source_ip,
        # attack_type, request_status
        set x [ASM::violation_data]

        for {set i 0} { $i < 7 } {incr i} {
            switch $i {
                0 { log local0. "violation=[lindex $x $i]" }
                1 { log local0. "support_id=[lindex $x $i]" }
                2 { log local0. "web_application=[lindex $x $i]" }
                3 { log local0. "severity=[lindex $x $i]" }
                4 { log local0. "source_ip=[lindex $x $i]" }
                5 { log local0. "attack_type=[lindex $x $i]" }
                6 { log local0. "request_status=[lindex $x $i]" }
            }
        }

        # Override the block only for the evasion-technique violation and only
        # for the one trusted client: selecting pool1 forwards the request
        # instead of letting ASM block it. Every other violation, and the same
        # violation from any other source, is still blocked as usual.
        if { ([lindex $x 0] contains "VIOLATION_EVASION_DETECTED") and ([IP::client_addr] equals "1.2.3.4") } {
            pool pool1
        }
    }

    However, what evasion technique is this request falling under? Is it the Multiple Decodings violation? If so, I see that a lot and I normally just change the level from 2 to 3, as I don't really see that as a significant increase in risk to the application. My understanding of ASM is that it will decode the request anyway to see if there is an attack hiding behind obfuscation.
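The two checks the thread is talking about, a '%' that does not start a valid escape (the trailing '%' in the question) and a path that needs more decoding passes than the configured maximum (the "level 2 to 3" setting in the reply), can be modelled in a few lines. The script below is an added illustration written for this page, not F5 ASM code and not the poster's iRule; the rule names, the default limit of 2 passes and the sample paths are assumptions chosen to mirror the discussion. `decide()` reproduces the shape of the iRule above: an evasion finding blocks the request unless it comes from a trusted source address.

```python
"""Model of two "evasion technique" checks on a request path.

Added example for this thread; it approximates the behaviour discussed on the
page and is not ASM's implementation. Assumed rules:
  - bad unescape: a '%' not followed by two hex digits
  - multiple decoding: more than MAX_DECODING_LEVEL passes needed before no
    valid %XX escape is left
"""
from __future__ import annotations

import re
from typing import FrozenSet, List, Tuple

# One syntactically valid %XX escape.
VALID_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
# A '%' that does not start a valid escape, e.g. the trailing '%' in "...=42%".
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")

MAX_DECODING_LEVEL = 2  # assumed default; the reply raises it to 3


def unquote_once(s: str) -> str:
    """Decode exactly one layer of %XX escapes; anything else is left alone."""
    return VALID_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def decoding_depth(s: str, max_passes: int = 16) -> Tuple[int, str]:
    """Decode repeatedly until no valid escape remains.

    Returns (number of passes needed, fully decoded text). A lone '%' left
    behind by decoding is not an escape, so it ends the loop rather than
    counting as another layer.
    """
    depth = 0
    while VALID_ESCAPE.search(s) and depth < max_passes:
        s = unquote_once(s)
        depth += 1
    return depth, s


def bad_unescape_offsets(s: str) -> List[int]:
    """Offsets of every '%' in the raw path that is not a valid escape."""
    return [m.start() for m in BAD_ESCAPE.finditer(s)]


def check_uri(path: str, max_decoding_level: int = MAX_DECODING_LEVEL) -> List[str]:
    """Return the evasion findings for a raw request path (empty = clean)."""
    findings = []
    bad = bad_unescape_offsets(path)
    if bad:
        findings.append(f"bad unescape at offset(s) {bad}")
    depth, decoded = decoding_depth(path)
    if depth > max_decoding_level:
        findings.append(
            f"multiple decoding: {depth} passes needed "
            f"(limit {max_decoding_level}), decodes to {decoded!r}"
        )
    return findings


def decide(client_ip: str, path: str, trusted_ips: FrozenSet[str],
           max_decoding_level: int = MAX_DECODING_LEVEL) -> str:
    """Mirror of the iRule's decision for the evasion violation only.

    Returns "forward" (no finding), "forward (override)" (finding, but the
    source is trusted) or "block".
    """
    findings = check_uri(path, max_decoding_level)
    if not findings:
        return "forward"
    if client_ip in trusted_ips:
        return "forward (override)"
    return "block"


if __name__ == "__main__":
    # Constructed sample paths, not captured traffic.
    samples = [
        "/app/report?id=42%",      # trailing '%' as in the question
        "/app/report?id=42%2527",  # double-encoded quote, 2 passes
        "/q=%252527",              # triple-encoded quote, 3 passes
        "/q=100%25",               # literal percent sign, harmless
    ]
    for p in samples:
        print(f"{p:28} findings={check_uri(p)} "
              f"trusted->{decide('1.2.3.4', p, frozenset({'1.2.3.4'}))} "
              f"other->{decide('10.0.0.9', p, frozenset({'1.2.3.4'}))}")
```

Two things worth keeping in mind when the bypass is keyed on a source address as in the iRule: the check applies only to the one violation and the one address, so everything else stays blocked, and `IP::client_addr` is the address of whatever sits directly in front of the BIG-IP, so a NAT gateway or upstream proxy widens the exemption to every client behind it.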