Forum Discussion

8 Replies

  • Here is an example unblocking login.php for the violation that you need to modify. Please do use logging to find your correct violation name.

     

    Requires 11.5.1.

    when ASM_REQUEST_DONE {
        # Capture the violation data and the request URI for the trace log
        set x [ASM::violation_data]
        set uri [HTTP::uri]

        log local0. "->Event-Tracer $uri [ASM::violation count] [IP::client_addr]:[TCP::remote_port] $x"

        if { $uri equals "/login.php" && [ASM::violation count] < 2 } {
            log local0. "Violation: [ASM::violation attack_types]"
            # Unblock only when the attack type is listed in the Disabled_Sig data group
            if { [class match [ASM::violation attack_types] equals Disabled_Sig] } {
                ASM::unblock
            }
        } else {
            # More than one violation, too dangerous to unblock
            return
        }
    }

     

  • Hello Armud, do we have to mention the name of the attack, e.g. "SQL injection", in place of attack_types?

     

  • No, the attack_types option gives you the types of attack matched by your request. You need to replace Disabled_Sig with the attack type you want to unblock. If you test it, the log included in the code will give you the attack type matched.

     

    If the attack type is not precise enough for your use case, you could replace the option attack_types with names.

     

    Here is some info from the iRule wiki:

     

    https://devcentral.f5.com/wiki/iRules.ASM__violation.ashx

     

  • Hello Amuad, I tried the above URL but it's saying some syntax problem... Can you help in creating the iRule for blocking SQL injection for URL "http://myprofile.com/myblock"?

     

  • Hi Vivek, you mean unblock?

    Sorry about that, my response was not quite so clear. Here is the correct iRule if you want to unblock SQL injection on your page. Try to respect line feeds (not easy with copy and paste), and you need to activate in the ASM policy, advanced menu, the option called "Trigger ASM iRule Events", otherwise the event ASM_REQUEST_DONE will never match.

    To be clear, this iRule is unblocking ASM when SQL injection is detected (and only this violation, that is why you have a <2) on your URI /myblock.

    when ASM_REQUEST_DONE {
        if { [HTTP::uri] equals "/myblock" && [ASM::violation count] < 2 } {
            if { [ASM::violation attack_types] equals "ATTACK_TYPE_SQL_INJECTION" } {
                ASM::unblock
            }
        } else {
            # More than one violation, too dangerous to unblock
            return
        }
    }
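
The exception described in the reply above, written so that every unblock leaves an audit record that can be matched against the ASM event log. This is an added example, not code from the thread: the explicit single-element check on the attack type list, the use of ASM::support_id and the log wording are choices of this example, and it assumes "Trigger ASM iRule Events" is enabled in the policy as the reply describes.

```tcl
# Added example (not from the thread): single-violation exception with an audit trail.
when ASM_REQUEST_DONE {
    set uri   [HTTP::uri]
    set count [ASM::violation count]
    set types [ASM::violation attack_types]

    # Nothing to decide for requests that raised no violation.
    if { $count == 0 } { return }

    # Exempt only the exact URI, exactly one violation and exactly one attack type.
    if { $uri equals "/myblock" && $count == 1 && [llength $types] == 1
         && [lindex $types 0] equals "ATTACK_TYPE_SQL_INJECTION" } {
        # Record every exemption; the support ID links this line to the ASM request log.
        log local0.notice "ASM exception applied: uri=$uri client=[IP::client_addr] support_id=[ASM::support_id] type=$types"
        ASM::unblock
        return
    }

    # Anything else keeps the policy's own decision. The raw URI is left out of this
    # line on purpose, because here it is arbitrary client input.
    log local0.info "ASM exception not applied: client=[IP::client_addr] support_id=[ASM::support_id] count=$count types=$types"
}
```

Reviewing the "exception applied" lines periodically shows how often the exemption is used and from which clients.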
    
  • Thanks Amuad for the help... Is there any iRule for the same case that will work on v11.3?