Forum Discussion

Jaime_S_Beckman
Feb 16, 2017

TCL error on an iRule used for ASM management

We have an iRule that is used to conditionally unblock triggered attack signatures on ASM policies for specific requests. Largely, this iRule works great. For some applications, however, it presents the following error message in the LTM Logs:

TCL error: /Common/irl_asm_svc_unblock - Illegal argument. Can't execute in the current context. (line 1) invoked from within "HTTP::uri"

We have had to temporarily remove this iRule from the vIPs AND disable the problematic Attack Signatures in the ASM in order to allow a customer application to function properly. This has pulled the teeth, so to speak, on our security policy.

We are on f5 Version 12.1.1 Build 2.0.204 Hotfix HF2. The iRule syntax is below:

    when ASM_REQUEST_DONE {
        set svcuri [string tolower [HTTP::uri]]
        if { [class match $svcuri starts_with dg_asm_svc_urilist] and [class match [ASM::violation details] contains dg_asm_svc_violationlist] } {
            ASM::unblock
        }
    }


Any thoughts or suggestions would be greatly appreciated. Thank you!

3 Replies

  • The context is probably wrong. Try using

        set svcuri [string tolower [HTTP::uri]]

    under HTTP_REQUEST.

  • Turns out that while the f5 documentation says that HTTP::uri can be called from the context of ASM_REQUEST_DONE, it actually can NOT. This was fixed by changing the syntax slightly to what is shown below, which puts the iRule in the context of HTTP_REQUEST.

        when HTTP_REQUEST {
            set dnnuri [string tolower [HTTP::uri]]
        }
        when ASM_REQUEST_DONE {
            if { [class match $dnnuri starts_with dg_asm_dnn_urilist] and [class match [ASM::violation details] contains dg_asm_dnn_violationlist] } {
                ASM::unblock
            }
        }


  • There is a known restriction, which F5 tracked internally as ID 429063, whereby iRule data objects like HTTP::method, HTTP::uri, etc. that are normally available in the clientside context -- and accessible in the ASM_REQUEST_DONE event handler -- are not accessible when there is a "100 Continue" response before the client sends the request body.

    After the 100-continue, ASM will have released the original request headers, URI, etc. and can no longer access them by the time the remainder of the request has been received and analyzed.
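As an added example (not code posted in this thread), the two-event form from the second reply with two defender-side additions: an `info exists` guard so ASM_REQUEST_DONE fails closed (keeps the ASM block) when the HTTP_REQUEST variable was never captured, as in the 100-Continue case from the third reply, and a log line recording each conditional unblock for later audit. Data group names match the original post; `ASM::support_id`, `ASM::violation names` and `IP::client_addr` are assumed to be available on this version.

```tcl
# Capture the request URI while it is still readable (HTTP_REQUEST),
# because HTTP::uri may not be accessible inside ASM_REQUEST_DONE.
when HTTP_REQUEST {
    set svcuri [string tolower [HTTP::uri]]
}

when ASM_REQUEST_DONE {
    # Fail closed: if no URI was captured for this request (for example the
    # 100-Continue edge case), do not unblock and leave ASM's verdict in place.
    # ASM::support_id is assumed available; it ties the log line to the ASM request log.
    if { ![info exists svcuri] } {
        log local0. "irl_asm_svc_unblock: no URI captured, keeping ASM block, support id [ASM::support_id]"
        return
    }

    # Same matching logic as the original iRule: URI prefix in one data group
    # and violation details matching an entry in the other.
    if { [class match $svcuri starts_with dg_asm_svc_urilist] and \
         [class match [ASM::violation details] contains dg_asm_svc_violationlist] } {
        # Audit trail: every conditional unblock is logged with enough context
        # to review it later. ASM::violation names and IP::client_addr are assumed.
        log local0. "irl_asm_svc_unblock: unblocking client [IP::client_addr] uri=$svcuri violations=[ASM::violation names] support id [ASM::support_id]"
        ASM::unblock
    }

    # Clear the per-request value so a later request on the same keep-alive
    # connection cannot be evaluated against a stale URI.
    unset svcuri
}
```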