Forum Discussion

jmgrange_337011
May 02, 2018

SQL-Injection bypass and logging iRule

I am working on an iRule that will unblock traffic going to URLs in a Data Group and log when it does so. This is what I have and want to have it reviewed to make sure it is written correctly.

    when ASM_REQUEST_DONE {
        if { [class match [HTTP::uri] equals "DataGroup1"] } {
            if { [ASM::violation attack_types] equals "ATTACK_TYPE_SQL_INJECTION" } {
                ASM::unblock
                log local0. "SQL-Injection bypass for [HTTP::uri] from [IP::remote_addr]"
            }
        } else {
            # More than one type of violation, too dangerous to unblock
            return
        }
    }

2 Replies

  • Hi jmgrange,

    Your iRule responds perfectly to your needs, and I think it is written correctly.

    If you need details or help to upgrade your iRule with new needs, keep me updated.

    Regards,

  • Hello,

    You will see traffic in /var/log/ltm:

    when ASM_REQUEST_DONE {
        if { [class match [HTTP::uri] equals "DataGroup1"] } {
            if { [ASM::violation attack_types] equals "ATTACK_TYPE_SQL_INJECTION" } {
                ASM::unblock
                log local0. "ASM_LOGS: SQL-Injection bypass for [HTTP::uri] from [IP::remote_addr]"
            }
        } else {
            log local0. "ASM_LOGS: More than one type of violation, too dangerous to Unblock return"
        }
    }

    And of course there must be traffic, and our condition has to be triggered.

    First, try to trigger a URI set in your DataGroup1 (and check the logs), then try to launch an SQL injection from an authorized URI (and check the logs): more /var/log/ltm | grep "ASM_LOGS:"

    If you have nothing in the ltm logs, it means that your request was not unblocked and that our iRule didn't trigger. That means you will see the request in the "ASM event logs". And if you have nothing in ASM, that means ASM didn't analyse your request as an attack...

    Last point: why don't you set this exception directly in ASM?

    Regards
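An added iRule example (not code from either poster) that tightens the bypass discussed in the question and the second reply: `ASM::violation attack_types` returns a Tcl list, so the single-string `equals` above silently fails when a request carries SQL injection plus another attack type, and the `else` branch in the posted code is reached when the URI is not in the data group, not when several violations are present. The version below keeps the thread's data group name "DataGroup1" and log prefix, unblocks only when the list holds exactly one entry and it is ATTACK_TYPE_SQL_INJECTION, and logs every other outcome so the decision can be audited in /var/log/ltm.

```tcl
# Added example, not the thread's own iRule. Assumes a string data group
# named "DataGroup1" holding the full URIs that may bypass SQLi blocking.
when ASM_REQUEST_DONE {
    set uri   [HTTP::uri]
    set src   [IP::remote_addr]
    # Tcl list of attack types found in this request; may contain several entries
    set types [ASM::violation attack_types]

    # URI not on the allow-list: never unblock, but record what was seen
    if { ![class match $uri equals "DataGroup1"] } {
        log local0. "ASM_LOGS: $uri from $src not in DataGroup1, block kept (attack types: $types)"
        return
    }

    # Unblock only when SQL injection is the sole attack type present
    if { [llength $types] == 1 && [lindex $types 0] eq "ATTACK_TYPE_SQL_INJECTION" } {
        ASM::unblock
        log local0. "ASM_LOGS: SQL-Injection bypass for $uri from $src"
    } else {
        # Other attack type, or more than one type: too dangerous to unblock
        log local0. "ASM_LOGS: block kept for $uri from $src, attack types: $types"
    }
}
```

Because every branch writes a line with the ASM_LOGS: prefix, the grep suggested in the second reply shows both the bypasses granted and the requests that stayed blocked.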