elox1992
Sep 19, 2019

iRule asm:unblock on datagroup

Hello all,

I'm new to F5 and need some help. Customer wants to use "Request length exceeds defined buffer size" in blocking mode in the policy with some exceptions.

We want to do asm:unblock whenever it's a specific URL or an IP from a datagroup. Therefore I created an iRule which seems to work for both conditions since I can see in the log it was triggered. However, customer reported it was working as expected on the URL but the request was blocked when it matched the datagroup, although the log said asm:unblock was done.

The iRule looks like this:

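when ASM_REQUEST_DONE {
     # Tcl needs the opening brace of a body on the same line as its condition,
     # and elseif on the same line as the preceding closing brace.
     if {[ASM::violation names] contains "VIOLATION_REQUEST_TOO_LONG" and [HTTP::uri] starts_with "/my/url" } {
        # Exception 1: length violation on the excepted URL
        ASM::unblock
        log local0. "ASM unblocking [HTTP::uri] - reason Request too long"
     } elseif {[ASM::violation names] contains "VIOLATION_REQUEST_TOO_LONG" and [matchclass [IP::client_addr] equals MY_DATAGROUP_WITH_IP]} {
        # Exception 2: length violation from an address listed in the datagroup
        ASM::unblock
        log local0. "ASM unblocking [HTTP::uri] - reason internal IP"
     }
}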

Customer tested file upload on the URL trigger with a browser and it was working fine.

When customer tested the DATAGROUP trigger I saw unblock in the log but customer upload was blocked because of the violation that should have been unblocked (request length exceed buffer size..). Upload was done with curl.

POST /myurl/Login HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: xxx.com
Accept: */*
Content-Length: 40282368
Content-Type: application/x-www-form-urlencoded
Expect: 100-continue
X-Forwarded-For: 192.168.115.53
x-xxx-external: true
x-xxx-request: egHhAHCCsxUkGsFewlu4
x-xxx-continued: egHhAHCCsxUkGsFewlu4

The upload triggered the iRule twice within 7 seconds. Could it be possible that something just went wrong during the upload? Does the iRule look correct?

Thanks for your help.

Best regards
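A diagnostic variant of the iRule in the question, added here as an example and not code from the thread or from F5: it writes one log line per trigger with the ASM support ID, the full violation list and both views of the client address, so each "unblock" log entry can be matched to a single request in the ASM event log. It assumes the same placeholders as the post (/my/url, MY_DATAGROUP_WITH_IP), and the rule of unblocking only when the length violation is the sole violation is an added restriction, not something the poster configured.

```tcl
# Added example, not the poster's rule. /my/url and MY_DATAGROUP_WITH_IP
# are the placeholders used in the post.
when ASM_REQUEST_DONE {
    set names [ASM::violation names]

    # Nothing to do unless the length violation was raised on this request.
    if { [lsearch -exact $names "VIOLATION_REQUEST_TOO_LONG"] < 0 } { return }

    # Work out which exception, if any, applies.
    set reason "none"
    if { [HTTP::uri] starts_with "/my/url" } {
        set reason "url"
    } elseif { [class match [IP::client_addr] equals MY_DATAGROUP_WITH_IP] } {
        # class match is the current form of the matchclass command in the post
        set reason "datagroup"
    }

    # ASM::unblock lifts blocking for the whole request, so only call it when
    # the excepted violation is the only one present (added restriction).
    set action "left-as-is"
    if { $reason ne "none" } {
        if { [llength $names] == 1 } {
            ASM::unblock
            set action "unblocked"
        } else {
            set action "not-unblocked-other-violations"
        }
    }

    # One line per trigger. peer is the address of the TCP connection;
    # asm_client is the client address as ASM reports it. Logging both shows
    # which address the datagroup lookup actually used when the request
    # carries an X-Forwarded-For header, as the curl upload above does.
    log local0.info "asm-exception support_id=[ASM::support_id] action=$action\
        reason=$reason status=[ASM::status] peer=[IP::client_addr]\
        asm_client=[ASM::client_ip] uri=[HTTP::uri] violations=$names"
}
```

Two triggers for one upload will show up as two log lines with different support IDs, each of which can be looked up separately in the ASM request log.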

3 Replies

  • Hi,

    I think that iRule is correct.

    But if you want your iRule to match with ASM you have to apply a configuration.

    In your ASM policy, you have to enable “Trigger ASM iRule Events” as displayed below in your ASM Policy:

    Keep me in touch.

    regards.

  • Hi youssef, thanks for your answer. Trigger ASM iRule event is enabled (normal mode). Otherwise the asm:unblock would not have worked on the URL if I'm not wrong. Strange thing is that iRule also matched on the datagroup as I could verify that in the logs but the unblock somehow did not work. I also checked if attack signatures or other violations have been triggered with the upload but only "VIOLATION_REQUEST_TOO_LONG" was triggered and log showed that asm:unblock was done. However, customer reported upload was blocked. If the iRule is correct my guess is that something went wrong on customer side since I saw two requests within a few seconds from the customer who said he did only one upload. I will be able to test it again tomorrow and ask customer to do upload via a browser and not with curl.

    best regards

  • Hello guys

    I know it is not the same issue, but has anyone here faced the issue of "ASM_REQUEST_BLOCKING" not being triggered in an LTM iRule?

    The "Trigger ASM iRule Events Mode" is set to normal in ASM policy

    Running v15.1.0.5

    New setup, never tried this before ..

    Thanks