iRule for ASM

Is there any iRule for allowing SQL injection and XML tagging in ASM for a specific URL?

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Vivek, you mean unblock?

Sorry about that, my response was not quite so clear. Here is the correct iRule if you want to unblock SQL injection on your page. Try to respect line feeds (not easy with copy and paste), and you need to activate, in the ASM policy's advanced menu, the option called "Trigger ASM iRule Events"; otherwise the event ASM_REQUEST_DONE will never match.

To be clear, this iRule is unblocking ASM when SQL Injection is detected (and only this violation, which is why you have a <2) on your URI /myblock.

when ASM_REQUEST_DONE {
    if { [HTTP::uri] equals "/myblock" && [ASM::violation count] < 2 } {
        if { [ASM::violation attack_types] equals "ATTACK_TYPE_SQL_INJECTION" } {
            ASM::unblock
        }
    } else {
        # More than one violation, too dangerous to Unblock
        return
    }
}
1
Comments on this Answer
Comment made 30-Aug-2017 by saidshow 333

Thanks Arnaud. I am using a modified version of your code to allow illegal file types when the uri starts_with "/&foo=". The extra restriction of the number of violations is awesome. Thanks again!

0

Here is an example unblocking login.php for the violation that you need to modify. Please do use logging to find your correct violation name.

Requires 11.5.1.

when ASM_REQUEST_DONE {
    set x [ASM::violation_data]
    set uri [HTTP::uri]

    #log local0. "->Event-Tracer $uri [ASM::violation count] [IP::client_addr]:[TCP::remote_port] $x"

    if { $uri equals "/login.php" && [ASM::violation count] < 2 } {
        #log local0. "Violation: [ASM::violation attack_types]"
        if { [class match [ASM::violation attack_types] equals Disabled_Sig] } {
            ASM::unblock
        }
    } else {
        # More than one violation, too dangerous to Unblock
        return
    }
}

0

Hello Arnaud, do we have to mention the name of the attack, for example "SQL injection", in place of attack_types?

0

No, the attack_types option gives you the types of attack matched by your request. You need to replace Disabled_Sig by the attack type you want to unblock. If you test it, the log included in the code will give you the attack type matched.

If the attack type is not precise enough for your use case, you could replace the option attack_types by names.

Here is some info from the iRule wiki:

https://devcentral.f5.com/wiki/iRules.ASM__violation.ashx

0
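A more tightly scoped and logged variant of the exception discussed in the answers above, as an added example that is not from any poster in this thread. The path /myblock and the attack type string come from the posts; the use of HTTP::path and ASM::support_id and the log wording are this example's own choices.

```tcl
# Added example, not code from the thread.
# Requires "Trigger ASM iRule Events" enabled in the ASM policy, as noted above.
when ASM_REQUEST_DONE {
    # HTTP::path drops the query string, so /myblock?id=1 still matches,
    # while any other path is never eligible for the exception.
    set path [HTTP::path]
    if { $path ne "/myblock" } { return }

    # Clean request: nothing to unblock and nothing worth logging.
    set count [ASM::violation count]
    if { $count == 0 } { return }

    set types [ASM::violation attack_types]

    # One line of context for audit; support_id lets you find the same
    # request in the ASM event log.
    set ctx "client=[IP::client_addr] path=$path support_id=[ASM::support_id]"
    append ctx " count=$count types=$types names=[ASM::violation names]"

    # Exception only when there is a single violation and its only
    # attack type is SQL injection. attack_types is treated as a list.
    if { $count < 2
         && [llength $types] == 1
         && [lindex $types 0] eq "ATTACK_TYPE_SQL_INJECTION" } {
        log local0.notice "ASM exception applied: $ctx"
        ASM::unblock
    } else {
        # Anything else keeps the policy's own decision.
        log local0.warning "ASM exception refused: $ctx"
    }
}
```

Run it with the log lines enabled first and compare the logged types and names against the violation you intend to exempt before relying on the unblock.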

Hello Arnaud, I tried the above URL but it's saying some syntax problem... Can you help in creating the iRule for blocking SQL injection for URL "http://myprofile.com/myblock"?

0

Thanks Arnaud for the help... Is there any iRule for the same case that will work on v11.3?

0

As ASM::unblock is only available in 11.5, I don't see how we can backport that.

0

Thanks Arnaud for the help, I will try this and get back to you.

0