Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Clear all filters
Answers

Need help writing an irule to bypass ASM attack signature for specific json parameter

I have a problem with f5 WAF that protect my mobile application server. When I use upload image function on my mobile app, the image will be encoded to a very long string. Sometimes f5 blocks the request that contains some string match an attack signature. I think it's not a good practice to wait until user reports an error then I look for the error log and click learn to accept that false positive. 
I found "Check attack signatures" checkbox in f5 GUI to bypass attack signature for asm_json profile but this way will affect all json parameter. I need to bypass only request that related to an image. I think writing an irule may be able to help me but I don't know how to write it. Can someone guide me?

Example json parameter: {"req":{"app":"MyMobile","dom":"MyMobile","srv":"User","op":"saveUserImage","header":{*

Example request: {"req":{"app":"MyMobile","dom":"MyMobile","srv":"User","op":"saveUserImage","header":{"image":"\/9j\/4AAQSkZJRgABAQAASABIAAD\/4QBYRXhpZgAATU0AKgAAAAgAAgESAAMAAAABAAEAAIdpAAQAAAABAAAAJgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAAB9KADAAQAAAABAAAB9AAAAAD\/7QA4UGhvdG9zaG9wIDMuMAA4QklNBAQAAAAAAAA4QklNBCUAAAAAABDUHYzZjwCyBOmACZjs+EJ+\/8AAEQgB9AH0AwEiAAIRAQMRAf\/EAB8AAAEFAQEBAQEBAAAAAAAAAAABAgMEBQYHCAkKC\/\/EALUQAAIBAwMCBAMFBQQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZGhCCNCscEVUtHwJDNicoIJChYXGBkaJSYnKCkqNDU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6g4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk5ebn6Onq8fLz9PX29\/j5+v\/EAB8BAAMBAQEBAQEBAQEAAAAAAAABAgMEBQYHCAkKC\/\/EALURAAIBAgQEAwQHBQQEAAECdwABAgMRBAUhMQYSQVEHYXETIjKBCBRCkaGxwQkjM1LwFWJy0QoWJDThJfEXGBkaJicoKSo1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoKDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj5OXm5+jp6vLz9PX29.....

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

you don't require an iRule for that, just exclude the parameter from signature checking

https://devcentral.f5.com/questions/can-i-disable-specific-attack-signature-on-particular-url

0
Comments on this Answer
Comment made 04-Jan-2015 by chaloempone 78
Thanks boneyard, I tried adding parameter which I want to exclude signature checking but I can't find the "Check attack signatures on this parameter" checkbox when I choose Parameter Value Type to "JSON value".
0
Comment made 05-Jan-2015 by nathan 7337
You will need to create a JSON profile and associate it with this parameter. You can then disable an attack signature here. Hope this helps. N
1
Comment made 07-Jan-2015 by chaloempone 78
Your solution works great!! I create 2 JSON profiles, one profile for normal traffic and second one for the parameter I want to bypass. Thanks a lot nathan.
0
Comment made 08-Jan-2015 by boneyard 5579
be sure to flag the questions as answered when it is.
0