Forum Discussion

John_131301
Dec 16, 2013

Allow blocked content for a specific uri

I have pools of virtual servers and ASM policies associated with each. I have a wiki we use for documentation that is served by a virtual server that also serves other non-wiki sites. When a user is documenting scripts in the wiki, ASM blocks the post because the post contains "!/bin/bash or !/bin/perl" etc. I would like to create an iRule that would allow the post to go through, but only for a specific site, or at minimum be able to rewrite the data in the post to remove the "!/bin..." etc. and replace it with different text. I do not want to create individual ASM profiles for all of my sites that I would need to allow this behavior. Is something like this possible?

 

18 Replies

  • Hi,

    You have 2 options:

    1. Create an iRule which deactivates ASM on a specific URI
    2. Create an iRule to replace data inspected by your ASM

    Can you tell me what you want? I'll give you an example.


    • John_131301
      We have a wiki where a person is trying to document scripts used. They paste their script as input and ASM disallows it because it contains the sha-bang, i.e. !/bin/bash or !/bin/perl. I would like to allow the sha-bangs in instances like this.
  • Can you give us what is blocking your request in ASM? I think it's something in an attack signature, but can you check it in your event logs?

     

    • John_131301
      Yes, it is an attack signature. ASM blocks it because it thinks malicious code or script is trying to be submitted. It keys off the fact that the post contains !/bin/perl or !/bin/bash etc.
  • If you're running 11.4, you can also use a rewrite profile (and/or the POLICY command) to enable/disable ASM processing. Before that you'd use ASM::disable in the HTTP_CLASS_SELECTED event. But it's also equally as important to know that the request you're disabling ASM for is actually a legitimate user, and that depends on how you're doing authentication.

     

  • Don't worry, we're not talking about rewrite policy but rewrite profile.

     

    Can you tell us which version you have on your BIG-IP, then we will choose the best thing for you ;)

     


  • I actually am talking about an 11.4 "policy". I misspoke before when I mentioned a rewrite profile - a completely different thing. A policy can be used to enable/disable ASM (among many other things) based on some inline criteria. That said, a policy can only act on the request URI and headers, and not payload. So to do what you're asking, to disable ASM processing for specific content, you may necessarily have to use the ASM::disable command inside an iRule that inspects (at least the beginning of) the payload of each request.

     

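  • With this iRule you should have what you want:

    when ASM_REQUEST_BLOCKING {
        # Details of the violation for the request ASM is about to block
        set x [ASM::violation_data]

        # Only act on attack-signature violations
        if { [lindex $x 0] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED" } {
            # your_IP and your_expression are placeholders: substitute your own values
            if { [IP::client_addr] equals "your_IP" } {
                if { [ASM::payload] contains "your_expression" } {
                    ASM::disable
                }
            }
        }
    }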
    
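
Option 1 from the first reply (deactivating ASM on a specific URI) is never shown in the thread. The sketch below is an added example, not code from any poster: it skips ASM only for POSTs to the wiki from an internal network, which also narrows who can use the bypass. The hostname `wiki.example.com`, the `/wiki/` prefix and the `10.0.0.0/8` subnet are placeholders, and the `HTTP_REQUEST` event assumes 11.4 or later (the thread names `HTTP_CLASS_SELECTED` for earlier versions).

```tcl
# Added example, not from the thread. Hostname, path prefix and subnet
# are placeholders (assumptions); adjust them to your environment.
when HTTP_REQUEST {
    # Normalise the host (strip any port, lower-case) and take the
    # path without the query string.
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    set path [string tolower [HTTP::path]]

    # Skip ASM only when every condition holds; all other requests on
    # this virtual server keep full ASM inspection.
    #  - the request is for the wiki host, not another site on the VIP
    #  - the path is under the wiki prefix and has no dot-segments,
    #    so the prefix match cannot be sidestepped
    #  - the method is POST (page edits)
    #  - the client is on the internal network
    if { $host equals "wiki.example.com"
         and $path starts_with "/wiki/"
         and not ($path contains "..")
         and [HTTP::method] equals "POST"
         and [IP::addr [IP::client_addr] equals 10.0.0.0/8] } {
        # Leave an audit trail for every request that bypasses ASM
        log local0.info "ASM bypass: [IP::client_addr] POST $host$path"
        ASM::disable
    }
}
```

Every request that matches goes to the wiki with no ASM inspection at all, so keep the match as narrow as the wiki's edit endpoint allows and review the logged bypasses.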