chaloempone_147
Dec 30, 2014

Need help writing an iRule to bypass ASM attack signature for specific JSON parameter

I have a problem with the F5 WAF that protects my mobile application server. When I use the upload image function in my mobile app, the image is encoded to a very long string. Sometimes F5 blocks a request that contains a string matching an attack signature. I think it's not good practice to wait until a user reports an error, then look for the error log and click Learn to accept that false positive.
I found the "Check attack signatures" checkbox in the F5 GUI to bypass attack signatures for the asm_json profile, but this will affect all JSON parameters. I need to bypass only requests related to an image. I think writing an iRule may be able to help me, but I don't know how to write it. Can someone guide me?

Example JSON parameter: {"req":{"app":"MyMobile","dom":"MyMobile","srv":"User","op":"saveUserImage","header":{*

Example request: {"req":{"app":"MyMobile","dom":"MyMobile","srv":"User","op":"saveUserImage","header":{"image":"\/9j\/4AAQSkZJRgABAQAASABIAAD\/4QBYRXhpZgAATU0AKgAAAAgAAgESAAMAAAABAAEAAIdpAAQAAAABAAAAJgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAAB9KADAAQAAAABAAAB9AAAAAD\/7QA4UGhvdG9zaG9wIDMuMAA4QklNBAQAAAAAAAA4QklNBCUAAAAAABDUHYzZjwCyBOmACZjs+EJ+\/8AAEQgB9AH0AwEiAAIRAQMRAf\/EAB8AAAEFAQEBAQEBAAAAAAAAAAABAgMEBQYHCAkKC\/\/EALUQAAIBAwMCBAMFBQQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZGhCCNCscEVUtHwJDNicoIJChYXGBkaJSYnKCkqNDU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6g4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk5ebn6Onq8fLz9PX29\/j5+v\/EAB8BAAMBAQEBAQEBAQEAAAAAAAABAgMEBQYHCAkKC\/\/EALURAAIBAgQEAwQHBQQEAAECdwABAgMRBAUhMQYSQVEHYXETIjKBCBRCkaGxwQkjM1LwFWJy0QoWJDThJfEXGBkaJicoKSo1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoKDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj5OXm5+jp6vLz9PX29.....