How could I exclude Vulnerability scanners from Session Tracking?

Question

I have enabled session tracking on an application and it has quickly blocked my vulnerability scanner.  Of course this is "scan interference" and makes the results invalid.
The options on the IP Address Exceptions page allow me to "Never Block" the IP , but then I get false results and ASM is not providing any protection.
Because I've seen that when blocked by Session Tracking the other violations were still recorded in the logs I thought this may work as an iRule
when ASM_REQUEST_DONE {
    if {  ([ASM::violation count] equals 1) &amp;&amp; ([ASM::violation names] eq "VIOL_SESSION_AWARENESS") &amp;&amp; ([IP::addr [IP::client_addr] equals n.n.n.n]) } {
        ASM::unblock
        }
    }

But it didn't, the connections were still blocked when the session tracking count was reached. 
Can anyone suggest something to try next?

uknoodler_23999 · Accepted Answer

Is it bad form to answer my own question?
Anyhow, using logging I discovered that the violation name wasn't matching correctly.  Here is a rule that I've now deployed and tested.

when ASM_REQUEST_DONE {
  if {([ASM::violation names] contains "SESSION_AWARENESS" &amp;&amp; [ASM::violation count] &lt; 2 &amp;&amp; [IP::addr [IP::client_addr] equals n.n.n.n/m])} {
    ASM::unblock
  }
}

cdjac0bsen · Answer

You're a genius, thanks so much. This is exactly the same issue we are having. If you don't mind, I'm going to submit this as a feature enhancement request to add this option to the IP address exception configuration. Seems like a no-brainer to me, I'm surprised it wasn't added already. You don't want legitimate vuln scanners to get blocked by session tracking--makes the results invalid.

uknoodler_23999 · Answer

no problem, thanks for putting in the feature request.&nbsp;

cdjac0bsen · Answer

You're welcome.  What would be the best syntax to add multiple IP addresses/subnets?   We have about 15 we need to exclude.   And I'm not keen on reading in a list of IP's from a separate file.&nbsp;

sponge_13_16833 · Answer

I came up with a way for this to be done using a data list group.  Create the data list group, call it "scanners" for example.  Then, in the iRule, use a class match to evaluate the list. 
To add new "scanners" just add the new IP or subnet to the data list group.

Here is the iRule using class match to list of "scanners"
when ASM_REQUEST_DONE {
  if {([class match [IP::client_addr] equals scanners] &amp;&amp; [ASM::violation names] contains "SESSION_AWARENESS" &amp;&amp; [ASM::violation count] &lt; 2 )} {
    ASM::unblock
  }
}

To create the data list group, using tmsh:
create ltm data-group internal scanners type ip records add {x.x.x.x/xx}
To modify existing list (adding host and subnet to list):
modify ltm data-group internal scanners records add {x.x.x.x/32 x.x.x.x/24}

cdjac0bsen · Answer

Brilliant!&nbsp;

Forum Discussion

How could I exclude Vulnerability scanners from Session Tracking?

6 Replies

Recent Discussions

Geo Fence in ASM through irule for URI

Chrome V 124+ on MacOS - Virtual Server Access Issue

google-visualization-issues

The best load balance method on this scenario?

SMS server with BIGIP

Related Content

Reviewing vulnerability scanner results for an Access Policy Manager (APM) protected Virtual Server

Reviewing vulnerability scanner results for an APM protected Virtual Server - part two

Automagic Vulnerability Scanner Integration: Cenzic Style!

OWASP Automated Threats - OAT-014 Vulnerability Scanning

Vulnerability CVE-2023-45648 in ApacheTomcat