Forum Discussion

saidshow_251381's avatar
saidshow_251381
Icon for Cirrostratus rankCirrostratus
Aug 30, 2017
Solved

Turn off File type check for a specific URL

Hi, we have some dynamic urls that from time to time will include a fullstop. Is is possible to disable only the illegal file type check for uris that start with "/foo/foo1/"? I would not want to disable ASM entirely, just the illegal file type check.

 

Or if there is another way to deal with this scenario to prevent client selections with fullstop in it from being interpreted as an illegal file type, it would be great to hear how others are working with this type of scenario. Thank you.

 

ASM Advanced WAF
file
fullstop
illegal
period
security
type
  • saidshow_251381's avatar
    saidshow_251381
    Aug 30, 2017
    when ASM_REQUEST_DONE {

if { [HTTP::uri] starts_with "/&siteid=" && [ASM::violation count] < 5 } { 
    if { [ASM::violation_data] contains "VIOLATION_OBJ_TYPE"} { 
        ASM::unblock 
    } 
} else { 
     More than one violation, too dangerous to Unblock return 
} 
}

    I have made only minor modification to what Arnaud has done here: https://devcentral.f5.com/questions/irule-for-asm

6 Replies

Sort By
  • saidshow_251381's avatar
    saidshow_251381
    Icon for Cirrostratus rankCirrostratus
    Aug 30, 2017
    when ASM_REQUEST_DONE {

if { [HTTP::uri] starts_with "/&siteid=" && [ASM::violation count] < 5 } { 
    if { [ASM::violation_data] contains "VIOLATION_OBJ_TYPE"} { 
        ASM::unblock 
    } 
} else { 
     More than one violation, too dangerous to Unblock return 
} 
}

    I have made only minor modification to what Arnaud has done here: https://devcentral.f5.com/questions/irule-for-asm

    • Abed_AL-R's avatar
      Abed_AL-R
      Icon for Cirrostratus rankCirrostratus
      Jun 08, 2020

      Great irule

      But I think you meant by counting violations this:

      [ASM::violation count] <= 1

      not:

      ASM::violation count] < 5
  • nag_54823's avatar
    nag_54823
    Icon for Cirrostratus rankCirrostratus
    Aug 30, 2017

    Hi , You can achieve it through irule . Make sure you enable Trigger ASM iRule Events in ASM policy.

    when ASM_REQUEST_DONE {

    if {([HTTP::host] equals "test.test.com") and ([string tolower [HTTP::uri]] contains ".exe") and ([ASM::violation_data] contains "VIOLATION_OBJ_TYPE" ) } { ASM::unblock } }

    • saidshow_251381's avatar
      saidshow_251381
      Icon for Cirrostratus rankCirrostratus
      Aug 30, 2017

      Hi nag, I like this iRule. What you have there does look like it would only prevent blocking on a specific file type such as ".exe" in your example. Since the requests I am looking at that are referral ids, they may be something like "adsa.cchh3" or "0.87dsajb232.adsa" and details past the "." are always unique as a result I don't expect that this would work.

      The URI does start with &siteid=, however I do not want to completely disable ASM such as I am doing with the iRule below.

      when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/&siteid=" } {
        ASM::disable
    } 
}

      I would prefer to just disable the illegal file type check however I am unsure of the violation type. I will work on this - I will print everything to screen so that I find the details. Thank you for your help.

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Aug 30, 2017

    Hi,

     

    you can create 2 ASM policies:

     

    • one with no file type blocking
    • one with file type blocking and list configured.

    one the LTM policy enabling the ASM policy, create a new rule above with condition "/foo/foo1/" and assign the no file type blocking ASM policy.

     

    If you are working in version 13 , you can create a policy as parent and both ASM policies are child policies of the parent. this allow to configure only one policy.

     

  • Noushad_Vellad1's avatar
    Noushad_Vellad1
    Icon for Altostratus rankAltostratus
    Nov 29, 2018

    I used the irule specified by saidshow. ASM::unblock indeed unblocks the request. However it is also generating an event log. Is there anyway to disable event log also?