Forum Discussion

Check1t_282465
Dec 13, 2017

ASM Policy Allow traversal detection evasion only for specific URL

Our application is flagging legitimate requests for directory traversals. Learning option is to allow for application. Is it possible to allow for just one URL? For example, if I were to create a wildcard parameter, specify URL, and under attack signatures select those that are traversal related, would that work? As the alerted event does not specify specific attack signatures, not sure. Any thoughts or suggestions would be appreciated. Thank you.

 

4 Replies

  • Starting in v13, it is possible to make granular enabling/disabling of signature checks on a per-URL basis. In this case, if the URL in question is, say, /index.html, then you can create that as an Allowed URL and disable the signature check for Directory Traversal using the Overridden Attack Signature settings within this URL.

     

    If you wish to achieve this via an iRule, it can be done using the ASM::signature command and that's only been introduced in v13: https://devcentral.f5.com/wiki/iRules.ASM__signature.ashx

     

    If you are running a version prior to v13, you can use ASM::unblock command to unblock a request that's been blocked with 'Attack signature detected' violation. However, you can't unblock a request when it's been blocked specifically with a particular Signature ID.

     

  • Thanks for the response! And sorry for the late follow-up question. In this particular instance, could an iRule unblock command be used for the 12.X release if the block is due not to Attack signature detected but rather to Evasion Technique Detected - directory traversal? I know I could turn it off in policy learning for the policy, but I only wish to turn it off for a specific URL.

     

    Thanks again.

     

  • Hello,

     

    Unfortunately, that's not possible in 12.x. We can only unblock requests based on signature IDs starting in v13 using the ASM::signature iRule command: https://devcentral.f5.com/wiki/iRules.ASM__signature.ashx. Otherwise, the only way to unblock these requests is based on the 'Attack signature detected' violation itself and not by virtue of any particular signature.

     

  • Sorry, hopefully last question. Could I use, via either an LTM iRule or a Policy, a method of disabling ASM when a specific URI (/example.jpg) is invoked? I tried iRules using asm::enable/disable and HTTP_CLASS_SELECTED / HTTP::path commands as well as HTTP_REQUEST / HTTP::uri commands, but both failed.

     

    PS - does the ACCESS::enable/disable command only work with APM and not ASM?

     

    Thanks again.