Forum Discussion

akroehnert's avatar
akroehnert
Icon for Nimbostratus rankNimbostratus
Sep 22, 2016

ASM::violation full description of all keys

Hello

 

The article on https://devcentral.f5.com/wiki/iRules.ASM__violation.ashx describes how to get the list of found viloations from the ASM::violation definition, which in turn could be used in an iRule. However there are only two examples given for the keys to evaluate violations from attack signatures and length on parameters. The keys do apparently also differ between the type of violation As ASM knows a bit more than those two violations, the question is where to find a definition of all keys for all violation types? I did get creative with google searches and grepping around the BigIP shell, but so far no success. Hope anyone of you can help.

 

Regards Andreas

 

application delivery
ASM Advanced WAF
irule
keys
security
violations

3 Replies

Sort By
  • Chris_Grant's avatar
    Chris_Grant
    Icon for Employee rankEmployee
    Sep 23, 2016

    I believe the answer to your question can be found here:

     

    https://support.f5.com/kb/en-us/solutions/public/11000/600/sol11680.html

     

    The exact details vary by version, so your best option is to read the solution article.

     

  • samstep's avatar
    samstep
    Icon for Cirrocumulus rankCirrocumulus
    Oct 18, 2016

    I doubt you will be able to find the description of the all the violation detailed data keys/value pairs as it is undocumented by F5 on purpose. It also changes from version to version and can be modified by a HotFix.

     

    The idea of what you (or your customer) are trying to do does not make any sense to me from the web application security best practices standpoint. ASM is a Web Application Firewall(WAF) and it is there to BLOCK the attack BEFORE it reaches the application. If they want ASM to only DETECT the attacks and then convert all the attack details to HTTP headers and have the application developers to code some sort of a decision engine whether the application itself should disallow the request then:

     

    a) it is too late as the attack has already happened and any vulnerability possibly present in the application is already exploited. It is a bit like asking your security guard to allow a gang of robbers and other criminals into your house, but asking the security guard to give you a printed report of why the criminals should have been stopped by the security guard in the first place.

     

    b) if your customer can code a decision engine inside the application they might as well code the application in a secure way in the first place so it is not vulnerable to OWASP Top 10 attacks. A WAF is most useful for applications which cannot be changed easily (e.g. legacy, 3rd-party, developers not available, application change might take many months, etc).

     

    c) conversion of violation_details into HTTP Headers using an iRule will take a huge amount of ASM's CPU power and will not scale. An attacker can simply flood your system with an attack which matches thousands of signatures 10,000 times per second. Both your ASM and your application will be dead trying to convert all the details into HTTP headers.

     

    Having said that I do see some value in having [ASM::violation_data] (not detailed data) being sent as headers for non-blocking violations, e.g. attack_type and viol_name - these will be constant and predictable across all violations.

     

  • Chris_Grant's avatar
    Chris_Grant
    Icon for Employee rankEmployee
    Oct 19, 2016

    You might (key word here is might) be able to get your sales team to get you such a list, but be aware that you will need to update that list each and every time you apply a new signature set. Maintaining what you are proposing will be non trivial.