Forum Discussion

AliCanS
Aug 08, 2023

iRule newbie - Whitelisting IP address for Specific URL and Attack Pattern

Hello community,

One of our third-party applications has false-positive blocks for a specific attack pattern,
which we want to whitelist, but as our F5 support explained, it cannot be done for a specific IP; it needs to be URL- and pattern-based without IP limitation.

I'm not expecting much, but what is the reason behind it? Performance?
Can this be done?

IP: x.x.x.x
Pattern: 200002034 - SQL-INJ "ifnull"
URL: "/path/to/excluded/url1"

Your comments are valuable!


ChatGPT output for the exact same question, but I couldn't test it.


when ASM_REQUEST_DONE {
    # Address of the TCP peer. Behind a proxy or CDN this is the proxy, not the
    # end user; only trust X-Forwarded-For if the proxy is yours.
    set client_ip [IP::client_addr]

    # Path only. HTTP::uri also carries the query string, so an exact-match
    # lookup against it would fail as soon as "?a=b" is appended.
    set path [HTTP::path]

    # URLs on which the exemption applies. Built with [list] because a "#"
    # inside a braced Tcl literal is data, not a comment, and the original
    # draft would have added "#", "Add", "more", ... as list elements.
    set excluded_urls [list \
        "/path/to/excluded/url1" \
        "/path/to/excluded/url2" \
        "/path/to/excluded/url3"]

    # Attack signature ID to exempt (the one from the question above)
    set excluded_sig_id "200002034"

    # Act only if the signature violation actually fired. The ASM_REQUEST event
    # and ASM::policy has_attack from the draft do not exist; ASM::violation
    # names and ASM::violation details do. Assumption: the numeric signature ID
    # appears in the details text on this BIG-IP version; confirm with a log
    # line of [ASM::violation details] before relying on it.
    if { $client_ip eq "x.x.x.x" && \
         [lsearch -exact $excluded_urls $path] != -1 && \
         [lsearch -exact [ASM::violation names] "VIOLATION_ATTACK_SIGNATURE_DETECTED"] != -1 && \
         [string match "*${excluded_sig_id}*" [ASM::violation details]] } {
        # ASM::unblock overrides the blocking decision for this request only.
        # Caveat: it overrides the whole decision, so any other violation
        # raised on the same request is let through as well.
        ASM::unblock
        log local0. "ASM unblock: sig $excluded_sig_id for $client_ip on $path"
    }
}


  • I think it can be done, but not with an ASM iRule. I can't write this now, as I'm sick and on quick, but the idea is to take the ASM policy off the VIP, then use an iRule like this:

    1. when HTTP_REQUEST, check the URI.
    2. if the URI matches [list of disallowed URIs], exit the iRule.
    3. else, if no match, apply the ASM policy.

    I am going to tell you, though: depending on traffic levels, this could get computationally expensive.
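The three-step approach in the reply above, written out as an iRule. This is an added example, not code from the original thread or from F5. The policy name /Common/app_asm_policy, the string data group exempt_paths_dg and the address x.x.x.x are placeholders for your own values.

```tcl
# Assumes the ASM policy is NOT attached to the virtual server directly;
# it is applied per request from HTTP_REQUEST instead.
when HTTP_REQUEST {
    # Exempt only when both the source address and the exact path match.
    # exempt_paths_dg is a hypothetical string data group holding the paths
    # ("/path/to/excluded/url1" etc.); a data group lookup is a hash lookup,
    # so it stays cheap as the list grows.
    # IP::client_addr is the TCP peer; behind a proxy it is the proxy's address.
    if { [IP::client_addr] eq "x.x.x.x" && [class match [HTTP::path] equals exempt_paths_dg] } {
        # return ends this event without calling ASM::enable, so the request
        # is not inspected at all, not just for the one signature.
        log local0. "ASM bypass for [IP::client_addr] on [HTTP::path]"
        return
    }
    # Everything else is inspected by the policy.
    ASM::enable /Common/app_asm_policy
}
```

Two caveats worth knowing before copying this. First, the exemption is the whole policy, which is broader than the single-signature exception asked for in the question; the unblock-based variant above keeps the rest of the policy active on those requests. Second, ASM::enable has version-specific prerequisites for the virtual server (check the ASM::enable reference for your BIG-IP release), so test on a non-production VIP first.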