For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mark_22062's avatar
Mark_22062
Icon for Nimbostratus rankNimbostratus
Nov 12, 2014

ASM Custom Response Page

Hi there, I am using a custom response page for ASM, as part of that I want to clear some troublesome persistent cookies that are triggering alerts. I've got the following setup in the response a...
ASM Advanced WAF
security
Mark_van_D's avatar
Mark_van_D
Icon for Cirrostratus rankCirrostratus
Nov 13, 2014

With the iRule this time.

Ended up modifying the example ASM_REQUEST_BLOCKING in the wiki to delete the rogue cookie.

when ASM_REQUEST_BLOCKING
{
  set x [ASM::violation_data]
    for {set i 0} { $i < 7 } {incr i} {
      switch $i {
        0         { log local0. "violation=[lindex $x $i]" }
        1         { log local0. "support_id=[lindex $x $i]" }
        2         { log local0. "web_application=[lindex $x $i]" }
        3         { log local0. "severity=[lindex $x $i]" }
        4         { log local0. "source_ip=[lindex $x $i]" }
        5         { log local0. "attack_type=[lindex $x $i]" }
        6         { log local0. "request_status=[lindex $x $i]" }
        }}

        if {([lindex $x 0] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED")}
 {
   log local0. "VIOLATION_ATTACK_SIGNATURE_DETECTED detected, let's customise the reject page"
   HTTP::cookie remove ___utmvc
   HTTP::header remove Content-Length
   HTTP::header insert "Set-Cookie" "___utmvc=deleted; domain=.foo.bar; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT"

     set response "Apology PageWe are sorry,\
 but there was a problem processing your request, please try again."

 ASM::payload replace 0 [ASM::payload length] ""
 ASM::payload replace 0 0 $response
 }
 }

I just hashed out the logging but it came in handy in determining the violation.