Forum Discussion

2funky_105078's avatar
2funky_105078
Icon for Cirrus rankCirrus
Feb 26, 2018

ASM: insert header when a virus is found

Hello,

I tried to configure a iRule to add a HTTP header in the POST request which uploads a file to an origin server.

This HTTP header should contain the ASM support ID only when there is a virus detected via ICAP, but it should NOT block the client request. I also configured in ASM policy "Trigger ASM iRule Events" in Normal Mode. I am using 12.1.2.

Do you have an idea?

I tried this but the HTTP header is not inserted (but i get a log message that the virus was found... Feb 26 17:48:38 bigip info tmm[23970]: Rule /Common/AV : VIOLATION_VIRUS_DETECTED detected, uri=/virus.php)

when ASM_REQUEST_VIOLATION
{
   if {([ASM::violation_data] contains "VIOLATION_VIRUS_DETECTED")}
   {
      log local0. "VIOLATION_VIRUS_DETECTED detected, uri=[HTTP::uri]"
      set supp_id [ASM::support_id]
   } 
}

when HTTP_REQUEST_RELEASE {
    if {[info exists supp_id]} {
        HTTP::header insert X-ASM-SUPPORT-ID "VIRUS DETECTEED and support ID $supp_id"
    }
}
ASM Advanced WAF
icap
security

2 Replies

Sort By
  • Simon_Blakely's avatar
    Simon_Blakely
    Icon for Employee rankEmployee
    Feb 26, 2018

    HTTP::header commands are not valid in HTTP_REQUEST_RELEASE

    Change the event to HTTP_REQUEST_SEND and the context to clientside

    HTTP_REQUEST_SEND

    when HTTP_REQUEST_SEND {
    if {[info exists supp_id]} {
        clientside {
          HTTP::header insert X-ASM-SUPPORT-ID "VIRUS DETECTED and support ID $supp_id"
        }
    }
}
  • 2funky_105078's avatar
    2funky_105078
    Icon for Cirrus rankCirrus
    Feb 27, 2018

    Thanks for your time looking at my question. I tried but it did not work.

    Anyway i found this and it's OK.

    when ASM_REQUEST_DONE
 {
    log local0.debug "\[ASM::status\] = [ASM::status]" 
    if { ([ASM::status] equals "alarmed") && ([ASM::violation_data] contains "VIOLATION_VIRUS_DETECTED") } {
            set x [ASM::violation_data]
            HTTP::header insert X-ASM "violation=[lindex $x 0] supportid=[lindex $x 1]"
            log local0.debug "DEBUG02: violation=[lindex $x 0] supportid=[lindex $x 1]"
            }
}