Forum Discussion
2funky_105078
Cirrus
CirrusASM: insert header when a virus is found
Hello,
I tried to configure a iRule to add a HTTP header in the POST request which uploads a file to an origin server.
This HTTP header should contain the ASM support ID only when there is a virus detected via ICAP, but it should NOT block the client request. I also configured in ASM policy "Trigger ASM iRule Events" in Normal Mode. I am using 12.1.2.
Do you have an idea?
I tried this but the HTTP header is not inserted (but i get a log message that the virus was found... Feb 26 17:48:38 bigip info tmm[23970]: Rule /Common/AV : VIOLATION_VIRUS_DETECTED detected, uri=/virus.php)
when ASM_REQUEST_VIOLATION
{
if {([ASM::violation_data] contains "VIOLATION_VIRUS_DETECTED")}
{
log local0. "VIOLATION_VIRUS_DETECTED detected, uri=[HTTP::uri]"
set supp_id [ASM::support_id]
}
}
when HTTP_REQUEST_RELEASE {
if {[info exists supp_id]} {
HTTP::header insert X-ASM-SUPPORT-ID "VIRUS DETECTEED and support ID $supp_id"
}
}
Simon_BlakelyEmployee
HTTP::header commands are not valid in HTTP_REQUEST_RELEASE
Change the event to HTTP_REQUEST_SEND and the context to clientside
when HTTP_REQUEST_SEND { if {[info exists supp_id]} { clientside { HTTP::header insert X-ASM-SUPPORT-ID "VIRUS DETECTED and support ID $supp_id" } } }
2funky_105078Thanks for your time looking at my question. I tried but it did not work.
Anyway i found this and it's OK.
when ASM_REQUEST_DONE { log local0.debug "\[ASM::status\] = [ASM::status]" if { ([ASM::status] equals "alarmed") && ([ASM::violation_data] contains "VIOLATION_VIRUS_DETECTED") } { set x [ASM::violation_data] HTTP::header insert X-ASM "violation=[lindex $x 0] supportid=[lindex $x 1]" log local0.debug "DEBUG02: violation=[lindex $x 0] supportid=[lindex $x 1]" } }