Forum Discussion

swo0sh_gt_13163
Oct 26, 2014

Custom HTML page for ASM Virus Detection - ICAP

Hello Folks,

One of our customers is using Kaspersky Proxy server as an ICAP integration with ASM (running on 11.3.0 HF8), which is working well, and ICAP is detecting malicious and legitimate files well.

Now the requirement is to display a custom HTML page when ASM detects a virus based on ICAP confirmation. I have tried creating an iRule with help from DevCentral, and came up with the following.

when ASM_REQUEST_BLOCKING {
   # ASM::violation_data returns a list; log each element under its field name
   set x [ASM::violation_data]

   for {set i 0} { $i < 7 } {incr i} {
      switch $i {
         0 { log local0. "violation=[lindex $x $i]" }
         1 { log local0. "support_id=[lindex $x $i]" }
         2 { log local0. "web_application=[lindex $x $i]" }
         3 { log local0. "severity=[lindex $x $i]" }
         4 { log local0. "source_ip=[lindex $x $i]" }
         5 { log local0. "attack_type=[lindex $x $i]" }
         6 { log local0. "request_status=[lindex $x $i]" }
      }
   }

   # Only rewrite the response when the attack type is a malicious file upload
   if {([lindex $x 5] contains "ATTACK_TYPE_MALICIOUS_FILE_UPLOAD")} {
      HTTP::header remove Content-Length
      HTTP::header insert header_1 value_1

      # HTML body returned to the client in place of the default blocking page
      set response "<html><head><title>Apology Page</title></head><body>We are sorry,\
         but the site you are looking for is temporarily out of service<br>\
         If you feel you have reached this page in error, please try again.</body></html>"

      # Empty the existing payload, then write the custom page at offset 0
      ASM::payload replace 0 [ASM::payload length] ""
      ASM::payload replace 0 0 $response
   }
}

However, it seems that the iRule is not triggering at all. Any idea what I am missing here?

Thank you,
Darshan
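
The iRule in the post above writes each blocked request to the log as seven separate key=value lines, so lines from concurrent requests on different TMM instances can interleave. As an added example (not part of the original thread), this Python script regroups those lines per TMM instance and counts malicious-upload blocks per client IP; the log line layout, the rule name and all sample values are constructed assumptions.

```python
import re
from collections import Counter

# Order in which the iRule logs the ASM::violation_data list (indexes 0..6).
FIELDS = ["violation", "support_id", "web_application", "severity",
          "source_ip", "attack_type", "request_status"]

# Assumed log layout: "<date> <host> info tmmN[pid]: Rule <name> <EVENT>: <msg>"
LINE_RE = re.compile(r"(?P<tmm>tmm\d*)\[\d+\]: Rule \S+ <ASM_REQUEST_BLOCKING>: "
                     r"(?P<key>\w+)=(?P<value>.*)$")

def parse_blocked_requests(text):
    """Rebuild one dict per blocked request from the iRule's key=value lines."""
    open_recs, done = {}, []            # open_recs: one in-progress record per TMM
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["key"] not in FIELDS:
            continue
        tmm, key = m["tmm"], m["key"]
        if key == FIELDS[0]:            # "violation" is logged first: start a record
            if tmm in open_recs:        # previous record was cut short, keep it as partial
                done.append(open_recs.pop(tmm))
            open_recs[tmm] = {}
        if tmm not in open_recs:        # tail of a record whose start was rotated away
            continue
        open_recs[tmm][key] = m["value"].strip()
        if key == FIELDS[-1]:           # "request_status" is logged last: record complete
            done.append(open_recs.pop(tmm))
    return done + list(open_recs.values())

def malicious_uploads_by_source(records):
    """Count blocks per client IP, using the same substring test as the iRule."""
    return Counter(r.get("source_ip", "unknown") for r in records
                   if "ATTACK_TYPE_MALICIOUS_FILE_UPLOAD" in r.get("attack_type", ""))

def sample_lines(tmm, values):
    """Constructed log lines (host, rule name and all values are made up)."""
    return [f"Oct 26 10:15:01 bigip1 info {tmm}[11045]: Rule /Common/asm_av_page "
            f"<ASM_REQUEST_BLOCKING>: {k}={v}" for k, v in zip(FIELDS, values)]

UPLOAD = sample_lines("tmm", ["VIOLATION_VIRUS_DETECTED", "1234567890",
                              "/Common/upload_policy", "Critical", "203.0.113.10",
                              "ATTACK_TYPE_MALICIOUS_FILE_UPLOAD", "blocked"])
OTHER = sample_lines("tmm1", ["VIOLATION_EVASION_DETECTED", "1234567891",
                              "/Common/upload_policy", "Critical", "198.51.100.7",
                              "ATTACK_TYPE_DETECTION_EVASION", "blocked"])
# Interleave the two requests line by line, as two TMM instances logging at once would.
SAMPLE_LOG = "\n".join(line for pair in zip(UPLOAD, OTHER) for line in pair)

if __name__ == "__main__":
    for ip, n in malicious_uploads_by_source(parse_blocked_requests(SAMPLE_LOG)).items():
        print(f"{ip}: {n} blocked malicious upload(s)")
```

Records whose first lines are missing are dropped, while records cut short at the end are returned with only the fields that were seen.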

  • Hello Folks,

    I got the breakthrough. Actually, it was a minor configuration mistake I made. In ASM, I didn't enable "Trigger ASM iRule Events". After enabling the checkbox, it started working as expected.

    Just in case someone wants an iRule to customize the ICAP response when it detects a virus, you can use the above snippet. It is tested and working as expected.

    Thank you anyway for going through this.

    Cheers! Darshan


    • mattsthe2_59142
      Where do you tie the iRule to make this work? Would it be tied to the VIP in LTM of the application being used to do the upload?
  • @Mattsthe2,

    Yes, I tied it to the VIP, LTM, which is being used to upload the file, and expected the file upload to be scanned by the ICAP server.


  • The long_request_buffer_size parameter value is defined in the Application Security > Options > Advanced Configuration screen in the Configuration utility. The default value of the parameter is 10 MB.