Forum Discussion

Manoranajn_3164's avatar
Manoranajn_3164
Icon for Nimbostratus rankNimbostratus
Apr 06, 2017

Custom Response to disallowed geo location

Hello

So, I have been trying to create an iRule that can enable me to present a custom response in case a user access application from a disallowed geo-location, but its not working. following is the iRule that i have created.

when ASM_REQUEST_BLOCKING
{ 
  set x [ASM::violation_data]
  set activeViolation 1
  for {set i 0} { $i < 7 } {incr i} {
      switch $i {
      0         { log local0. "violation=[lindex $x $i]" }
      1         { log local0. "support_id=[lindex $x $i]" }
      2         { log local0. "web_application=[lindex $x $i]" }
      3         { log local0. "severity=[lindex $x $i]" }
      4         { log local0. "source_ip=[lindex $x $i]" }
      5         { log local0. "attack_type=[lindex $x $i]" }
      6         { log local0. "request_status=[lindex $x $i]" }

   }}

   if {([lindex $x 0] contains "ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY")}
   {
      log local0. "ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY detected, let's customized reject page"

      set response "Request Rejected PageSorry,\
      access to this site is restricted."

      ASM::payload replace 0 0 ""
      ASM::payload replace 0 0 $response
   }   

}

Can Somebody have a look and let me know what is wrong with this iRule

Thanks Manoranjan

ASM Advanced WAF
iRules
security
  • samstep's avatar
    samstep
    Icon for Cirrocumulus rankCirrocumulus
    Apr 06, 2017

    What do you mean by "not working"? Do you get any messages in the ltm log? Did you tick the check box in your policy to enable triggering ASM iRules? You also need to remove the Content-Length header if you are modifying the payload as the broswer might get confused that the size of the payload does not match the Content-Length header

     

  • samstep's avatar
    samstep
    Icon for Cirrocumulus rankCirrocumulus
    Apr 07, 2017

    Take a look at your logs. Your "if" condition is wrong.

     

    lindex position 0 should be VIOLATION_ILLEGAL_GEOLOCATION not ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY

     

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Apr 08, 2017

    Hi Manoranajn,

    take a look to the iRule below. It uses a less complicated approach to debug log the violation data and updates in addition the "Content-Length" header information, after changing the response.

    when ASM_REQUEST_BLOCKING {
    set x [ASM::violation_data]
    log local0.debug "violation=[lindex $x [set i 0]]"
    log local0.debug "support_id=[lindex $x [incr i]]"
    log local0.debug "web_application=[lindex $x [incr i]]"
    log local0.debug "severity=[lindex $x [incr i]]"
    log local0.debug "source_ip=[lindex $x [incr i]]"
    log local0.debug "attack_type=[lindex $x [incr i]]"
    log local0.debug "request_status=[lindex $x [incr i]]"
    if { [lindex $x 0] contains "ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY" } then {
        log local0.debug "ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY detected, let's customized reject page"
        ASM::payload replace 0 [ASM::payload length] ""
        ASM::payload replace 0 0 "Request Rejected PageSorry, access to this site is restricted."
        HTTP::header remove "Content-Length"
        HTTP::header insert "Content-Length" [ASM::payload length]
    }
}

    Cheers, Kai