Forum Discussion
Mike_Maher
Nimbostratus
Mar 19, 2013
Different Blocking pages for different violation?
I have an application that is going to start uploading files to the application, so I am going to use the ICAP hook that ASM has to an AV scan engine to inspect those files before they reach the s...
Mike_Maher
Nimbostratus
Mar 22, 2013
Ok, so I have come up with a basic construct of an iRule to handle a couple of options for the Virus detected violation. In this particular version I am removing the malicious file from the request, inserting a line in the header, and passing it to the web server so the application owner can reply with whatever they like. Could someone take a look over this and see if I am making any mistakes and if I am interpreting the ASM::payload command correctly?
You could also do away with the ASM::payload and header insert and just do a custom response here as well.
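when ASM_REQUEST_BLOCKING {
    # ASM::violation_data returns a list in this order: violation, support_id,
    # web_application, severity, source_ip, attack_type, request_status
    set x [ASM::violation_data]
    for {set i 0} {$i < 7} {incr i} {
        switch $i {
            0 { log local0. "violation=[lindex $x $i]" }
            1 { log local0. "support_id=[lindex $x $i]" }
            2 { log local0. "web_application=[lindex $x $i]" }
            3 { log local0. "severity=[lindex $x $i]" }
            4 { log local0. "source_ip=[lindex $x $i]" }
            5 { log local0. "attack_type=[lindex $x $i]" }
            6 { log local0. "request_status=[lindex $x $i]" }
        }
    }
    # attack_type is element 5 of the list (element 0 is the violation name)
    if {[lindex $x 5] contains "ATTACK_TYPE_MALICIOUS_FILE_UPLOAD"} {
        # Syntax is: replace <offset> <length> <string>. A length of 0 removes
        # nothing, so pass the current payload length to clear the payload.
        ASM::payload replace 0 [ASM::payload length] ""
        # The value is a plain quoted string; square brackets would be
        # evaluated by Tcl as a command call.
        HTTP::header insert x-asm-violation "Virus Found"
    }
}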
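The custom-response option mentioned in the post, sketched as an added example that is not part of the original post and not F5's own code. It assumes that in ASM_REQUEST_BLOCKING the ASM::payload and HTTP::header commands act on the blocking response ASM is about to send; the page texts and the VIOLATION_EVASION_DETECTED branch are constructed for illustration.

```tcl
when ASM_REQUEST_BLOCKING {
    # List order: violation, support_id, web_application, severity,
    # source_ip, attack_type, request_status
    set data [ASM::violation_data]
    set violation   [lindex $data 0]
    set support_id  [lindex $data 1]
    set attack_type [lindex $data 5]

    # Choose a page per violation class. Anything unmatched returns early
    # and keeps the blocking page configured in the security policy.
    if { $attack_type contains "ATTACK_TYPE_MALICIOUS_FILE_UPLOAD" } {
        set title "Upload rejected"
        set text  "The uploaded file failed the antivirus scan and was not accepted."
    } elseif { $violation contains "VIOLATION_EVASION_DETECTED" } {
        # Constructed second case, to show a different page for a different violation
        set title "Request rejected"
        set text  "The request could not be processed."
    } else {
        return
    }

    # Only ASM-generated values go into the page. Nothing from the request
    # is echoed back, and the support ID is checked to be digits only.
    if { ![string is digit -strict $support_id] } {
        set support_id "unavailable"
    }

    set page "<html><head><title>$title</title></head><body>"
    append page "<h1>$title</h1><p>$text</p>"
    append page "<p>Support ID: $support_id</p></body></html>"

    # Drop the stale length header, clear the current body, then write the new one
    HTTP::header remove Content-Length
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $page

    log local0. "custom blocking page '$title' sent, support_id=$support_id"
}
```

Quoting the support ID on the page lets the application owner match a user report to the ASM event log entry for the blocked upload.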