For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

kridsana's avatar
kridsana
Icon for Cirrocumulus rankCirrocumulus
Feb 27, 2018

iRule for ASM response page and error when use HTTP::respond

Hi I've problem about irule below which i try to customize information in response page of ASM via irule.

In this case we trigger ASM_REQUEST_DONE and get all parameter of violation data.and we use HTTP::respond and send information needed to user.

Problem is when we use HTTP::respond we got error in ltm log like this and connection is reset. (can't see any response page)

Error :http_process_state_prepend - Invalid action:0x109071 clientside (192.168.1.154:50013 -> 192.168.200.22:80) ((null connflow)) (Client side: vip=/Common/VS_Auction profile=http pool=/Common/Pool_auction client_ip=192.168.1.154)

Is there another way to send HTML respond to user? When we remove HTTP::respond line, It's working fine.

    when ASM_REQUEST_DONE {
    set x [ASM::violation_data]
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
        0         { log local0. "violation=[lindex $x $i]" }
        1         { log local0. "support_id=[lindex $x $i]" }
        2         { log local0. "web_application=[lindex $x $i]" }
        3         { log local0. "severity=[lindex $x $i]" }
        4         { log local0. "source_ip=[lindex $x $i]" }
        5         { log local0. "attack_type=[lindex $x $i]" }
        6         { log local0. "request_status=[lindex $x $i]" }
        }
    } 
    if {([lindex $x 6] == "blocked")}
    {
        In this case we only use 2 parameter: support id and source ip
        set supportid [lindex $x 1]
        set sourceip [lindex $x 4]
        HTTP::respond 200 content "Test block pagePage is currently unavailable.
support id:$supportid
source ip:$sourceip" "Content-Type" "text/html"  
    }   
}
ASM Advanced WAF
devops
iRules
response page
security

1 Reply

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus
    Feb 28, 2018

    You can try the following (untested):

    when ASM_REQUEST_DONE {
    set x [ASM::violation_data]
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
        0         { log local0. "violation=[lindex $x $i]" }
        1         { log local0. "support_id=[lindex $x $i]" }
        2         { log local0. "web_application=[lindex $x $i]" }
        3         { log local0. "severity=[lindex $x $i]" }
        4         { log local0. "source_ip=[lindex $x $i]" }
        5         { log local0. "attack_type=[lindex $x $i]" }
        6         { log local0. "request_status=[lindex $x $i]" }
        }
    }

    if {([lindex $x 6] == "blocked")} {
        In this case we only use 2 parameter: support id and source ip
        set supportid [lindex $x 1]
        set sourceip [lindex $x 4]
        set blocked "blocked"
        ASM::unblock
    }
}

when HTTP_REQUEST_SEND {
    if { [info exists blocked] } {
        HTTP::respond 200 content "Test block pagePage is currently unavailable.
support id:$supportid
source ip:$sourceip" "Content-Type" "text/html"
        TCP::close
    }
}

    .