Forum Discussion
THE_BLUE
Cirrostratus
CirrostratusResponse and blocking page
I need to customize the blocking page by adding the name of the block. Not all violations, only what the user can understand, for example, if there is a meta character in value, and so on. This will help us a lot, so the client will know what the reason for the block is so that they can fix it immediately, for example, not using characters in the value.
How do I achieve this?
Hi THE_BLUE ,
I believe that you can do that but with a complex irule that returns each time the Violation name and reply back with the proper HTML response page regarding that violation.
look at this : https://clouddocs.f5.com/api/irules/ASM__violation.html
But I see that complex and much weird , what if an attacker try to perform simple attack to your webside ( He will know why he is blocked ) this will let him know a useful info about your application easly , then I think he will be able to compromise you.
That doesn't make sense to do such this solution really , that's my opinion.Hi THE_BLUE,
you can use this iRule, it's pretty verbose. And I totally agree with Mohamed_Ahmed_Kansoh, you will give valuable information to any potential attacker.
when ASM_REQUEST_BLOCKING { set x [ASM::violation_data] #marker bit to handle header change set activeViolation 1 for {set i 0} { $i < 7 } {incr i} { switch $i { 0 { set violation "violation=[lindex $x $i]" } 1 { set support_id "support_id=[lindex $x $i]" } 2 { set web_application "web_application=[lindex $x $i]" } 3 { set severity "severity=[lindex $x $i]" } 4 { set source_ip "source_ip=[lindex $x $i]" } 5 { set attack_type "attack_type=[lindex $x $i]" } 6 { set request_status "request_status=[lindex $x $i]" } } } set response "<html><head><title>Request Rejected</title></head>\ <body>The requested URL was rejected. Please consult with your administrator.<br><br>\ Your support ID is: $support_id<br><br><a href='javascript:history.back();'>Go Back</a><br><br>\ Your $violation<br>\ Your $web_application<br>\ Your $severity<br>\ Your $source_ip<br>\ Your $attack_type<br>\ Your $request_status<br></body></html>" ASM::payload replace 0 [ASM::payload length] "" ASM::payload replace 0 0 $response } when HTTP_RESPONSE_RELEASE { #catch for error if variable does not exist (no previous event ASM_REQUEST_BLOCKING) catch { #do only if previous was event ASM_REQUEST_BLOCKING if { $activeViolation } { #modify respose header HTTP::header remove Content-Length HTTP::header insert header_1 value_1 } } }You could/should add in if-clause to execute this iRule only for RFC1918 IP addresses. For example:
if { [class match [IP::client_addr] equals private_net] } { do this stuff }And you should do a performance test of this iRule. I actually never did that 🤔
KR
Daniel
Hi THE_BLUE ,
I believe that you can do that but with a complex irule that returns each time the Violation name and reply back with the proper HTML response page regarding that violation.
look at this : https://clouddocs.f5.com/api/irules/ASM__violation.html
But I see that complex and much weird , what if an attacker try to perform simple attack to your webside ( He will know why he is blocked ) this will let him know a useful info about your application easly , then I think he will be able to compromise you.
That doesn't make sense to do such this solution really , that's my opinion.- Daniel_Wolf
MVP
Hi THE_BLUE,
you can use this iRule, it's pretty verbose. And I totally agree with Mohamed_Ahmed_Kansoh, you will give valuable information to any potential attacker.
when ASM_REQUEST_BLOCKING { set x [ASM::violation_data] #marker bit to handle header change set activeViolation 1 for {set i 0} { $i < 7 } {incr i} { switch $i { 0 { set violation "violation=[lindex $x $i]" } 1 { set support_id "support_id=[lindex $x $i]" } 2 { set web_application "web_application=[lindex $x $i]" } 3 { set severity "severity=[lindex $x $i]" } 4 { set source_ip "source_ip=[lindex $x $i]" } 5 { set attack_type "attack_type=[lindex $x $i]" } 6 { set request_status "request_status=[lindex $x $i]" } } } set response "<html><head><title>Request Rejected</title></head>\ <body>The requested URL was rejected. Please consult with your administrator.<br><br>\ Your support ID is: $support_id<br><br><a href='javascript:history.back();'>Go Back</a><br><br>\ Your $violation<br>\ Your $web_application<br>\ Your $severity<br>\ Your $source_ip<br>\ Your $attack_type<br>\ Your $request_status<br></body></html>" ASM::payload replace 0 [ASM::payload length] "" ASM::payload replace 0 0 $response } when HTTP_RESPONSE_RELEASE { #catch for error if variable does not exist (no previous event ASM_REQUEST_BLOCKING) catch { #do only if previous was event ASM_REQUEST_BLOCKING if { $activeViolation } { #modify respose header HTTP::header remove Content-Length HTTP::header insert header_1 value_1 } } }You could/should add in if-clause to execute this iRule only for RFC1918 IP addresses. For example:
if { [class match [IP::client_addr] equals private_net] } { do this stuff }And you should do a performance test of this iRule. I actually never did that 🤔
KR
Daniel