Forum Discussion
Response and blocking page
- Oct 02, 2023
Hi THE_BLUE ,
I believe that you can do that but with a complex irule that returns each time the Violation name and reply back with the proper HTML response page regarding that violation.
look at this : https://clouddocs.f5.com/api/irules/ASM__violation.html
But I see that complex and much weird , what if an attacker try to perform simple attack to your webside ( He will know why he is blocked ) this will let him know a useful info about your application easly , then I think he will be able to compromise you.
That doesn't make sense to do such this solution really , that's my opinion. - Oct 02, 2023
Hi THE_BLUE,
you can use this iRule, it's pretty verbose. And I totally agree with Mohamed_Ahmed_Kansoh, you will give valuable information to any potential attacker.
when ASM_REQUEST_BLOCKING { set x [ASM::violation_data] #marker bit to handle header change set activeViolation 1 for {set i 0} { $i < 7 } {incr i} { switch $i { 0 { set violation "violation=[lindex $x $i]" } 1 { set support_id "support_id=[lindex $x $i]" } 2 { set web_application "web_application=[lindex $x $i]" } 3 { set severity "severity=[lindex $x $i]" } 4 { set source_ip "source_ip=[lindex $x $i]" } 5 { set attack_type "attack_type=[lindex $x $i]" } 6 { set request_status "request_status=[lindex $x $i]" } } } set response "<html><head><title>Request Rejected</title></head>\ <body>The requested URL was rejected. Please consult with your administrator.<br><br>\ Your support ID is: $support_id<br><br><a href='javascript:history.back();'>Go Back</a><br><br>\ Your $violation<br>\ Your $web_application<br>\ Your $severity<br>\ Your $source_ip<br>\ Your $attack_type<br>\ Your $request_status<br></body></html>" ASM::payload replace 0 [ASM::payload length] "" ASM::payload replace 0 0 $response } when HTTP_RESPONSE_RELEASE { #catch for error if variable does not exist (no previous event ASM_REQUEST_BLOCKING) catch { #do only if previous was event ASM_REQUEST_BLOCKING if { $activeViolation } { #modify respose header HTTP::header remove Content-Length HTTP::header insert header_1 value_1 } } }
You could/should add in if-clause to execute this iRule only for RFC1918 IP addresses. For example:
if { [class match [IP::client_addr] equals private_net] } { do this stuff }
And you should do a performance test of this iRule. I actually never did that 🤔
KR
Daniel
Hi THE_BLUE ,
I believe that you can do that but with a complex irule that returns each time the Violation name and reply back with the proper HTML response page regarding that violation.
look at this : https://clouddocs.f5.com/api/irules/ASM__violation.html
But I see that complex and much weird , what if an attacker try to perform simple attack to your webside ( He will know why he is blocked ) this will let him know a useful info about your application easly , then I think he will be able to compromise you.
That doesn't make sense to do such this solution really , that's my opinion.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com