Forum Discussion
Response and blocking page
- Oct 02, 2023
Hi THE_BLUE,
I believe that you can do that, but with a complex iRule that returns the violation name each time and replies back with the proper HTML response page for that violation.
Look at this: https://clouddocs.f5.com/api/irules/ASM__violation.html
But I see that as complex and very weird. What if an attacker tries to perform a simple attack on your website (he will know why he is blocked)? This will let him learn useful info about your application easily, and then I think he will be able to compromise you.
That doesn't make sense to do such a solution really, that's my opinion.
- Oct 02, 2023
Hi THE_BLUE,
you can use this iRule, it's pretty verbose. And I totally agree with Mohamed_Ahmed_Kansoh, you will give valuable information to any potential attacker.
```tcl
when ASM_REQUEST_BLOCKING {
    set x [ASM::violation_data]
    # marker bit to handle header change
    set activeViolation 1
    # split the violation data list into labelled fields
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
            0 { set violation "violation=[lindex $x $i]" }
            1 { set support_id "support_id=[lindex $x $i]" }
            2 { set web_application "web_application=[lindex $x $i]" }
            3 { set severity "severity=[lindex $x $i]" }
            4 { set source_ip "source_ip=[lindex $x $i]" }
            5 { set attack_type "attack_type=[lindex $x $i]" }
            6 { set request_status "request_status=[lindex $x $i]" }
        }
    }
    # build the custom blocking page with all violation details
    set response "<html><head><title>Request Rejected</title></head>\
        <body>The requested URL was rejected. Please consult with your administrator.<br><br>\
        Your support ID is: $support_id<br><br><a href='javascript:history.back();'>Go Back</a><br><br>\
        Your $violation<br>\
        Your $web_application<br>\
        Your $severity<br>\
        Your $source_ip<br>\
        Your $attack_type<br>\
        Your $request_status<br></body></html>"
    # empty the default blocking page, then insert the custom one
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response
}
when HTTP_RESPONSE_RELEASE {
    # catch for error if variable does not exist (no previous event ASM_REQUEST_BLOCKING)
    catch {
        # do only if previous was event ASM_REQUEST_BLOCKING
        if { $activeViolation } {
            # modify response header
            HTTP::header remove Content-Length
            HTTP::header insert header_1 value_1
            # reset the marker so later responses on the same connection are left untouched
            set activeViolation 0
        }
    }
}
```
You could/should add an if-clause to execute this iRule only for RFC1918 IP addresses. For example:
```tcl
if { [class match [IP::client_addr] equals private_net] } {
    # do this stuff
}
```
And you should do a performance test of this iRule. I actually never did that 🤔
KR
Daniel
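The two points raised in this thread (detailed pages inform an attacker, and the details could be limited to RFC1918 clients) can be combined in one iRule. The sketch below is an added example, not code from either poster or from F5 documentation. It assumes the `private_net` data group covers your internal ranges and that `ASM::violation_data` returns its fields in the order used in the post above. It has not been performance-tested.

```tcl
when ASM_REQUEST_BLOCKING {
    # Field order as used in the post above (assumption carried over from it)
    set names {violation support_id web_application severity source_ip attack_type request_status}
    set data [ASM::violation_data]
    set activeViolation 1

    # HTML-escape every value once, before any of it is written into a page
    set safe {}
    foreach value $data {
        lappend safe [string map {& &amp; < &lt; > &gt; {"} &quot;} $value]
    }

    # Full details always go to the local log, so the support ID can be looked up later
    log local0. "ASM block support_id=[lindex $data 1] violation=[lindex $data 0] attack_type=[lindex $data 5] client=[IP::client_addr]"

    # Generic page: every client gets the support ID and nothing else
    set body "<html><head><title>Request Rejected</title></head>\
        <body>The requested URL was rejected. Please consult with your administrator.<br><br>\
        Your support ID is: [lindex $safe 1]<br><br>"

    # Only clients matching private_net see the violation details
    if { [class match [IP::client_addr] equals private_net] } {
        set i 0
        foreach name $names {
            append body "$name=[lindex $safe $i]<br>"
            incr i
        }
    }
    append body "</body></html>"

    # Empty the default blocking page, then insert the custom one
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $body
}

when HTTP_RESPONSE_RELEASE {
    # Act only on the response that follows a blocked request
    if { [info exists activeViolation] && $activeViolation } {
        HTTP::header remove Content-Length
        # Reset the marker so later responses on this connection are not modified
        set activeViolation 0
    }
}
```

External clients still receive the support ID, which an administrator can match against the log line to find the violation without exposing it in the response.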