psajdakl
Mar 18, 2022

Response page additional information from triggered violation

Hi, 

Please help. We need to provide our dev team with a response page containing some information like that shown in the GUI (Triggered Violations details, once you click the occurrences arrow to see the table details).

So, for example: a dev is testing a new webapp and has been blocked. He sees the support ID on the response page, and we would like to give them details from the triggered violations, like:

Detected keyword, attack signature, context, parameter level, actual parameter name, wildcard parameter and so on.

It is a test env, so we can provide them this information. Is there any chance to do that using an iRule or some other way?

Thanks for providing any example iRule or any link for the parameters that need to be added in the iRule.

We cannot give the dev team any Monitor access from the GUI.

best regards

  • Hi psajdakl 

    make sure to enable "Trigger ASM iRule Events Mode" in your ASM policy.

    Then I used this iRule:

    when ASM_REQUEST_BLOCKING {
        set x [ASM::violation_data]
        #marker bit to handle header change
        set activeViolation 1
        
        for {set i 0} { $i < 7 } {incr i} {
            switch $i {
            0         { set violation "violation=[lindex $x $i]" }
            1         { set support_id "support_id=[lindex $x $i]" }
            2         { set web_application "web_application=[lindex $x $i]" }
            3         { set severity "severity=[lindex $x $i]" }
            4         { set source_ip "source_ip=[lindex $x $i]" }
            5         { set attack_type "attack_type=[lindex $x $i]" }
            6         { set request_status "request_status=[lindex $x $i]" }
            }
        }
    
        set response "<html><head><title>Request Rejected</title></head>\
        <body>The requested URL was rejected. Please consult with your administrator.<br><br>\
        Your support ID is: $support_id<br><br><a href='javascript:history.back();'>Go Back</a><br><br>\
        Your $violation<br>\
        Your $web_application<br>\
        Your $severity<br>\
        Your $source_ip<br>\
        Your $attack_type<br>\
        Your $request_status<br></body></html>"
    
    
        ASM::payload replace 0 [ASM::payload length] ""
        ASM::payload replace 0 0 $response
    }
    
    when HTTP_RESPONSE_RELEASE {
       #catch for error if variable does not exist (no previous event ASM_REQUEST_BLOCKING)
       catch {
           #do only if previous event was ASM_REQUEST_BLOCKING
           if { $activeViolation } {
               #modify response header
               HTTP::header remove Content-Length
               HTTP::header insert header_1 value_1
               #clear the marker so later responses on the same connection are left unchanged
               unset activeViolation
           }
       }
    }

    This is not exactly what you asked for, but it is a bit more verbose.
    I built the iRule based on the documentation about this iRule event: Clouddocs > > ASM_REQUEST_BLOCKING 

    KR
    Daniel
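
The details the question asks for (detected keyword, actual parameter name) are values taken from the blocked request itself, so a response page that shows them should HTML-escape each one before it goes into the markup. The following is an added example, not part of Daniel's reply or of F5's documentation, written in plain Tcl that avoids commands newer than Tcl 8.4; the proc names, key names and sample values are constructed for illustration and do not claim to match the format ASM returns.

```tcl
# Added example (not from the thread): escape request-derived values before
# placing them in a blocking page. Inside an iRule, procs are invoked with "call".

# Replace the characters that are significant in HTML text and attribute values.
# "&" is listed first; string map never rescans its own output, so the
# ampersands it emits are not escaped a second time.
proc html_escape {s} {
    return [string map {& &amp; < &lt; > &gt; \" &quot; ' &#39;} $s]
}

# Build the response body from a support ID and a list of {key value} pairs.
# Every key and value passes through html_escape, so markup contained in a
# parameter name or matched keyword is displayed as text, not interpreted.
proc render_block_page {support_id details} {
    set rows ""
    foreach pair $details {
        set key   [lindex $pair 0]
        set value [lindex $pair 1]
        append rows "<tr><td>[html_escape $key]</td><td>[html_escape $value]</td></tr>"
    }
    return "<html><head><title>Request Rejected</title></head><body>\
The requested URL was rejected.<br>\
Your support ID is: [html_escape $support_id]<br>\
<table>$rows</table></body></html>"
}

# Constructed sample input: hypothetical detail keys, one value containing markup.
set sample {
    {violation {Illegal meta character in value}}
    {parameter_name {q"><b>bold</b>}}
    {detected_keyword {a & b}}
}

puts [render_block_page 1234567890 $sample]
```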