Forum Discussion

psajdakl's avatar
Icon for Nimbostratus rankNimbostratus
Mar 18, 2022

Response page additional information from triggered violation


Please help, We need for our dev tem provide a response page with some information like it is from (Gui - Triggered Violations details, once you click occurrensec arrow to see table details) 

So for exampl. Dev is testing new webapp and has been blocked, he see support id on respond page and we would like to give them details from triggered violations like:

Detected keyword, attack signature, context, parameter level, actual parameter name, wildcard parameter and so on.

It is test env so we can provide them this information. Is any chance to do that using iRule or other way? 

Thanks for providing any example for iRule or any link for parrameters needed to be add in iRule

We cannot give dev team any Monitor access from gui, 

best regards

1 Reply

  • Hi psajdakl 

    make sure to enable "Trigger ASM iRule Events Mode" in your ASM policy.

    Then I used this iRule:

        set x [ASM::violation_data]
        #marker bit to handle header change
        set activeViolation 1
        for {set i 0} { $i < 7 } {incr i} {
            switch $i {
            0         { set violation "violation=[lindex $x $i]" }
            1         { set support_id "support_id=[lindex $x $i]" }
            2         { set web_application "web_application=[lindex $x $i]" }
            3         { set severity "severity=[lindex $x $i]" }
            4         { set source_ip "source_ip=[lindex $x $i]" }
            5         { set attack_type "attack_type=[lindex $x $i]" }
            6         { set request_status "request_status=[lindex $x $i]" }
        set response "<html><head><title>Request Rejected</title></head>\
        <body>The requested URL was rejected. Please consult with your administrator.<br><br>\
        Your support ID is: $support_id<br><br><a href='javascript&colon;history.back();'>Go Back</a><br><br>\
        Your $violation<br>\
        Your $web_application<br>\
        Your $severity<br>\
        Your $source_ip<br>\
        Your $attack_type<br>\
        Your $request_status<br></body></html>"
        ASM::payload replace 0 [ASM::payload length] ""
        ASM::payload replace 0 0 $response
       #catch for error if variable does not exist (no previous event ASM_REQUEST_BLOCKING)
       catch {
           #do only if  previous was event ASM_REQUEST_BLOCKING
           if { $activeViolation } {
               #modify respose header
               HTTP::header remove Content-Length
               HTTP::header insert header_1 value_1

    This is not exaclty what you asked for, but it is a bit more verbose.
    I build the iRule based on this the documentation about this iRule event: Clouddocs > > ASM_REQUEST_BLOCKING