Forum Discussion
psajdakl
Mar 18, 2022Nimbostratus
Response page additional information from triggered violation
Hi, Please help, We need for our dev tem provide a response page with some information like it is from (Gui - Triggered Violations details, once you click occurrensec arrow to see table details) ...
Daniel_Wolf
Mar 19, 2022MVP
Hi psajdakl
make sure to enable "Trigger ASM iRule Events Mode" in your ASM policy.
Then I used this iRule:
when ASM_REQUEST_BLOCKING {
set x [ASM::violation_data]
#marker bit to handle header change
set activeViolation 1
for {set i 0} { $i < 7 } {incr i} {
switch $i {
0 { set violation "violation=[lindex $x $i]" }
1 { set support_id "support_id=[lindex $x $i]" }
2 { set web_application "web_application=[lindex $x $i]" }
3 { set severity "severity=[lindex $x $i]" }
4 { set source_ip "source_ip=[lindex $x $i]" }
5 { set attack_type "attack_type=[lindex $x $i]" }
6 { set request_status "request_status=[lindex $x $i]" }
}
}
set response "<html><head><title>Request Rejected</title></head>\
<body>The requested URL was rejected. Please consult with your administrator.<br><br>\
Your support ID is: $support_id<br><br><a href='javascript:history.back();'>Go Back</a><br><br>\
Your $violation<br>\
Your $web_application<br>\
Your $severity<br>\
Your $source_ip<br>\
Your $attack_type<br>\
Your $request_status<br></body></html>"
ASM::payload replace 0 [ASM::payload length] ""
ASM::payload replace 0 0 $response
}
when HTTP_RESPONSE_RELEASE {
#catch for error if variable does not exist (no previous event ASM_REQUEST_BLOCKING)
catch {
#do only if previous was event ASM_REQUEST_BLOCKING
if { $activeViolation } {
#modify respose header
HTTP::header remove Content-Length
HTTP::header insert header_1 value_1
}
}
}
This is not exaclty what you asked for, but it is a bit more verbose.
I build the iRule based on this the documentation about this iRule event: Clouddocs > > ASM_REQUEST_BLOCKING
KR
Daniel
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects