Forum Discussion

LB's avatar
LB
Icon for Cirrus rankCirrus
Aug 14, 2020

Return ASM Violation in Response

Hey folks,

 

Is it possible to return the ASM violation in the response body?

 

If so, what does that logic look like?

ASM Advanced WAF
iRules
security
  • Ivan_Chernenkii's avatar
    Ivan_Chernenkii
    Aug 20, 2020

    I don't know how to do it in simple way, but you can try to use ASM iRule for this purpose.

    Something like this:

    when ASM_REQUEST_BLOCKING {

    set x [ASM::violation_data]

    #c_ stands for "custom"

    set c_brp "<html>

             <head>

             <title>This is a custom BRP!</title>

             </head>

             <body>

             <h1>The request was blocked and next violations were detected: [lindex $x 0].</h1>

             </body>

            </html>"

      set c_brplen [string length $c_brp]

     

    HTTP::header replace "Content-length" $c_brplen

     

    #ASM already formed a BRP, so we delete it first and place ours instead

    #d_ stands for "default"

    set d_brplen [ASM::payload length]

    ASM::payload replace 0 $d_brplen $c_brp

    }

     

    Thanks, Ivan

  • Ivan_Chernenkii's avatar
    Ivan_Chernenkii
    Icon for Employee rankEmployee
    Aug 19, 2020

    Hello,

     

    Do you want to return violation in case of Blocking in Blocking Response Page OR you want to insert it in response from backend server?

    What is use case of such data?

     

    Thanks, Ivan

  • LB's avatar
    LB
    Icon for Cirrus rankCirrus
    Aug 20, 2020

    Hi Ivan,

     

    Thanks for your response, I have gotten real value from your responses in this forum.

     

    If possible, I would like to return the asm::violation names in the response page (reason for block in response). Use case is internal customers refuse to search support ID in SIEM. This would be implemented in a non-production environment.

     

    Thanks,

    L

    • Ivan_Chernenkii's avatar
      Ivan_Chernenkii
      Icon for Employee rankEmployee
      Aug 20, 2020

      I don't know how to do it in simple way, but you can try to use ASM iRule for this purpose.

      Something like this:

      when ASM_REQUEST_BLOCKING {

      set x [ASM::violation_data]

      #c_ stands for "custom"

      set c_brp "<html>

               <head>

               <title>This is a custom BRP!</title>

               </head>

               <body>

               <h1>The request was blocked and next violations were detected: [lindex $x 0].</h1>

               </body>

              </html>"

        set c_brplen [string length $c_brp]

       

      HTTP::header replace "Content-length" $c_brplen

       

      #ASM already formed a BRP, so we delete it first and place ours instead

      #d_ stands for "default"

      set d_brplen [ASM::payload length]

      ASM::payload replace 0 $d_brplen $c_brp

      }

       

      Thanks, Ivan

      • LB's avatar
        LB
        Icon for Cirrus rankCirrus
        Sep 01, 2020

        Thanks Ivan, I will try this.