Dwan389
Nov 06, 2019

ASM get vulnerability occurrence in iRules

Hi there,

I'd like to achieve a header check feature: when more than one of the three headers (e.g. authentication, access_token, token) is present in the request header, the request will pass the check; otherwise, the request will be blocked. Specifically, if the request URL contains certain strings (e.g. static), the request will be served without the header check.

I wrote the following iRule, but I have an issue with the ASM::violation API.

when ASM_REQUEST_DONE {
    # header_checklist is the data group that stores the headers to be checked in the request
    set header_count [class size header_checklist]

    if { [llength [ASM::violation names]] < $header_count && [lindex [ASM::violation names] 0] == "VIOLATION_MISSING_MANDATORY_HEADER" } {
        # one of the mandatory headers is included, unblock the request
        ASM::unblock
    # authentication_whitelist is the URL whitelist data group that skips the mandatory header check
    } elseif { [class match [HTTP::uri] contains authentication_whitelist] && [llength [ASM::violation names]] <= 3 && [lindex [ASM::violation names] 0] == "VIOLATION_MISSING_MANDATORY_HEADER" } {
        # no mandatory header included, but the URL hit the URL whitelist data group, unblock the request
        ASM::unblock
    }
}

However, [llength [ASM::violation names]] cannot return the correct violation count (like the occurrences in the figure below, the ones on the Security ›› Event Logs : Application : Requests page). I'd like to know if I can get the occurrence count from any iRules API, or if I need other tools to achieve this.

Besides, I also tried to use a custom attack signature to achieve this feature, but I cannot get the custom signature to hit for illegal requests (I created the attack signature below, but it cannot block requests as intended. However, if I switch the rule to contain string, it works properly).
