Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

Response page additional information from triggered violation



Please help, We need for our dev tem provide a response page with some information like it is from (Gui - Triggered Violations details, once you click occurrensec arrow to see table details) 

So for exampl. Dev is testing new webapp and has been blocked, he see support id on respond page and we would like to give them details from triggered violations like:

Detected keyword, attack signature, context, parameter level, actual parameter name, wildcard parameter and so on.

It is test env so we can provide them this information. Is any chance to do that using iRule or other way? 

Thanks for providing any example for iRule or any link for parrameters needed to be add in iRule

We cannot give dev team any Monitor access from gui, 

best regards


Hi @psajdakl 

make sure to enable "Trigger ASM iRule Events Mode" in your ASM policy.

trigger_ASM_iRule_events.pngThen I used this iRule:

    set x [ASM::violation_data]
    #marker bit to handle header change
    set activeViolation 1
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
        0         { set violation "violation=[lindex $x $i]" }
        1         { set support_id "support_id=[lindex $x $i]" }
        2         { set web_application "web_application=[lindex $x $i]" }
        3         { set severity "severity=[lindex $x $i]" }
        4         { set source_ip "source_ip=[lindex $x $i]" }
        5         { set attack_type "attack_type=[lindex $x $i]" }
        6         { set request_status "request_status=[lindex $x $i]" }

    set response "<html><head><title>Request Rejected</title></head>\
    <body>The requested URL was rejected. Please consult with your administrator.<br><br>\
    Your support ID is: $support_id<br><br><a href='javascript&colon;history.back();'>Go Back</a><br><br>\
    Your $violation<br>\
    Your $web_application<br>\
    Your $severity<br>\
    Your $source_ip<br>\
    Your $attack_type<br>\
    Your $request_status<br></body></html>"

    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response

   #catch for error if variable does not exist (no previous event ASM_REQUEST_BLOCKING)
   catch {
       #do only if  previous was event ASM_REQUEST_BLOCKING
       if { $activeViolation } {
           #modify respose header
           HTTP::header remove Content-Length
           HTTP::header insert header_1 value_1

This is not exaclty what you asked for, but it is a bit more verbose.
I build the iRule based on this the documentation about this iRule event: Clouddocs > > ASM_REQUEST_BLOCKING