cancel
Showing results for 
Search instead for 
Did you mean: 

Response page additional information from triggered violation

psajdakl
Nimbostratus
Nimbostratus

Hi, 

Please help, We need for our dev tem provide a response page with some information like it is from (Gui - Triggered Violations details, once you click occurrensec arrow to see table details) 

So for exampl. Dev is testing new webapp and has been blocked, he see support id on respond page and we would like to give them details from triggered violations like:

Detected keyword, attack signature, context, parameter level, actual parameter name, wildcard parameter and so on.

It is test env so we can provide them this information. Is any chance to do that using iRule or other way? 

Thanks for providing any example for iRule or any link for parrameters needed to be add in iRule

We cannot give dev team any Monitor access from gui, 

best regards

1 REPLY 1

Hi @psajdakl 

make sure to enable "Trigger ASM iRule Events Mode" in your ASM policy.

trigger_ASM_iRule_events.pngThen I used this iRule:

when ASM_REQUEST_BLOCKING {
    set x [ASM::violation_data]
    #marker bit to handle header change
    set activeViolation 1
    
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
        0         { set violation "violation=[lindex $x $i]" }
        1         { set support_id "support_id=[lindex $x $i]" }
        2         { set web_application "web_application=[lindex $x $i]" }
        3         { set severity "severity=[lindex $x $i]" }
        4         { set source_ip "source_ip=[lindex $x $i]" }
        5         { set attack_type "attack_type=[lindex $x $i]" }
        6         { set request_status "request_status=[lindex $x $i]" }
            }
        }

    set response "<html><head><title>Request Rejected</title></head>\
    <body>The requested URL was rejected. Please consult with your administrator.<br><br>\
    Your support ID is: $support_id<br><br><a href='javascript&colon;history.back();'>Go Back</a><br><br>\
    Your $violation<br>\
    Your $web_application<br>\
    Your $severity<br>\
    Your $source_ip<br>\
    Your $attack_type<br>\
    Your $request_status<br></body></html>"


    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response
}

when HTTP_RESPONSE_RELEASE {
   #catch for error if variable does not exist (no previous event ASM_REQUEST_BLOCKING)
   catch {
       #do only if  previous was event ASM_REQUEST_BLOCKING
       if { $activeViolation } {
           #modify respose header
           HTTP::header remove Content-Length
           HTTP::header insert header_1 value_1
       }
   }
}

This is not exaclty what you asked for, but it is a bit more verbose.
I build the iRule based on this the documentation about this iRule event: Clouddocs > > ASM_REQUEST_BLOCKING 

KR
Daniel