cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

Return ASM Violation in Response

LB
Cirrus
Cirrus

Hey folks,

 

Is it possible to return the ASM violation in the response body?

 

If so, what does that logic look like?

1 ACCEPTED SOLUTION

I don't know how to do it in simple way, but you can try to use ASM iRule for this purpose.

Something like this:

when ASM_REQUEST_BLOCKING {

set x [ASM::violation_data]

#c_ stands for "custom"

set c_brp "<html>

         <head>

         <title>This is a custom BRP!</title>

         </head>

         <body>

         <h1>The request was blocked and next violations were detected: [lindex $x 0].</h1>

         </body>

        </html>"

  set c_brplen [string length $c_brp]

 

HTTP::header replace "Content-length" $c_brplen

 

#ASM already formed a BRP, so we delete it first and place ours instead

#d_ stands for "default"

set d_brplen [ASM::payload length]

ASM::payload replace 0 $d_brplen $c_brp

}

 

Thanks, Ivan

View solution in original post

4 REPLIES 4

Ivan_Chernenkii
F5 Employee
F5 Employee

Hello,

 

Do you want to return violation in case of Blocking in Blocking Response Page OR you want to insert it in response from backend server?

What is use case of such data?

 

Thanks, Ivan

LB
Cirrus
Cirrus

Hi Ivan,

 

Thanks for your response, I have gotten real value from your responses in this forum.

 

If possible, I would like to return the asm::violation names in the response page (reason for block in response). Use case is internal customers refuse to search support ID in SIEM. This would be implemented in a non-production environment.

 

Thanks,

L

I don't know how to do it in simple way, but you can try to use ASM iRule for this purpose.

Something like this:

when ASM_REQUEST_BLOCKING {

set x [ASM::violation_data]

#c_ stands for "custom"

set c_brp "<html>

         <head>

         <title>This is a custom BRP!</title>

         </head>

         <body>

         <h1>The request was blocked and next violations were detected: [lindex $x 0].</h1>

         </body>

        </html>"

  set c_brplen [string length $c_brp]

 

HTTP::header replace "Content-length" $c_brplen

 

#ASM already formed a BRP, so we delete it first and place ours instead

#d_ stands for "default"

set d_brplen [ASM::payload length]

ASM::payload replace 0 $d_brplen $c_brp

}

 

Thanks, Ivan

Thanks Ivan, I will try this.