asm violation
2 Topics

Custom HTML page for ASM Virus Detection - ICAP
Hello Folks,

One of our customers is using a Kaspersky proxy server as an ICAP integration with ASM (running on 11.3.0 HF8). This is working well, and ICAP is detecting malicious and legitimate files well. Now the requirement is to display a custom HTML page when ASM detects a virus based on ICAP confirmation. I have tried creating an iRule with help from DevCentral, and made something as follows.

```tcl
when ASM_REQUEST_BLOCKING {
    set x [ASM::violation_data]

    # Log each field of the violation data list
    for {set i 0} {$i < 7} {incr i} {
        switch $i {
            0 { log local0. "violation=[lindex $x $i]" }
            1 { log local0. "support_id=[lindex $x $i]" }
            2 { log local0. "web_application=[lindex $x $i]" }
            3 { log local0. "severity=[lindex $x $i]" }
            4 { log local0. "source_ip=[lindex $x $i]" }
            5 { log local0. "attack_type=[lindex $x $i]" }
            6 { log local0. "request_status=[lindex $x $i]" }
        }
    }

    # Replace the blocking response when the attack type is a malicious file upload
    if {([lindex $x 5] contains "ATTACK_TYPE_MALICIOUS_FILE_UPLOAD")} {
        HTTP::header remove Content-Length
        HTTP::header insert header_1 value_1
        set response "Apology PageWe are sorry,\ but the site you are looking for is temporarily out of service\ If you feel you have reached this page in error, please try again."
        ASM::payload replace 0 [ASM::payload length] ""
        ASM::payload replace 0 0 $response
    }
}
```

However, it seems that the iRule is not triggering at all. Any idea what I am missing here?

Thank you,
Darshan

442 Views, 0 likes, 6 Comments

need to exclude certain files
Hi,

I have an iRule that sends people to a 404 page when there is a violation of "illegal URL". Now I was given a second request that I should exclude all URLs leading to PDF files and instead redirect them to a different page. I have been trying to combine this second redirect request with an ELSE option, but so far I am unsuccessful. Adding a second iRule won't work. This is my iRule:

```tcl
when HTTP_REQUEST {
    set asm_404_not_found 0
}

when ASM_REQUEST_BLOCKING {
    set asm_info [ASM::violation_data]
    # Any response tweaking should only be done in blocking mode!!!
    if {[string compare [ASM::status] "blocked"] == 0} {
        if {[string first {VIOLATION_OBJ_DOESNT_EXIST} [lindex $asm_info 0]] != -1} {
            set asm_404_not_found 1
            ASM::disable
            TCP::close
        }
    }
}

when HTTP_RESPONSE_RELEASE {
    if {$asm_404_not_found == 1} {
        HTTP::respond 301 Location "https://www.site.com/404.aspx"
    }
}
```

Any ideas? (sorry for the horrible formatting)

Thanks,
Vered

401 Views, 0 likes, 1 Comment