Response and blocking page

THE_BLUE

I need to customize the blocking page by adding the name of the block. Not all violations, only what the user can understand, for example, if there is a meta character in value, and so on. This will help us a lot, so the client will know what the reason for the block is so that they can fix it immediately, for example, not using characters in the value.

How do I achieve this?

2 ACCEPTED SOLUTIONS

Hi @THE_BLUE,

I believe that you can do that, but with a complex iRule that returns the violation name each time and replies with the proper HTML response page for that violation.
Look at this: https://clouddocs.f5.com/api/irules/ASM__violation.html

But I see that as complex and rather odd. What if an attacker tries to perform a simple attack on your website (he will know why he is blocked)? This will let him learn useful info about your application easily, then I think he will be able to compromise you.

It doesn't really make sense to implement such a solution; that's my opinion.

_______________________
Regards
Mohamed Kansoh


Hi @THE_BLUE,

You can use this iRule; it's pretty verbose. And I totally agree with @Mohamed_Ahmed_Kansoh, you will give valuable information to any potential attacker.

when ASM_REQUEST_BLOCKING {
    set x [ASM::violation_data]
    # marker bit to handle header change
    set activeViolation 1

    # copy each element of the violation data list into a "name=value" string
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
            0 { set violation "violation=[lindex $x $i]" }
            1 { set support_id "support_id=[lindex $x $i]" }
            2 { set web_application "web_application=[lindex $x $i]" }
            3 { set severity "severity=[lindex $x $i]" }
            4 { set source_ip "source_ip=[lindex $x $i]" }
            5 { set attack_type "attack_type=[lindex $x $i]" }
            6 { set request_status "request_status=[lindex $x $i]" }
        }
    }

    set response "<html><head><title>Request Rejected</title></head>\
    <body>The requested URL was rejected. Please consult with your administrator.<br><br>\
    Your support ID is: $support_id<br><br><a href='javascript:history.back();'>Go Back</a><br><br>\
    Your $violation<br>\
    Your $web_application<br>\
    Your $severity<br>\
    Your $source_ip<br>\
    Your $attack_type<br>\
    Your $request_status<br></body></html>"

    # empty the default blocking page, then write the custom one
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response
}

when HTTP_RESPONSE_RELEASE {
    # catch the error if the variable does not exist (no previous ASM_REQUEST_BLOCKING event)
    catch {
        # do this only if the previous event was ASM_REQUEST_BLOCKING
        if { $activeViolation } {
            # modify response header
            HTTP::header remove Content-Length
            HTTP::header insert header_1 value_1
            # reset the marker so later responses on the same connection are untouched
            unset activeViolation
        }
    }
}

You could/should add an if-clause to execute this iRule only for RFC1918 IP addresses. For example:

if { [class match [IP::client_addr] equals private_net] } { do this stuff }

And you should do a performance test of this iRule. I actually never did that 🤔

KR
Daniel
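
A narrower variant of the iRule above, added here as an example and not part of either reply: it combines the `private_net` check with an allow-list, so only internal clients see a reason and only for violations an administrator has marked as user-fixable. The string data group `user_fixable_violations` is hypothetical (its keys must match the violation names exactly as `ASM::violation_data` reports them, its values are the hints to display), and element 0 is assumed to hold one or more names separated by commas.

```tcl
# Added example, not the poster's code.
# Assumption: string data group "user_fixable_violations" (hypothetical name)
# maps a violation name to an admin-written hint for the end user.
when ASM_REQUEST_BLOCKING {
    set data [ASM::violation_data]
    set support_id [lindex $data 1]
    set hints ""

    # Only internal clients get a reason; everyone else keeps the generic page.
    if { [class match [IP::client_addr] equals private_net] } {
        # Assumption: element 0 may carry several names separated by commas.
        foreach name [split [lindex $data 0] ","] {
            set name [string trim $name]
            # Emit the admin-written hint, never the raw ASM value.
            if { [class match $name equals user_fixable_violations] } {
                append hints "<li>[class match -value $name equals user_fixable_violations]</li>"
            }
        }
    }

    set response "<html><head><title>Request Rejected</title></head><body>\
The requested URL was rejected. Please consult with your administrator.<br><br>\
Your support ID is: $support_id<br><br>"
    if { $hints ne "" } {
        append response "What to fix:<ul>$hints</ul>"
    }
    append response "</body></html>"

    # Marker for the response event, as in the iRule above.
    set rewrote_block_page 1
    ASM::payload replace 0 [ASM::payload length] ""
    ASM::payload replace 0 0 $response
}

when HTTP_RESPONSE_RELEASE {
    # Same Content-Length handling as the iRule above, scoped to the blocked request.
    if { [info exists rewrote_block_page] } {
        HTTP::header remove Content-Length
        unset rewrote_block_page
    }
}
```

Violations absent from the data group, such as attack signature matches, fall through to the generic page with the support ID only, which keeps the detail out of external responses while still giving internal users something to act on.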
