ASM_REQUEST_BLOCKING¶
Description¶
This event is triggered when ASM is generating the reject-response and
gives the iRule a chance to modify that reject-response before it is
sent.
Examples¶
This example modifies the ASM reject page when the evasion detected(a client side violation) is triggered by ASM.
when ASM_REQUEST_BLOCKING
{
set x [ASM::violation_data]
#marker bit to handle header change
set activeViolation 1
for {set i 0} { $i < 7 } {incr i} {
switch $i {
0 { log local0. "violation=[lindex $x $i]" }
1 { log local0. "support_id=[lindex $x $i]" }
2 { log local0. "web_application=[lindex $x $i]" }
3 { log local0. "severity=[lindex $x $i]" }
4 { log local0. "source_ip=[lindex $x $i]" }
5 { log local0. "attack_type=[lindex $x $i]" }
6 { log local0. "request_status=[lindex $x $i]" }
}}
if {([lindex $x 0] contains "VIOLATION_EVASION_DETECTED")}
{
log local0. "VIOLATION_EVASION_DETECTED detected, let's customized reject page"
#this really does not work like this
#HTTP::header remove Content-Length
#HTTP::header insert header_1 value_1
set response "<html><head><title>Apology Page</title></head><body>We are sorry,\
but the site you are looking for is temporarily out of service<br>\
If you feel you have reached this page in error, please try again.</body></html>"
ASM::payload replace 0 [ASM::payload length] ""
ASM::payload replace 0 0 $response
}
}
when HTTP_RESPONSE_RELEASE {
#catch for error if variable does not exist (no previous event ASM_REQUEST_BLOCKING)
catch {
#do only if previous was event ASM_REQUEST_BLOCKING
if { $activeViolation } {
#modify respose header
HTTP::header remove Content-Length
HTTP::header insert header_1 value_1
}
}
}