ASM_REQUEST_VIOLATION

Description

Triggered when ASM detects that a request violates an ASM security policy.
Note: This event, while still working in 11.5, is deprecated. It has been replaced by ASM_REQUEST_DONE.

Examples

This example logs the received violation data. For an evasion violation (a clientside violation) it modifies the headers and payload of the request; otherwise it redirects the request to another destination.
when ASM_REQUEST_VIOLATION {
  # ASM::violation_data returns a list; elements 0-6 are the fields logged below
  set x [ASM::violation_data]

  for {set i 0} { $i < 7 } {incr i} {
      switch $i {
      0         { log local0. "violation=[lindex $x $i]" }
      1         { log local0. "support_id=[lindex $x $i]" }
      2         { log local0. "web_application=[lindex $x $i]" }
      3         { log local0. "severity=[lindex $x $i]" }
      4         { log local0. "source_ip=[lindex $x $i]" }
      5         { log local0. "attack_type=[lindex $x $i]" }
      6         { log local0. "request_status=[lindex $x $i]" }
      }
  }

  # The opening brace must sit on the same line as the command (Tcl syntax)
  if {[lindex $x 0] contains "VIOLATION_EVASION_DETECTED"} {
      # Evasion violation: modify the request headers and payload
      log local0. "VIOLATION_EVASION_DETECTED detected, uri=[HTTP::uri]"
      HTTP::header insert header_1 value_1
      ASM::payload replace 0 0 "1234567890"
  } else {
      # Any other violation: rewrite the URI and send the request to another pool
      log local0. "violation=[lindex $x 0]"
      log local0. "Decided to route it to a different pool"
      HTTP::uri /index.php
      pool phpauction
  }
}
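
Since the note above says ASM_REQUEST_DONE replaces this event, here is the same violation logging written for that event. This is an added example, not part of the original page or F5's own code; it assumes the 11.5+ commands ASM::violation, ASM::support_id, ASM::severity, ASM::client_ip and ASM::status, and that ASM::status reports "blocked" for a blocked request.

```tcl
# Added example (not from the original page): violation logging on the
# replacement event, using per-field commands instead of list indexes.
when ASM_REQUEST_DONE {
    # Assumption: this event is raised when ASM has finished processing a
    # request, so requests without violations are skipped explicitly.
    set names [ASM::violation names]
    if { [llength $names] == 0 } {
        return
    }

    # One key=value line per request keeps the record easy to parse and
    # to correlate with the ASM event log through support_id.
    set status [ASM::status]
    set line "support_id=[ASM::support_id]"
    append line " request_status=$status"
    append line " severity=[ASM::severity]"
    append line " source_ip=[ASM::client_ip]"
    append line " violations=[join $names ,]"
    append line " attack_types=[join [ASM::violation attack_types] ,]"

    # Raise the syslog level for blocked requests so they stand out.
    if { $status eq "blocked" } {
        log local0.warning $line
    } else {
        log local0.info $line
    }

    # Same evasion check as the example above; a request can carry several
    # violations, so search the list rather than comparing one element.
    if { [lsearch -exact $names "VIOLATION_EVASION_DETECTED"] >= 0 } {
        log local0.warning "VIOLATION_EVASION_DETECTED detected, uri=[HTTP::uri]"
    }
}
```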