ASM_REQUEST_VIOLATION¶
Description¶
Triggered when ASM detects that a request violates an ASM security
policy.
Note: This event, while still working in 11.5, is deprecated. It
has been replaced by ASM_REQUEST_DONE.
Examples¶
This example logs the received violation data. It also modifies the
headers and payload of the request in case of evasion violation (a
clientside violation) else it redirects the request to another
destination.
when ASM_REQUEST_VIOLATION
{
set x [ASM::violation_data]
for {set i 0} { $i < 7 } {incr i} {
switch $i {
0 { log local0. "violation=[lindex $x $i]" }
1 { log local0. "support_id=[lindex $x $i]" }
2 { log local0. "web_application=[lindex $x $i]" }
3 { log local0. "severity=[lindex $x $i]" }
4 { log local0. "source_ip=[lindex $x $i]" }
5 { log local0. "attack_type=[lindex $x $i]" }
6 { log local0. "request_status=[lindex $x $i]" }
}}
if {([lindex $x 0] contains "VIOLATION_EVASION_DETECTED")}
{
log local0. "VIOLATION_EVASION_DETECTED detected, uri=[HTTP::uri]"
HTTP::header insert header_1 value_1
ASM::payload replace 0 0 "1234567890"
} else {
log local0. "violation=[lindex $x 0]"
log local0. "Decided to route is to different pool"
HTTP::uri /index.php
pool phpauction
}
}