ASM::violation_data

Description

This command exposes the fields below through a multiple-buffers instance (a list indexed by position).
Note: Starting with version 11.5.0 this command is superseded by ASM::violation, ASM::support_id, ASM::severity and ASM::client_ip, which have more convenient syntax and enhanced options; it is kept for backward compatibility.
Position  Field            Description
0         violation        String containing a comma-separated list of violations; see the request-side and response-side violation tables below for the possible values
1         support_id       Unique ID given to the transaction
2         web_application  ASM web application name
3         severity         The most critical severity among all of the transaction's violations; possible values: Emergency, Alert, Critical, Error, Warning, Notice and Informational
4         source_ip        Client IP (if the "trust XFF" option is enabled on the policy, this is the XFF IP)
5         attack_type      String containing a comma-separated list of attack types; see the attack-type table below for the possible values
6         request_status   Can be "blocked" or "alarmed"

Request Side Violations Table

Violation Name Description
VIOLATION_EVASION_DETECTED Evasion technique detected
VIOLATION_REQUEST_TOO_LONG Request length exceeds defined buffer size
VIOLATION_ILLEGAL_INGRESS_OBJECT Login URL bypassed
VIOLATION_ILLEGAL_GEOLOCATION Access from disallowed Geolocation
VIOLATION_PARSER_EXPIRED_INGRESS_OBJECT Login URL expired
VIOLATION_RESPONSE_SCRUBBING Response scrubbing
VIOLATION_ILLEGAL_SOAP_ATTACHMENT Illegal attachment in SOAP message
VIOLATION_MISSING_MANDATORY_HEADER Mandatory HTTP header is missing
VIOLATION_HTTP_SANITY_CHECK_FAILED HTTP protocol compliance failed
VIOLATION_CHAR_CONV Failed to convert character
VIOLATION_MALFORMED_XML Malformed XML data
VIOLATION_XML_WSDL XML data does not comply with schema or WSDL document
VIOLATION_XML_FORMAT_SETTING XML data does not comply with format settings
VIOLATION_PARSER_FAILED_SOAP_SECURITY SOAP security parser failed
VIOLATION_SOAP_METHOD_NOT_ALLOWED SOAP method not allowed
VIOLATION_BRUTE_FORCE_ATTACK_DETECTED Maximum login attempts exceeded
VIOLATION_WEB_SCRAPING_DETECTED Web scraping detected
VIOLATION_OBJ_LEN Illegal URL length
VIOLATION_COOKIE_LEN Illegal cookie length
VIOLATION_REQ_LEN Illegal request length
VIOLATION_QS_LEN Illegal query string length
VIOLATION_POST_DATA_LEN Illegal POST data length
VIOLATION_MULTI_PART_PARAM_VAL Null in multi-part parameter value
VIOLATION_HEADER_LEN Illegal header length
VIOLATION_METACHAR_IN_OBJ Illegal meta character in URL
VIOLATION_METACHAR_IN_PARAM_NAME Illegal meta character in parameter name
VIOLATION_METACHAR_IN_DEF_PARAM Illegal meta character in parameter value
VIOLATION_OBJ_TYPE Illegal file type
VIOLATION_OBJ_DOESNT_EXIST Non-existent URL
VIOLATION_FLOW_TO_OBJ Illegal flow to URL
VIOLATION_ILLEGAL_METHOD Illegal method
VIOLATION_SESSSION_ID_IN_URL Illegal session ID in URL
VIOLATION_QS_OR_POST_DATA Illegal query string or POST data
VIOLATION_PARAM Illegal parameter
VIOLATION_EMPTY_PARAM_VALUE Illegal empty parameter value
VIOLATION_STATIC_PARAM_VALUE Illegal static parameter value
VIOLATION_DYN_PARAM_VALUE Illegal dynamic parameter value
VIOLATION_PARAM_VALUE_LEN Illegal parameter value length
VIOLATION_PARAM_DATA_TYPE Illegal parameter data type
VIOLATION_PARAM_NUMERIC_VALUE Illegal parameter numeric value
VIOLATION_ATTACK_SIGNATURE_DETECTED Attack signature detected
VIOLATION_NUM_OF_MANDATORY_PARAMS Illegal number of mandatory parameters
VIOLATION_PARAM_VALUE_NOT_MATCHING_REGEX Parameter value does not comply with regular expression
VIOLATION_MOD_ASM_COOKIE Modified ASM cookie
VIOLATION_MOD_DOMAIN_COOKIE Modified domain cookie(s)
VIOLATION_NOT_RFC_COOKIE Cookie not RFC-compliant
VIOLATION_ENTRY_POINT Illegal entry point
VIOLATION_MSG_KEY ASM cookie hijacking
VIOLATION_EXPIRED_TIMESTAMP Expired timestamp
VIOLATION_METACHAR_IN_HEADER Illegal meta character in header
VIOLATION_HTTP_STATUS_IN_RESPONSE Illegal HTTP status code in response
VIOLATION_DOS_ATTACK_STARTED DoS attack detected

Response Side Violations Table

Violation Name Description
VIOLATION_RESPONSE_SCRUBBING Information leakage detected
VIOLATION_HTTP_STATUS_IN_RESPONSE Illegal HTTP status in response
VIOLATION_ATTACK_SIGNATURE_DETECTED Attack signature detected
VIOLATION_DOS_ATTACK_STARTED DoS attack detected

Attack-Type Table

The attack_type field can contain the following values:
Attack-Type Name Description
ATTACK_TYPE_REMOTE_FILE_INCLUDE Remote File Include
ATTACK_TYPE_NON_BROWSER_CLIENT Non-browser client
ATTACK_TYPE_OTHER_APPLICATION_ATTACKS Other Application Attacks
ATTACK_TYPE_TROJAN_BACKDOOR_SPYWARE Trojan/Backdoor/Spyware
ATTACK_TYPE_DETECTION_EVASION Detection Evasion
ATTACK_TYPE_VULNERABILITY_SCAN Vulnerability Scan
ATTACK_TYPE_ABUSE_OF_FUNCTIONALITY Abuse of Functionality
ATTACK_TYPE_AUTHENTICATION_AUTHORIZATION_ATTACKS Authentication/Authorization Attacks
ATTACK_TYPE_BUFFER_OVERFLOW Buffer Overflow
ATTACK_TYPE_PREDICTABLE_RESOURCE_LOCATION Predictable Resource Location
ATTACK_TYPE_INFORMATION_LEAKAGE Information Leakage
ATTACK_TYPE_DIRECTORY_INDEXING Directory Indexing
ATTACK_TYPE_PATH_TRAVERSAL Path Traversal
ATTACK_TYPE_XPATH_INJECTION XPath
ATTACK_TYPE_LDAP_INJECTION LDAP Injection
ATTACK_TYPE_SERVER_SIDE_CODE_INJECTION Server Side Code Injection
ATTACK_TYPE_COMMAND_EXECUTION Command Execution
ATTACK_TYPE_SQL_INJECTION SQL Injection
ATTACK_TYPE_CROSS_SITE_SCRIPTING Cross Site Scripting (XSS)
ATTACK_TYPE_DENIAL_OF_SERVICE Denial of Service
ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY Other Application Activity
ATTACK_TYPE_HTTP_PARSER_ATTACK HTTP Parser Attack
ATTACK_TYPE_HTTP_REQUEST_SMUGGLING_ATTACK HTTP Request Smuggling Attack
ATTACK_TYPE_FORCEFUL_BROWSING Forceful Browsing
ATTACK_TYPE_BRUTE_FORCE_ATTACK Brute Force Attack
ATTACK_TYPE_INJECTION_ATTEMPT Injection Attempt
ATTACK_TYPE_PARAMETER_TAMPERING Parameter Tampering
ATTACK_TYPE_XML_PARSER_ATTACK XML Parser Attack
ATTACK_TYPE_SESSION_HIJACKING Session Hijacking
ATTACK_TYPE_HTTP_RESPONSE_SPLITTING_ATTACK HTTP Response Splitting Attack
ATTACK_TYPE_WEB_SCRAPING Web Scraping
ATTACK_TYPE_DOS_ATTACK_STARTED DoS Attack Started
ATTACK_TYPE_MALICIOUS_FILE_UPLOAD Virus upload

Syntax

ASM::violation_data

  • Returns the violation data as a list of the seven positional fields described above

Examples

when ASM_REQUEST_VIOLATION {
    # Fetch the seven positional fields and log each one
    set x [ASM::violation_data]

    foreach i $x {
        log local0. "i=$i"
    }
}

when ASM_REQUEST_VIOLATION {
    set x [ASM::violation_data]

    # Log each of the seven positional fields under its documented name
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
            0 { log local0. "violation=[lindex $x $i]" }
            1 { log local0. "support_id=[lindex $x $i]" }
            2 { log local0. "web_application=[lindex $x $i]" }
            3 { log local0. "severity=[lindex $x $i]" }
            4 { log local0. "source_ip=[lindex $x $i]" }
            5 { log local0. "attack_type=[lindex $x $i]" }
            6 { log local0. "request_status=[lindex $x $i]" }
        }
    }

    # Field 0 is the comma-separated violation list; react to a specific violation
    if { [lindex $x 0] contains "VIOLATION_EVASION_DETECTED" } {
        log local0. "VIOLATION_EVASION_DETECTED detected, uri=[HTTP::uri]"
        log local0. "Decided to sanitize headers"
        HTTP::header sanitize
        HTTP::header insert header_1 value_1
        ASM::payload replace 0 0 "1234567890"
    } else {
        log local0. "violation=[lindex $x 0]"
        log local0. "Decided to route to a different pool"
        HTTP::uri /index.php
        pool phpauction
    }
}
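The following iRule is an added example, not part of the original page: it unpacks the seven fields of ASM::violation_data into named variables, splits the comma-separated violation and attack-type lists, and emits one structured log line per violating transaction keyed by support_id so it can be correlated with ASM's own request log. The choice of syslog levels, the "asm_violation" record prefix and the separate marker for alarmed-only evasion attempts are assumptions of this example, not page specifics.

```tcl
# Added example (not from the original page): structured logging of
# ASM::violation_data. Record prefixes and log levels are this example's choices.
when ASM_REQUEST_VIOLATION {
    set vd [ASM::violation_data]

    # Positions follow the field table above (0..6)
    set support_id     [lindex $vd 1]
    set web_app        [lindex $vd 2]
    set severity       [lindex $vd 3]
    set source_ip      [lindex $vd 4]
    set request_status [lindex $vd 6]

    # Fields 0 and 5 are comma-separated strings; normalise them into Tcl lists
    set violations [list]
    foreach v [split [lindex $vd 0] ","] {
        if { [string trim $v] ne "" } { lappend violations [string trim $v] }
    }
    set attack_types [list]
    foreach a [split [lindex $vd 5] ","] {
        if { [string trim $a] ne "" } { lappend attack_types [string trim $a] }
    }

    # One key=value record per transaction; support_id lets a SIEM join this
    # line with the ASM request log entry for the same transaction
    set record "asm_violation support_id=$support_id app=\"$web_app\""
    append record " severity=$severity src=$source_ip status=$request_status"
    append record " violations=[join $violations ";"]"
    append record " attack_types=[join $attack_types ";"]"
    append record " method=[HTTP::method] uri=[HTTP::uri]"

    # Severity is already the most critical of all violations on the
    # transaction, so it is a sound basis for the syslog level
    switch -- $severity {
        "Emergency" - "Alert" - "Critical" { log local0.warn $record }
        default                             { log local0.info $record }
    }

    # "alarmed" means ASM logged but did not block; an evasion attempt in that
    # state deserves its own marker so it is easy to alert on
    if { $request_status eq "alarmed" &&
         [lsearch -exact $violations "VIOLATION_EVASION_DETECTED"] >= 0 } {
        log local0.warn "asm_evasion_not_blocked support_id=$support_id src=$source_ip"
    }
}
```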