ltm rule event ASM REQUEST VIOLATION
iRule(1) BIG-IP TMSH Manual iRule(1)
ASM_REQUEST_VIOLATION
DESCRIPTION
Triggered when ASM detects that a request violates an ASM security policy.
Examples
This example logs the received violation data. If the violation is an evasion violation (a clientside violation), it also modifies the headers and payload of the request; otherwise it redirects the request to another destination.
    when ASM_REQUEST_VIOLATION {
        # ASM::violation_data returns a list; elements 0-6 are logged below
        set x [ASM::violation_data]
        for {set i 0} {$i < 7} {incr i} {
            switch $i {
                0 { log local0. "violation=[lindex $x $i]" }
                1 { log local0. "support_id=[lindex $x $i]" }
                2 { log local0. "web_application=[lindex $x $i]" }
                3 { log local0. "severity=[lindex $x $i]" }
                4 { log local0. "source_ip=[lindex $x $i]" }
                5 { log local0. "attack_type=[lindex $x $i]" }
                6 { log local0. "request_status=[lindex $x $i]" }
            }
        }
        # Tcl requires the opening brace on the same line as the command
        if {[lindex $x 0] contains "VIOLATION_EVASION_DETECTED"} {
            # Evasion violation: modify the request headers and payload
            log local0. "VIOLATION_EVASION_DETECTED detected, uri=[HTTP::uri]"
            HTTP::header insert header_1 value_1
            ASM::payload replace 0 0 "1234567890"
        } else {
            # Any other violation: rewrite the URI and send to another pool
            log local0. "violation=[lindex $x 0]"
            log local0. "Decided to route it to a different pool"
            HTTP::uri /index.php
            pool phpauction
        }
    }
HINTS
Note: This event, while still working in 11.5, is deprecated. It has been replaced by ASM_REQUEST_DONE.
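The same violation logging written for ASM_REQUEST_DONE, as an added example that is not part of the original manual page. It assumes the ASM::violation, ASM::support_id, ASM::severity, ASM::client_ip and ASM::status commands of BIG-IP 11.5.0 and later, none of which appear on this page, and it leaves out the header, payload and pool changes of the example above.

```tcl
when ASM_REQUEST_DONE {
    # Assumed command (not on this page): list of violation names
    # that ASM recorded for this request
    set names [ASM::violation names]

    # Nothing to report for a request without violations
    if { [llength $names] == 0 } {
        return
    }

    # A single log line per request keeps the fields of one transaction
    # together, instead of seven separate lines that can interleave
    # with lines from other requests.
    # ASM::support_id, ASM::severity, ASM::client_ip and ASM::status are
    # assumed commands as well.
    log local0. "violations=$names support_id=[ASM::support_id]\
        severity=[ASM::severity] source_ip=[ASM::client_ip]\
        attack_types=[ASM::violation attack_types]\
        request_status=[ASM::status]"

    # Same evasion check as the original example, made as an exact
    # match against the list of names rather than a substring test
    if { [lsearch -exact $names "VIOLATION_EVASION_DETECTED"] >= 0 } {
        log local0. "VIOLATION_EVASION_DETECTED detected, uri=[HTTP::uri]"
    }
}
```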
SEE ALSO
CHANGE LOG
@BIGIP-10.1.0 --First introduced the event.
@BIGIP-11.5.0 --Deprecated - Please use ASM_REQUEST_DONE
BIG-IP 2022-04-12 iRule(1)