ltm rule command ASM violation data
iRule(1) BIG-IP TMSH Manual iRule(1)
ASM::violation_data
This command exposes violation data using a multiple buffers instance.
SYNOPSIS
ASM::violation_data
DESCRIPTION
This command exposes violation data using a multiple buffers instance.
Note: Starting with version 11.5.0 this command is deprecated and replaced
by ASM::violation, ASM::support_id, ASM::severity and ASM::client_ip,
which have more convenient syntax and enhanced options. It is kept for
backward compatibility.
#Position  Field            Description
0          Violation        String that contains a comma-separated list of violations; see the request-side and response-side violation tables below for value options
1          support_id       Unique ID given to a transaction
2          web_application  ASM web application name
3          Severity         The most critical severity of all the transaction violations; possible values: Emergency, Alert, Critical, Error, Warning, Notice and Informational
4          source_ip        Client IP (if the trust XFF option is enabled on the policy, this is the XFF IP)
5          attack_type      String that contains a comma-separated list of attack types; see the attack-type table below for value options
6          request_status   Can be "blocked" or "alarmed"
Request Side Violations Table
Violation Name Description
VIOLATION_EVASION_DETECTED Evasion technique detected
VIOLATION_REQUEST_TOO_LONG Request length exceeds defined buffer size
VIOLATION_ILLEGAL_INGRESS_OBJECT Login URL bypassed
VIOLATION_PARSER_EXPIRED_INGRESS_OBJECT Login URL expired
VIOLATION_RESPONSE_SCRUBBING Response scrubbing
VIOLATION_ILLEGAL_SOAP_ATTACHMENT Illegal attachment in SOAP message
VIOLATION_MISSING_MANDATORY_HEADER Mandatory HTTP header is missing
VIOLATION_HTTP_SANITY_CHECK_FAILED HTTP protocol compliance failed
VIOLATION_CHAR_CONV Failed to convert character
VIOLATION_MALFORMED_XML Malformed XML data
VIOLATION_XML_WSDL XML data does not comply with schema or WSDL document
VIOLATION_XML_FORMAT_SETTING XML data does not comply with format settings
VIOLATION_PARSER_FAILED_SOAP_SECURITY Soap security parser failed
VIOLATION_SOAP_METHOD_NOT_ALLOWED SOAP method not allowed
VIOLATION_BRUTE_FORCE_ATTACK_DETECTED Maximum login attempts are exceeded
VIOLATION_WEB_SCRAPING_DETECTED Web scraping detection
VIOLATION_OBJ_LEN Illegal URL length
VIOLATION_COOKIE_LEN Illegal cookie length
VIOLATION_REQ_LEN Illegal request length
VIOLATION_QS_LEN Illegal query string length
VIOLATION_POST_DATA_LEN Illegal POST data length
VIOLATION_MULTI_PART_PARAM_VAL Null in multi-part parameter value
VIOLATION_HEADER_LEN Illegal header length
VIOLATION_METACHAR_IN_OBJ Illegal meta character in URL
VIOLATION_METACHAR_IN_PARAM_NAME Illegal meta character in parameter name
VIOLATION_METACHAR_IN_DEF_PARAM Illegal meta character in parameter value
VIOLATION_OBJ_TYPE Illegal file type
VIOLATION_OBJ_DOESNT_EXIST Non-existent URL
VIOLATION_FLOW_TO_OBJ Illegal flow to URL
VIOLATION_ILLEGAL_METHOD Illegal method
VIOLATION_SESSSION_ID_IN_URL Illegal session ID in URL
VIOLATION_QS_OR_POST_DATA Illegal query string or POST data
VIOLATION_PARAM Illegal parameter
VIOLATION_EMPTY_PARAM_VALUE Illegal empty parameter value
VIOLATION_STATIC_PARAM_VALUE Illegal static parameter value
VIOLATION_DYN_PARAM_VALUE Illegal dynamic parameter value
VIOLATION_PARAM_VALUE_LEN Illegal parameter value length
VIOLATION_PARAM_DATA_TYPE Illegal parameter data type
VIOLATION_PARAM_NUMERIC_VALUE Illegal parameter numeric value
VIOLATION_ATTACK_SIGNATURE_DETECTED Attack signature detected
VIOLATION_NUM_OF_MANDATORY_PARAMS Illegal number of mandatory parameters
VIOLATION_PARAM_VALUE_NOT_MATCHING_REGEX Parameter value does not comply with regular expression
VIOLATION_MOD_ASM_COOKIE Modified ASM cookie
VIOLATION_MOD_DOMAIN_COOKIE Modified domain cookie(s)
VIOLATION_NOT_RFC_COOKIE Cookie not RFC-compliant
VIOLATION_ENTRY_POINT Illegal entry point
VIOLATION_MSG_KEY ASM cookie hijacking
VIOLATION_EXPIRED_TIMESTAMP Expired timestamp
VIOLATION_METACHAR_IN_HEADER Illegal meta character in header
VIOLATION_HTTP_STATUS_IN_RESPONSE Illegal response http status code
VIOLATION_DOS_ATTACK_STARTED DoS attack detected
Response Side Violations Table
Violation Name Description
VIOLATION_RESPONSE_SCRUBBING Information leakage detected
VIOLATION_HTTP_STATUS_IN_RESPONSE Illegal HTTP status in response
VIOLATION_ATTACK_SIGNATURE_DETECTED Attack signature detected
VIOLATION_DOS_ATTACK_STARTED DoS attack detected
Attack-Type Table
The attack_type field can have the following values
Attack-Type Name Description
ATTACK_TYPE_REMOTE_FILE_INCLUDE Remote File Include
ATTACK_TYPE_NON_BROWSER_CLIENT Non-browser client
ATTACK_TYPE_OTHER_APPLICATION_ATTACKS Other Application Attacks
ATTACK_TYPE_TROJAN_BACKDOOR_SPYWARE Trojan/Backdoor/Spyware
ATTACK_TYPE_DETECTION_EVASION Detection Evasion
ATTACK_TYPE_VULNERABILITY_SCAN Vulnerability Scan
ATTACK_TYPE_ABUSE_OF_FUNCTIONALITY Abuse of Functionality
ATTACK_TYPE_AUTHENTICATION_AUTHORIZATION_ATTACKS Authentication/Authorization Attacks
ATTACK_TYPE_BUFFER_OVERFLOW Buffer Overflow
ATTACK_TYPE_PREDICTABLE_RESOURCE_LOCATION Predictable Resource Location
ATTACK_TYPE_INFORMATION_LEAKAGE Information Leakage
ATTACK_TYPE_DIRECTORY_INDEXING Directory Indexing
ATTACK_TYPE_PATH_TRAVERSAL Path Traversal
ATTACK_TYPE_XPATH_INJECTION XPath
ATTACK_TYPE_LDAP_INJECTION LDAP Injection
ATTACK_TYPE_SERVER_SIDE_CODE_INJECTION Server Side Code Injection
ATTACK_TYPE_COMMAND_EXECUTION Command Execution
ATTACK_TYPE_SQL_INJECTION SQL-Injection
ATTACK_TYPE_CROSS_SITE_SCRIPTING Cross Site Scripting (XSS)
ATTACK_TYPE_DENIAL_OF_SERVICE Denial of Service
ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY Other Application Activity
ATTACK_TYPE_HTTP_PARSER_ATTACK HTTP Parser Attack
ATTACK_TYPE_HTTP_REQUEST_SMUGGLING_ATTACK Request smuggling attack
ATTACK_TYPE_FORCEFUL_BROWSING Forceful Browsing
ATTACK_TYPE_BRUTE_FORCE_ATTACK Brute Force Attack
ATTACK_TYPE_INJECTION_ATTEMPT Injection Attempt
ATTACK_TYPE_PARAMETER_TAMPERING Parameter Tampering
ATTACK_TYPE_XML_PARSER_ATTACK XML Parser Attack
ATTACK_TYPE_SESSION_HIJACKING Session Hijacking
ATTACK_TYPE_HTTP_RESPONSE_SPLITTING_ATTACK HTTP response splitting attack
ATTACK_TYPE_WEB_SCRAPING Web scraping
ATTACK_TYPE_DOS_ATTACK_STARTED DoS attack started
ATTACK_TYPE_MALICIOUS_FILE_UPLOAD Virus upload
Syntax
ASM::violation_data
* Returns the list of violation data (positions 0-6 as described above)
RETURN VALUE
VALID DURING
ASM_REQUEST_BLOCKING, ASM_REQUEST_VIOLATION, ASM_RESPONSE_VIOLATION
EXAMPLES
# Log every element of the violation data list (positions 0-6).
when ASM_REQUEST_VIOLATION {
    set x [ASM::violation_data]
    foreach i $x {
        log local0. "i=$i"
    }
}

# Log each positional field under its name, then act on the violation.
when ASM_REQUEST_VIOLATION {
    set x [ASM::violation_data]
    # The two lists are walked in parallel: one field name per list element.
    foreach name {violation support_id web_application severity source_ip attack_type request_status} value $x {
        log local0. "$name=$value"
    }
    # Position 0 is the comma-separated violation list.
    if { [lindex $x 0] contains "VIOLATION_EVASION_DETECTED" } {
        log local0. "VIOLATION_EVASION_DETECTED detected, uri=[HTTP::uri]"
        log local0. "Decided to sanitize headers"
        HTTP::header sanitize
        HTTP::header insert header_1 value_1
        ASM::payload replace 0 0 "1234567890"
    } else {
        log local0. "violation=[lindex $x 0]"
        log local0. "Decided to route to a different pool"
        HTTP::uri /index.php
        pool phpauction
    }
}
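The "name=value" lines the second iRule example writes to local0 are usually read off-box. This added example (not F5 code; the log lines are constructed, including the support_id, policy name and client address) rebuilds one violation_data record from those lines, splits the two comma-separated fields, ranks the severity in the manual's order and flags transactions the policy only alarmed on:

```python
"""Rebuild one ASM::violation_data record from the name=value lines that the
manual's second iRule example logs to local0."""

# Field names in the positional order ASM::violation_data returns them.
FIELDS = ("violation", "support_id", "web_application", "severity",
          "source_ip", "attack_type", "request_status")

# Severity words in the manual's order, most critical first.
SEVERITY_ORDER = ("Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational")

# Constructed sample: a syslog-style prefix plus the "name=value" messages
# the example iRule logs for one transaction (not captured from a BIG-IP).
PREFIX = ("Jan 31 10:15:02 bigip1 info tmm[1203]: "
          "Rule /Common/asm_log <ASM_REQUEST_VIOLATION>: ")
SAMPLE_LOG = [PREFIX + m for m in (
    "violation=VIOLATION_ATTACK_SIGNATURE_DETECTED,VIOLATION_ILLEGAL_METHOD",
    "support_id=1234567890123456789",
    "web_application=/Common/phpauction_policy",
    "severity=Critical",
    "source_ip=203.0.113.7",   # the XFF address if the policy trusts XFF
    "attack_type=ATTACK_TYPE_SQL_INJECTION",
    "request_status=alarmed",
)]

def parse_log_lines(lines):
    """Group the name=value lines of one transaction into a dict; the two
    comma-separated fields (positions 0 and 5) become lists."""
    record = {}
    for line in lines:
        # Everything after the last ": " is the iRule's own log message.
        name, sep, value = line.rsplit(": ", 1)[-1].strip().partition("=")
        if sep and name in FIELDS:
            record[name] = value
    missing = [f for f in FIELDS if f not in record]
    if missing:
        raise ValueError("incomplete record, missing: " + ", ".join(missing))
    for list_field in ("violation", "attack_type"):
        record[list_field] = [v for v in record[list_field].split(",") if v]
    return record

def severity_rank(severity):
    """0 = Emergency ... 6 = Informational; unrecognised words rank last."""
    return (SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER
            else len(SEVERITY_ORDER))

def needs_review(record, max_rank=2):
    """True when the policy only alarmed (not blocked) at Critical or worse."""
    return (record["request_status"] == "alarmed"
            and severity_rank(record["severity"]) <= max_rank)
```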
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-10.1.0 --First introduced the command.
BIG-IP 2017-01-31 iRule(1)