ltm rule event ASM REQUEST BLOCKING
iRule(1) BIG-IP TMSH Manual iRule(1)
ASM_REQUEST_BLOCKING
Triggered when ASM is generating the reject-response and gives the
iRule a chance to modify that reject-response before it is sent.
DESCRIPTION
This event is triggered when ASM is generating the reject-response and
gives the iRule a chance to modify that reject-response before it is
sent.
Examples
This example modifies the ASM reject page when the evasion detected(a client side violation) is triggered by ASM.
when ASM_REQUEST_BLOCKING
{
set x [ASM::violation_data]
#marker bit to handle header change
set activeViolation 1
for {set i 0} { $i < 7 } {incr i} {
switch $i {
0 { log local0. "violation=[lindex $x $i]" }
1 { log local0. "support_id=[lindex $x $i]" }
2 { log local0. "web_application=[lindex $x $i]" }
3 { log local0. "severity=[lindex $x $i]" }
4 { log local0. "source_ip=[lindex $x $i]" }
5 { log local0. "attack_type=[lindex $x $i]" }
6 { log local0. "request_status=[lindex $x $i]" }
}}
if {([lindex $x 0] contains "VIOLATION_EVASION_DETECTED")}
{
log local0. "VIOLATION_EVASION_DETECTED detected, let's customized reject page"
#this really does not work like this
#HTTP::header remove Content-Length
#HTTP::header insert header_1 value_1
set response "Apology PageWe are sorry,\
but the site you are looking for is temporarily out of service\
If you feel you have reached this page in error, please try again."
ASM::payload replace 0 [ASM::payload length] ""
ASM::payload replace 0 0 $response
}
}
when HTTP_RESPONSE_RELEASE {
#catch for error if variable does not exist (no previous event ASM_REQUEST_BLOCKING)
catch {
#do only if previous was event ASM_REQUEST_BLOCKING
if { $activeViolation } {
#modify respose header
HTTP::header remove Content-Length
HTTP::header insert header_1 value_1
}
}
}
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-10.1.0 --First introduced the event.
BIG-IP 2017-01-31 iRule(1)