ltm rule event ASM REQUEST VIOLATION

iRule(1)		      BIG-IP TMSH Manual		      iRule(1)



ASM_REQUEST_VIOLATION
       Triggered when ASM detects that a request violates an ASM security
       policy.

DESCRIPTION
       Triggered when ASM detects that a request violates an ASM security
       policy.

Examples
	This example logs the violation data it receives. If the violation is an evasion violation (a client-side violation), it modifies the headers and payload of the request; otherwise it redirects the request to another destination.
	when ASM_REQUEST_VIOLATION {
	  # ASM::violation_data returns a list; each element is logged under its name
	  set x [ASM::violation_data]

	  for {set i 0} { $i < 7 } {incr i} {
	      switch $i {
	      0 	{ log local0. "violation=[lindex $x $i]" }
	      1 	{ log local0. "support_id=[lindex $x $i]" }
	      2 	{ log local0. "web_application=[lindex $x $i]" }
	      3 	{ log local0. "severity=[lindex $x $i]" }
	      4 	{ log local0. "source_ip=[lindex $x $i]" }
	      5 	{ log local0. "attack_type=[lindex $x $i]" }
	      6 	{ log local0. "request_status=[lindex $x $i]" }
	      }
	  }

	  # The opening brace must stay on the same line as "when" and "if":
	  # Tcl ends a command at the newline.
	  if {[lindex $x 0] contains "VIOLATION_EVASION_DETECTED"} {
	      # Evasion violation: modify the request headers and payload
	      log local0. "VIOLATION_EVASION_DETECTED detected, uri=[HTTP::uri]"
	      HTTP::header insert header_1 value_1
	      ASM::payload replace 0 0 "1234567890"
	  } else {
	      # Any other violation: rewrite the URI and send the request to another pool
	      log local0. "violation=[lindex $x 0]"
	      log local0. "Decided to route it to a different pool"
	      HTTP::uri /index.php
	      pool phpauction
	  }
	}
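
The iRule above writes each violation as seven separate key=value log lines, so anything consuming the log has to put them back together. The following Python sketch is an added example, not part of the BIG-IP manual: it rebuilds one record per violation and counts evasion violations per source IP. The syslog line layout, the host name bigip1, the rule name /Common/asm_log and all field values are constructed assumptions.

```python
import re
from collections import Counter

# Order in which the iRule above logs the ASM::violation_data elements.
FIELDS = ["violation", "support_id", "web_application", "severity",
          "source_ip", "attack_type", "request_status"]
# Assumed layout: "<ts> <host> info tmmN[pid]: Rule <name> <EVENT>: key=value"
LINE_RE = re.compile(r"\b(tmm\d*)\[\d+\]: Rule \S+ <ASM_REQUEST_VIOLATION>: (\w+)=(.*)$")

def correlate(lines):
    """Rebuild one dict per violation from the seven per-field log lines."""
    partial, records = {}, []   # partial: tmm tag -> values collected so far
    for line in lines:
        m = LINE_RE.search(line.rstrip("\n"))
        if not m or m[2] not in FIELDS:
            continue            # "uri=" and routing messages, unrelated lines
        tmm, key, value = m.groups()
        if key == FIELDS[0]:
            # Start a record; also absorbs the extra violation= line that the
            # else branch logs, which is later overwritten or left incomplete.
            partial[tmm] = [value]
            continue
        got = partial.get(tmm)
        if got is None or key != FIELDS[len(got)]:
            partial.pop(tmm, None)   # truncated or out-of-order fragment
            continue
        got.append(value)
        if len(got) == len(FIELDS):
            records.append(dict(zip(FIELDS, got)))
            del partial[tmm]
    return records

def evasion_sources(records):
    """Count VIOLATION_EVASION_DETECTED records per source_ip."""
    return dict(Counter(r["source_ip"] for r in records
                        if "VIOLATION_EVASION_DETECTED" in r["violation"]))

def _emit(tmm, values, extra=()):
    # Constructed sample lines; host, rule name and field values are made up.
    pre = f"Jan 31 10:00:00 bigip1 info {tmm}[4242]: Rule /Common/asm_log <ASM_REQUEST_VIOLATION>: "
    return [pre + f"{k}={v}" for k, v in zip(FIELDS, values)] + [pre + e for e in extra]

A = _emit("tmm", ["VIOLATION_EVASION_DETECTED", "1001", "app1", "Error",
                  "192.0.2.10", "ATTACK_TYPE_EXAMPLE", "BLOCKED"],
          ["VIOLATION_EVASION_DETECTED detected, uri=/a"])
B = _emit("tmm1", ["VIOLATION_EXAMPLE_OTHER", "1002", "app1", "Error",
                   "198.51.100.7", "ATTACK_TYPE_EXAMPLE", "ALARMED"],
          ["violation=VIOLATION_EXAMPLE_OTHER", "Decided to route it to a different pool"])
# Interleave the two TMM instances line by line, as in a shared log file.
SAMPLE = [l for pair in zip(A, B) for l in pair] + B[len(A):]
print(evasion_sources(correlate(SAMPLE)))
```

Records are keyed by TMM instance so that lines from different instances interleaved in one file are not merged, and a fragment whose first lines are missing is dropped rather than reported as a partial record.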

HINTS
       Note: This event, while still working in 11.5, is deprecated. It has
       been replaced by ASM_REQUEST_DONE.

SEE ALSO
CHANGE LOG
       @BIGIP-10.1.0 --First introduced the event.
       @BIGIP-11.5.0 --Deprecated - Please use ASM_REQUEST_DONE



BIG-IP				  2017-01-31			      iRule(1)