With the iRule this time.
Ended up modifying the example ASM_REQUEST_BLOCKING in the wiki to delete the rogue cookie.
when ASM_REQUEST_BLOCKING
{
set x [ASM::violation_data]
for {set i 0} { $i < 7 } {incr i} {
switch $i {
0 { log local0. "violation=[lindex $x $i]" }
1 { log local0. "support_id=[lindex $x $i]" }
2 { log local0. "web_application=[lindex $x $i]" }
3 { log local0. "severity=[lindex $x $i]" }
4 { log local0. "source_ip=[lindex $x $i]" }
5 { log local0. "attack_type=[lindex $x $i]" }
6 { log local0. "request_status=[lindex $x $i]" }
}}
if {([lindex $x 0] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED")}
{
log local0. "VIOLATION_ATTACK_SIGNATURE_DETECTED detected, let's customise the reject page"
HTTP::cookie remove ___utmvc
HTTP::header remove Content-Length
HTTP::header insert "Set-Cookie" "___utmvc=deleted; domain=.foo.bar; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT"
set response "Apology PageWe are sorry,\
but there was a problem processing your request, please try again."
ASM::payload replace 0 [ASM::payload length] ""
ASM::payload replace 0 0 $response
}
}
I just hashed out the logging but it came in handy in determining the violation.