Forum Discussion
Mike_Maher
Mar 22, 2013 (Nimbostratus)
Ok, so I have come up with a basic construct of an iRule to handle a couple of options for the Virus Detected violation. In this particular version I am removing the malicious file from the request, inserting a line in the header, and passing it to the web server so the application owner can reply with whatever they like. If someone could take a look over this and see if I am making any mistakes and if I am interpreting the ASM::payload command correctly.
You could also do away with the ASM:payload and header insert and just do a custom response here as well.
when ASM_REQUEST_BLOCKING {
    # ASM::violation_data returns a list in this fixed order:
    # violation, support_id, web_application, severity, source_ip, attack_type, request_status
    set x [ASM::violation_data]
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
            0 { log local0. "violation=[lindex $x $i]" }
            1 { log local0. "support_id=[lindex $x $i]" }
            2 { log local0. "web_application=[lindex $x $i]" }
            3 { log local0. "severity=[lindex $x $i]" }
            4 { log local0. "source_ip=[lindex $x $i]" }
            5 { log local0. "attack_type=[lindex $x $i]" }
            6 { log local0. "request_status=[lindex $x $i]" }
        }
    }
    # attack_type is element 5 of the list; element 0 is the violation name
    if { [lindex $x 5] contains "ATTACK_TYPE_MALICIOUS_FILE_UPLOAD" } {
        # Replace the whole payload with an empty string.
        # "replace 0 0" would replace zero bytes and leave the payload untouched.
        ASM::payload replace 0 [ASM::payload length] ""
        # Plain quoted string: square brackets would be treated by Tcl as a command substitution
        HTTP::header insert x-asm-violation "Virus Found"
    }
}
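The custom-response alternative mentioned in the post, written as an added example rather than code from the original post. It assumes the same ASM::violation_data list layout and that the payload available in this event can be swapped for a page of your own; the HTML body is a constructed placeholder.

```tcl
when ASM_REQUEST_BLOCKING {
    # Same list layout as in the post: index 0 = violation, index 1 = support_id,
    # index 4 = source_ip, index 5 = attack_type
    set x [ASM::violation_data]
    set support_id [lindex $x 1]

    if { [lindex $x 5] contains "ATTACK_TYPE_MALICIOUS_FILE_UPLOAD" } {
        # Constructed placeholder page. Exposing only the support ID lets the
        # application owner match a user's report to the ASM event log entry
        # without revealing which check rejected the file.
        set body "<html><body><h1>Upload rejected</h1>\
            <p>The uploaded file was rejected by a security scan.</p>\
            <p>Reference: $support_id</p></body></html>"

        # Replace the entire existing payload with the custom page
        ASM::payload replace 0 [ASM::payload length] $body
        log local0. "custom block page sent support_id=$support_id source_ip=[lindex $x 4]"
    }
}
```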