Forum Discussion
Mike_Maher
Mar 08, 2013 (Nimbostratus)
So I think something like this would work:
when ASM_REQUEST_VIOLATION {
    # ASM::violation_data returns a 7-element list in this order:
    # violation, support_id, web_application, severity, source_ip,
    # attack_type, request_status
    set x [ASM::violation_data]
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
            0 { log local0. "violation=[lindex $x $i]" }
            1 { log local0. "support_id=[lindex $x $i]" }
            2 { log local0. "web_application=[lindex $x $i]" }
            3 { log local0. "severity=[lindex $x $i]" }
            4 { log local0. "source_ip=[lindex $x $i]" }
            5 { log local0. "attack_type=[lindex $x $i]" }
            6 { log local0. "request_status=[lindex $x $i]" }
        }
    }
    # Send the request to pool1 when an evasion technique was detected
    # and the client is the one address of interest. The client address
    # is compared directly: whereis returns geolocation fields, not an IP.
    if { ([lindex $x 0] contains "VIOLATION_EVASION_DETECTED") and ([IP::client_addr] equals "1.2.3.4") } {
        pool pool1
    }
}
However, what evasion technique is this request falling under? Is it the Multiple Decodings violation? If so, I see that a lot, and I normally just change the level from 2 to 3, as I don't really see that as a significant increase in risk to the application. My understanding of ASM is that it will decode the request anyway to see if there is an attack hiding behind obfuscation.
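To make the "Multiple Decodings" question concrete, here is an added example (not code from the post above and not F5's own implementation) that shows what the decoding-pass count actually measures. It repeatedly percent-decodes a parameter value until it stops changing, reports how many passes that took, and then runs a toy SQL injection signature over the fully decoded value. The sample values, the signature regex, and the rule that the evasion fires when the pass count exceeds the configured maximum are all constructed assumptions for illustration; ASM's real normalization engine and signature set are not reproduced here.

```python
import re
import urllib.parse
from typing import Dict, Tuple

# Constructed sample parameter values (not taken from the original post).
# "double" and "triple" carry the same payload behind extra encoding layers.
SAMPLE_VALUES = {
    "plain":  "id=1",
    "single": "id=1%27%20OR%201%3D1",
    "double": "id=1%2527%2520OR%25201%253D1",
    "triple": "id=1%252527",
}

# Toy signature standing in for a WAF attack signature (assumption).
SQLI_SIGNATURE = re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)


def count_decoding_passes(value: str, limit: int = 10) -> Tuple[str, int]:
    """Percent-decode repeatedly until a fixed point is reached.

    Returns (fully decoded value, number of passes that changed the value).
    `limit` is only a safety guard; decoding shrinks the string, so it
    terminates on its own.
    """
    current = value
    passes = 0
    for _ in range(limit):
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current = decoded
        passes += 1
    return current, passes


def evaluate(value: str, max_decoding_passes: int = 2) -> Dict[str, object]:
    """Mimic the two separate checks a WAF performs on one value.

    `multiple_decodings` models the evasion-technique check: it fires when
    more passes than the configured maximum were needed (boundary rule is
    an assumption). `signature_hit` is evaluated on the fully decoded value
    regardless, which is why raising the pass limit does not by itself hide
    an encoded attack from signature matching.
    """
    decoded, passes = count_decoding_passes(value)
    return {
        "decoded": decoded,
        "passes": passes,
        "multiple_decodings": passes > max_decoding_passes,
        "signature_hit": SQLI_SIGNATURE.search(decoded) is not None,
    }


if __name__ == "__main__":
    for level in (2, 3):
        print(f"--- max decoding passes = {level} ---")
        for name, raw in SAMPLE_VALUES.items():
            result = evaluate(raw, level)
            print(f"{name:7s} passes={result['passes']} "
                  f"evasion={result['multiple_decodings']} "
                  f"signature={result['signature_hit']} "
                  f"decoded={result['decoded']!r}")
```

Running it at level 2 and then level 3 shows the trade-off the post describes: the triple-encoded value stops raising the evasion violation once the maximum is raised to 3, while the double-encoded `' OR 1=1` is still caught by the signature after full decoding at either level. The evasion check therefore flags suspicious encoding depth on its own, separately from whether the decoded content matches an attack.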