Joachim_Roessne
Feb 28, 2014

HTTP::header in ASM_REQUEST_BLOCKING or ASM_REQUEST_VIOLATION

Hi,

When I try to insert an HTTP::header command in ASM_REQUEST_BLOCKING or ASM_REQUEST_VIOLATION, I get an error message:
Illegal argument. Can't execute in the current context.

For example
HTTP::header remove Content-Length

This should work as described in the iRules wiki ASM_REQUEST_BLOCKING. Also HTTP::redirect doesn't work.

Any ideas? ASM-Version: BIG-IP 11.4.1 Build 635.0 Hotfix HF2

Thanks, Joachim

4 Replies

  • What sort of rules do you have defined in the Local Traffic policy for this application? Can you post the iRule and perhaps the LT policy configuration?
  • Yes, please provide the full information. You do have ASM iRule triggering turned on for the ASM policy?
  • Hi,

    The LT policy is done by someone else. Here is the rule that is linked in the policy, if this is what you mean.

    Trigger ASM iRule Event in the ASM is turned on and active. My iRule is pretty much the same as in the example.

    when ASM_REQUEST_BLOCKING {
    
      set x [ASM::violation_data]
    
      for {set i 0} { $i < 7 } {incr i} {
          switch $i {
          0         { log local0. "violation=[lindex $x $i]" }
          1         { log local0. "support_id=[lindex $x $i]" }
          2         { log local0. "web_application=[lindex $x $i]" }
          3         { log local0. "severity=[lindex $x $i]" }
          4         { log local0. "source_ip=[lindex $x $i]" }
          5         { log local0. "attack_type=[lindex $x $i]" }
          6         { log local0. "request_status=[lindex $x $i]" }
    
       }}
    
       if {([lindex $x 0] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED")} {
          log local0. "VIOLATION_ATTACK_SIGNATURE_DETECTED detected, let's customized reject page"
          HTTP::header remove Content-Length
          HTTP::header insert header_1 value_1
    
          set response "Apology PageWe are sorry,\
             but the site you are looking for is temporarily out of service\
             If you feel you have reached this page in error, please try again."
    
          ASM::payload replace 0 [ASM::payload length] ""
          ASM::payload replace 0 0 $response
       }   
    }
    

    Hope this helps. THX

  • Have a similar TMOS version, using 11.4.1 without hotfix, but see the same thing happening.

    When I modify the iRule like this, it does what I would expect to happen. Is that enough for you?

    when ASM_REQUEST_BLOCKING { 
    
      set x [ASM::violation_data]
    
      for {set i 0} { $i < 7 } {incr i} {
          switch $i {
          0         { log local0. "violation=[lindex $x $i]" }
          1         { log local0. "support_id=[lindex $x $i]" }
          2         { log local0. "web_application=[lindex $x $i]" }
          3         { log local0. "severity=[lindex $x $i]" }
          4         { log local0. "source_ip=[lindex $x $i]" }
          5         { log local0. "attack_type=[lindex $x $i]" }
          6         { log local0. "request_status=[lindex $x $i]" }
    
       }}
    
       if {([lindex $x 0] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED")} {
          log local0. "VIOLATION_ATTACK_SIGNATURE_DETECTED detected, let's customized reject page"
    
          set response "We are sorry,\
             but the site you are looking for is temporarily out of service\
             If you feel you have reached this page in error, please try again."
    
          # remove the current ASM payload
          ASM::payload replace 0 [ASM::payload length] ""
          # insert the new payload
          ASM::payload replace 0 0 $response
          # set new payload length
          set asm_payload_length [ASM::payload length]
    
       }   
    }
    
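    when HTTP_RESPONSE_RELEASE {
    
      # asm_payload_length is only set when ASM_REQUEST_BLOCKING ran on this connection
      if {[info exists asm_payload_length] && $asm_payload_length > 0} {
        HTTP::header remove Content-Length
        HTTP::header insert Content-Length $asm_payload_length
        # clear it so later responses on the same connection keep their own Content-Length
        unset asm_payload_length
      }
    }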
    

    The reason? Perhaps it never worked, or F5 stopped allowing this from 10 to 11, or when they added the HTTP_RESPONSE_RELEASE / HTTP_REQUEST_RELEASE. The iRule is a bit odd anyway; this line seems very redundant: HTTP::header insert header_1 value_1.

    It seems that with 11.5 a new event is introduced, ASM_REQUEST_DONE, that can be used in all cases and might support HTTP::header again. Will have a look once I got 11.5 installed.

    If you can confirm the above works for you, I'll try to update the wiki.