Forum Discussion

2funky_105078
Feb 26, 2018

ASM: insert header when a virus is found

Hello,

I tried to configure an iRule to add an HTTP header in the POST request which uploads a file to an origin server.

This HTTP header should contain the ASM support ID only when there is a virus detected via ICAP, but it should NOT block the client request. I also configured in ASM policy "Trigger ASM iRule Events" in Normal Mode. I am using 12.1.2.

Do you have an idea?

I tried this, but the HTTP header is not inserted (although I get a log message that the virus was found):

Feb 26 17:48:38 bigip info tmm[23970]: Rule /Common/AV : VIOLATION_VIRUS_DETECTED detected, uri=/virus.php

when ASM_REQUEST_VIOLATION {
    if { [ASM::violation_data] contains "VIOLATION_VIRUS_DETECTED" } {
        log local0. "VIOLATION_VIRUS_DETECTED detected, uri=[HTTP::uri]"
        set supp_id [ASM::support_id]
    }
}

when HTTP_REQUEST_RELEASE {
    if { [info exists supp_id] } {
        HTTP::header insert X-ASM-SUPPORT-ID "VIRUS DETECTED and support ID $supp_id"
    }
}

  • HTTP::header commands are not valid in HTTP_REQUEST_RELEASE

    Change the event to HTTP_REQUEST_SEND and the context to clientside

    HTTP_REQUEST_SEND

    when HTTP_REQUEST_SEND {
        if {[info exists supp_id]} {
            clientside {
              HTTP::header insert X-ASM-SUPPORT-ID "VIRUS DETECTED and support ID $supp_id"
            }
        }
    }
    
  • Thanks for your time looking at my question. I tried but it did not work.

    Anyway, I found this and it's OK.

    when ASM_REQUEST_DONE {
        log local0.debug "\[ASM::status\] = [ASM::status]"
        if { ([ASM::status] equals "alarmed") && ([ASM::violation_data] contains "VIOLATION_VIRUS_DETECTED") } {
            set x [ASM::violation_data]
            HTTP::header insert X-ASM "violation=[lindex $x 0] supportid=[lindex $x 1]"
            log local0.debug "DEBUG02: violation=[lindex $x 0] supportid=[lindex $x 1]"
        }
    }
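
Added example, not part of the thread: a sketch of how the origin server could consume the X-ASM header written by the last iRule, so that a flagged upload is quarantined rather than stored. The function names, the quarantine/review/accept actions, the comma- or space-separated violation list and the sample support ID are assumptions made for illustration.

```python
import re

# Value format written by the ASM_REQUEST_DONE iRule in the last post:
#   violation=<names> supportid=<digits>
X_ASM_RE = re.compile(r"^violation=(?P<names>.+?) supportid=(?P<sid>\d+)$")
VIRUS = "VIOLATION_VIRUS_DETECTED"


def parse_x_asm(value):
    """Return (violation_names, support_id), or None if the value is malformed."""
    m = X_ASM_RE.match(value.strip())
    if m is None:
        return None
    # Assumption: multiple violation names are comma- or space-separated.
    names = [n for n in re.split(r"[,\s]+", m.group("names")) if n]
    return names, m.group("sid")


def upload_verdict(header_items):
    """Map raw (name, value) request headers to an action for the upload.

    Every X-ASM instance is checked: HTTP::header insert adds a header and
    leaves any same-named header that was already in the request in place.
    """
    support_ids, malformed = [], False
    for name, value in header_items:
        if name.lower() != "x-asm":
            continue
        parsed = parse_x_asm(value)
        if parsed is None:
            malformed = True
        elif VIRUS in parsed[0]:
            support_ids.append(parsed[1])
    if support_ids:
        return {"action": "quarantine", "support_ids": support_ids}
    # An X-ASM value that does not match the iRule's format is not trusted.
    return {"action": "review" if malformed else "accept", "support_ids": []}


# Constructed sample request headers (the support ID is a made-up value).
SAMPLE_HEADERS = [
    ("Host", "upload.example.com"),
    ("Content-Type", "multipart/form-data; boundary=x"),
    ("X-ASM", "violation=VIOLATION_VIRUS_DETECTED supportid=1234567890123456789"),
]

if __name__ == "__main__":
    print(upload_verdict(SAMPLE_HEADERS))
```

Logging the returned support IDs next to the stored file name lets an operator look up the matching request in the ASM event log.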