Forum Discussion
I've also done some basic testing and was able to trigger a blocking page based on the ADAPT::result value as described by Michael above, nice one Michael.
I also wanted to log info on why the ICAP request was blocked in ASM. To do this I've added an iRule to the Internal VS to capture the ICAP header that indicates the block reason. To be able to pass this variable from the internal VS iRule to the HTTP VS iRule I needed to create a session table variable. The other thing I needed was a way to make this variable unique for each request and accessible by both iRules. To do this I inserted an HTTP header at the start with a unique ID and on the ICAP server mapped this through to an ICAP Response header, therefore making it available to the Int VS iRule for setting the table name. Then when raising the violation I was able to add in the extra info.
The iRules I used are below:
HTTP VS
when HTTP_REQUEST {
    if {[HTTP::method] ne "POST"} {
        # Only POST bodies are sent to the ICAP server
        ADAPT::enable request false
    } else {
        # Per-request ID, carried to the ICAP server in a request header
        set uid [expr {int(rand()*1e9)}]
        HTTP::header insert ICAP_UID $uid
        log local0. "$uid Sending to ICAP server"
    }
}
when ADAPT_REQUEST_RESULT {
    log local0. "$uid ICAP Response is [ADAPT::result]"
    if { ([ADAPT::result] contains "respond") } {
        # Remember the verdict and let ASM produce the blocking page
        set icap_blocked 1
        ADAPT::result bypass
    } else {
        set icap_blocked 0
    }
}
when ASM_REQUEST_DONE {
    if { [info exists icap_blocked] && $icap_blocked == 1 } {
        # Violation details: a list holding one {description <reason>} pair
        set x []
        set y []
        lappend y "description" "[ table lookup $uid ]"
        lappend x $y
        log local0. "$uid Raise AV_BLOCK $x [ASM::raise AV_BLOCK $x]"
        set icap_blocked 0
        # Clean up the session table entry and the correlation header
        table delete $uid
        HTTP::header remove ICAP_UID
    }
}
Internal ICAP VS
when ICAP_RESPONSE {
    if { [ICAP::header exists X-Virus-Name] } {
        # Store the block reason under the request's unique ID
        table set [ICAP::header value ICAP_UID] [ICAP::header value X-Virus-Name]
        log local0. "Table name is [ICAP::header value ICAP_UID] value is [table lookup [ICAP::header value ICAP_UID]]"
    }
}
This allowed for the block reason details to be displayed.
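A hardened variant of the correlation in the post above, as an added example that is not part of the original post: it removes any client-supplied ICAP_UID header before inserting its own (HTTP::header insert appends rather than replaces), keeps the reasons in a subtable with a timeout, and filters the virus name before it is logged or raised. The subtable name icap_block_reason, the 30-second timeout, the UID format and the character filter are assumptions.

```tcl
# --- HTTP VS (added example, assumptions noted inline) ---
when HTTP_REQUEST {
    # A client could send its own ICAP_UID; remove it before adding ours.
    HTTP::header remove ICAP_UID
    if { [HTTP::method] ne "POST" } {
        ADAPT::enable request false
    } else {
        # Assumed key format: random part plus client address and port,
        # so two in-flight requests are less likely to share a key.
        set uid "[expr {int(rand()*1e9)}]-[IP::client_addr]-[TCP::client_port]"
        HTTP::header insert ICAP_UID $uid
    }
}
when ADAPT_REQUEST_RESULT {
    if { [ADAPT::result] contains "respond" } {
        set icap_blocked 1
        ADAPT::result bypass
    } else {
        set icap_blocked 0
    }
}
when ASM_REQUEST_DONE {
    if { [info exists icap_blocked] && $icap_blocked == 1 } {
        # icap_block_reason is a hypothetical subtable name.
        set reason [table lookup -subtable icap_block_reason $uid]
        if { $reason eq "" } { set reason "unknown" }
        # The reason comes from an ICAP header: keep only characters
        # expected in a signature name before it reaches logs and ASM.
        regsub -all {[^A-Za-z0-9._/: -]} $reason "_" reason
        set details [list [list description $reason]]
        log local0. "$uid Raise AV_BLOCK $details [ASM::raise AV_BLOCK $details]"
        set icap_blocked 0
        table delete -subtable icap_block_reason $uid
    }
    # Do not pass the correlation header on to the pool member.
    HTTP::header remove ICAP_UID
}

# --- Internal ICAP VS (added example) ---
when ICAP_RESPONSE {
    if { [ICAP::header exists X-Virus-Name] && [ICAP::header exists ICAP_UID] } {
        # 30 s timeout (assumed): entries the HTTP VS never reads expire.
        table set -subtable icap_block_reason \
            [ICAP::header value ICAP_UID] [ICAP::header value X-Virus-Name] 30
    }
}
```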