Something like this:
when ASM_REQUEST_DONE {
    set uri [HTTP::uri]
    foreach violation [ASM::violation names] {
        # Only consider unblocking /login.php requests that raised fewer than two violations
        if { $uri starts_with "/login.php" && [ASM::violation count] < 2 } {
            foreach attack [ASM::violation attack_types] {
                switch $attack {
                    "ATTACK_TYPE_HTTP_REQUEST_SMUGGLING_ATTACK" -
                    "ATTACK_TYPE_HTTP_PARSER_ATTACK" {
                        # Record every override so allowed requests can be audited later
                        log local0. "Violation: $violation and attack: $attack detected for URI $uri, but allowed anyway."
                        ASM::unblock
                    }
                }
            }
        } else {
            # Different URI or more than one violation, too dangerous to unblock
            return
        }
    }
}
BTW, this is the way to test with curl if you want to send an empty HTTP header:
curl -v http://10.23.98.101/login.php -H "If-None-Match;"