Different Blocking pages for different violation?

Hi,

 

we use ICAP, too. And you are right, there is no way to set a dedicated blocking page for a "virus found" violation.

 

In my opinion, it has a good site, too. If it is a free webpage, without user authentication, and you have a dedicated response page for virus found detection, a user could test different viruses until he found one, which is going through on a easy way. If you don't have this blocking page, it is a little bit in the dark, why the request is blocked.

 

 

Too your options:

 

1. Here you have the problem, that any other violation raise the same blocking page. So if it is a form, where the user set an invalid parameter and an attack signature hit and you respond with a virus found blocking page, he will be confused.

 

2. I tried something like that in the past, but didn't get it working. I think, it isn't possible to set another response page, here. Perhaps, you could set an irule value here and check this value at HTTP_RESPONSE event. But if I understand the wiki correctly, the event HTTP_RESPONSE isn't raised by a locally generated event.

 

It isn't possible to get the violation data down to the web server, because it is blocked. The only way would be, to let it through (not blocking).

 

 

A possible solution could be:

 

remove blocking setting for virus detection

 

remove the file, if there is a virus detected, and set a http header or replace the file by a dummy string

 

programming the web page to do something, if the header or the dummy string is found --> redirect to a virus blocking page

 

 

If you found a solution, I would be happy :-)

 

 

regards

 

Ok so I have come with a basic construct of an iRule to handle a couple of options for the Virus detected violation. In this particular version I am removing the malicious file from the request inserting a line in the header and passing it to the web server so the application owner can reply with whatever they like. If someone could take a look over this and see if I am making any mistakes and if I am interpreting the ASM:payload command correctly.

 

 

You could also do away with the ASM:payload and header insert and just do a custom response here as well.

 

 

when ASM_REQUEST_BLOCKING

 

{

 

 

set x [ASM::violation_data]

 

 

for {set i 0} { $i < 7 } {incr i} {

 

switch $i {

 

0 { log local0. "violation=[lindex $x $i]" }

 

1 { log local0. "support_id=[lindex $x $i]" }

 

2 { log local0. "web_application=[lindex $x $i]" }

 

3 { log local0. "severity=[lindex $x $i]" }

 

4 { log local0. "source_ip=[lindex $x $i]" }

 

5 { log local0. "attack_type=[lindex $x $i]" }

 

6 { log local0. "request_status=[lindex $x $i]" }

 

 

}}

 

 

if {([lindex $x 0] contains "ATTACK_TYPE_MALICIOUS_FILE_UPLOAD")}

 

{

 

 

 

ASM::payload replace 0 0 ""

 

 

HTTP::header insert x-asm-violation ["Virus Found"]

 

}

 

 

}

 

 

Another thought I have but I have not found a way to make work yet, is there a way for me to just remove the whole request and redirect to a certian URL and then insert something in the header or query string that tells the web server what kind of violation it is and allow the application owner to make a decision on what block page to display.

Perhaps something like this??

 

 

when ASM_REQUEST_VIOLATION

 

{

 

set x [ASM::violation_data]

 

 

for {set i 0} { $i < 7 } {incr i} {

 

switch $i {

 

0 { log local0. "violation=[lindex $x $i]" }

 

1 { log local0. "support_id=[lindex $x $i]" }

 

2 { log local0. "web_application=[lindex $x $i]" }

 

3 { log local0. "severity=[lindex $x $i]" }

 

4 { log local0. "source_ip=[lindex $x $i]" }

 

5 { log local0. "attack_type=[lindex $x $i]" }

 

6 { log local0. "request_status=[lindex $x $i]" }

 

 

}}

 

 

set violation [lindex $x 0]

 

 

HTTP::uri "/error_handling/asmviolation.action?violation=$violation"

 

 

 

Yes yes I forgot some brackets 🙂

when ASM_REQUEST_VIOLATION
{
  set x [ASM::violation_data]

  for {set i 0} { $i < 7 } {incr i} {
      switch $i {
      0         { log local0. "violation=[lindex $x $i]" }
      1         { log local0. "support_id=[lindex $x $i]" }
      2         { log local0. "web_application=[lindex $x $i]" }
      3         { log local0. "severity=[lindex $x $i]" }
      4         { log local0. "source_ip=[lindex $x $i]" }
      5         { log local0. "attack_type=[lindex $x $i]" }
      6         { log local0. "request_status=[lindex $x $i]" }

   }}  
{
   set violation [lindex $x 0]
   
HTTP::uri "/error_handling/asmviolation.action?violation=$violation"
   

}
}
 

The payload replacement doesn't work?

 

What happens, if another violation is inside the request at the same time? i.e. there is a sql attack and a virus inside the same request.

 

Will it be blocked or is it let through to the server, because of the redirect inside the violation event.

 

The violation event is triggered before the Blocking event, I think.

Are you stating the payload replace doesn't work or asking?

 

 

Good question I will have to look into that. I would assume it will block which is what I would want it to do.

I only asked for the payload replacement, because its not in your last message ;-)