jba3126
Sep 19, 2017 Cirrus
iRule that triggers a capture of the HTTP request before rejecting
I'm using the following iRule to block an attack coming from an IP that is behind a proxy; however, we can still see the original in the XFF header. So far this iRule is working, but I would like to trigger a capture to better build a policy in ASM to block it. Is there a way to trigger a method to capture and log the full request when we get a match and send the 410?
Note: Credit to hoolio https://devcentral.f5.com/questions/using-x-forwarded-for-to-block-clients
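when HTTP_REQUEST {
    # Only inspect requests that carry an X-Forwarded-For header
    if {[HTTP::header "X-Forwarded-For"] ne ""}{
        log local0. "XFF: [HTTP::header "X-Forwarded-For"]"
        # Strip spaces, then walk each comma-separated address in the header
        foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
            log local0. "Current XFF element: $xff"
            # Reject the request if any element matches the blocked address
            if {[IP::addr $xff equals 1.2.3.4]}{
                log local0. "Sending 410 for $xff"
                HTTP::respond 410
                break
            }
        }
    }
}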
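
One way to log the matching request before the 410 is sent, as an added example that is not part of the original post or of hoolio's iRule. It keeps the post's placeholder address 1.2.3.4 and its local0 logging; the "XFF block" log prefix and the variable names are made up here.

```tcl
# Added example: log the request line and every header when an
# X-Forwarded-For element matches, then reject with 410.
when HTTP_REQUEST {
    set xff_raw [HTTP::header "X-Forwarded-For"]
    if { $xff_raw eq "" } { return }

    foreach xff [split [string map [list " " ""] $xff_raw] ","] {
        # IP::addr raises an error on a malformed element; catch it so a
        # junk XFF value is skipped instead of aborting the iRule.
        if { [catch { IP::addr $xff equals 1.2.3.4 } matched] || !$matched } {
            continue
        }

        # Tag every log line with the connecting peer so the lines of one
        # request can be grouped again when reading /var/log/ltm.
        set peer "[IP::client_addr]:[TCP::client_port]"
        log local0. "XFF block: match=$xff peer=$peer vs=[virtual name]\
            [HTTP::method] [HTTP::host][HTTP::uri] HTTP/[HTTP::version]"

        # One log line per header value keeps each entry short enough
        # that syslog does not truncate it.
        foreach name [lsort -unique [HTTP::header names]] {
            foreach value [HTTP::header values $name] {
                log local0. "XFF block: peer=$peer hdr $name: $value"
            }
        }

        log local0. "XFF block: sending 410 for $xff"
        HTTP::respond 410
        return
    }
}
```

This records the request line and headers only, not a POST body, and the header dump will include Cookie and Authorization values, so treat the resulting log as sensitive.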