Nathan_Houck_65
May 02, 2012Nimbostratus
Here is an iRule that logs not only the client IP address, but also the Host header, the URI, and the VIP address.
(FYI, I'm using 10.2.1 code.)
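rule ASM_DOS_LOG_RULE {
    # Logs one line to local0 whenever ASM reports VIOLATION_DOS_ATTACK, adding
    # the virtual server address, the Host header and the request URI to the
    # fields taken from ASM::violation_data.
    #
    # Operational notes:
    #  - Host and URI are supplied by the client. Log consumers and SIEM parsers
    #    should treat both fields as untrusted text.
    #  - Both values are capped at 256 characters so that an oversized request
    #    cannot crowd the trailing Client IP field out of the log line.
    #  - One line is written per matching event. During a sustained attack this
    #    can produce a large log volume, so check log rotation and forwarding
    #    capacity before enabling the rule on a busy virtual server.

    when CLIENT_ACCEPTED {
        # Destination address and port the client connected to, i.e. the VIP.
        set vip "[IP::local_addr clientside]:[TCP::local_port clientside]"
    }

    when HTTP_REQUEST {
        # Captured here so the values are available in the later ASM events.
        set client_request [string range [HTTP::uri] 0 255]
        set host_head [string range [HTTP::host] 0 255]
    }

    when ASM_REQUEST_VIOLATION {
        set x [ASM::violation_data]
        # The violation name is looked for in elements 0 and 5 of the list.
        # Elements 2 and 4 are logged as web application and client IP.
        # NOTE(review): confirm the element positions on the running version.
        if { ([lindex $x 0] contains "VIOLATION_DOS_ATTACK") or ([lindex $x 5] contains "VIOLATION_DOS_ATTACK") } {
            log local0. "VIOLATION_DOS_ATTACK detected in ASM_REQUEST_VIOLATION, Web App=[lindex $x 2], VIP=$vip, HOST=$host_head, URI=$client_request, Client IP=[lindex $x 4]"
        }
    }

    when ASM_RESPONSE_VIOLATION {
        set x [ASM::violation_data]
        if { ([lindex $x 0] contains "VIOLATION_DOS_ATTACK") or ([lindex $x 5] contains "VIOLATION_DOS_ATTACK") } {
            # The message names this event, so the three log sources can be told apart.
            log local0. "VIOLATION_DOS_ATTACK detected in ASM_RESPONSE_VIOLATION, Web App=[lindex $x 2], VIP=$vip, HOST=$host_head, URI=$client_request, Client IP=[lindex $x 4]"
        }
    }

    when ASM_REQUEST_BLOCKING {
        set x [ASM::violation_data]
        if { ([lindex $x 0] contains "VIOLATION_DOS_ATTACK") or ([lindex $x 5] contains "VIOLATION_DOS_ATTACK") } {
            # The message names this event, so blocked requests are distinguishable from reported ones.
            log local0. "VIOLATION_DOS_ATTACK detected in ASM_REQUEST_BLOCKING, Web App=[lindex $x 2], VIP=$vip, HOST=$host_head, URI=$client_request, Client IP=[lindex $x 4]"
        }
    }
}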