ShellShock iRule

Question

Hey Everyone,
I am wondering if it is possible to modify the existing shellshock irule to log both source and destination IPs. I am sure there is but I am no TCL expert so any help would be appreciated.&nbsp;
when HTTP_REQUEST {
  if { [string match "() {;}" [HTTP::request]] } {
    log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]'; URI = '[HTTP::uri]'";
    reject;
  }
}&nbsp;

chris_g_01_1415 · Answer

So after much trial and error I think I got it. If anyone would like to try and validate that would be nice for anyone trying to do the same.&nbsp;
when HTTP_REQUEST {
  if { [string match "() {;}" [HTTP::request]] } {
    log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]'; destination '[IP::local_addr]'; URI = '[HTTP::uri]'";
    reject;
  }
}&nbsp;

what_lies_bene1 · Answer

Chris,&nbsp;
I don't see any issues with what you've done but note the 'official' rule and the comments around it here: https://devcentral.f5.com/articles/shellshock-mitigation-with-big-ip-irules&nbsp;

Forum Discussion

ShellShock iRule

2 Replies

Recent Discussions

Geo Fence in ASM through irule for URI

Chrome V 124+ on MacOS - Virtual Server Access Issue

google-visualization-issues

The best load balance method on this scenario?

SMS server with BIGIP

Related Content

iRULE regsub error

owa iapp assign irule

Irule Trigger two times

iRule assistance for subfolder redirect

IRule to select IRule doesn't work even if the condition triggers