Forum Discussion

jba3126
Sep 19, 2017

iRule that triggers a capture of the HTTP request before rejecting

I'm using the following iRule to block an attack coming from an IP that is behind a proxy; however, we can still see the original IP in the XFF header. So far this iRule is working, but I would like to trigger a capture to better build a policy in ASM to block. Is there a way to trigger a method to capture and log the full request when we get a match and send the 410?

Note: Credit to hoolio https://devcentral.f5.com/questions/using-x-forwarded-for-to-block-clients

when HTTP_REQUEST {
   if {[HTTP::header "X-Forwarded-For"] ne ""}{
      log local0. "XFF: [HTTP::header "X-Forwarded-For"]"
      foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
         log local0. "Current XFF element: $xff"
         if {[IP::addr $xff equals 1.2.3.4]}{
            log local0. "Sending 410 for $xff"
            HTTP::respond 410
            break
         }
      }
   }
}

2 Replies

  • Why not let the request go through to ASM, block it there where you can log all illegal requests, then intercept the blocking response and re-write it to a 410?


  • Hi,

    You can log the output from the command:

    [HTTP::request]

    This command returns the whole request!
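Putting the question and the second reply together, here is an added example iRule (not code from the original post or from F5) that keeps the XFF check from the question and logs the captured request before sending the 410. It assumes the blocked address 1.2.3.4 is a placeholder to be replaced, that a malformed XFF element should be skipped rather than abort the event, and that each header line is logged separately so long requests are not cut off by the per-line limit of the LTM log. One caveat on the reply above: HTTP::request returns the request line and headers only; capturing a body would additionally need HTTP::collect and HTTP::payload.

```tcl
when HTTP_REQUEST {
    # Constructed placeholder: replace with the offending source address.
    set blocked_ip 1.2.3.4

    set xff_hdr [HTTP::header "X-Forwarded-For"]
    if { $xff_hdr ne "" } {
        # Strip spaces, then walk the comma-separated chain of proxy hops.
        foreach xff [split [string map [list " " ""] $xff_hdr] ","] {
            # IP::addr raises an error on a non-IP string; catch it and move on
            # so a garbage XFF value cannot break the rule for the whole request.
            if { [catch { IP::addr $xff equals $blocked_ip } is_match] } {
                log local0. "Skipping malformed XFF element \"$xff\""
                continue
            }
            if { $is_match } {
                # Log the capture first, one line per header, so nothing is truncated.
                # HTTP::request contains the request line and headers only (no body).
                log local0. "Blocking XFF $xff via proxy [IP::client_addr]; request follows"
                foreach line [split [HTTP::request] "\n"] {
                    set line [string trimright $line "\r"]
                    if { $line ne "" } {
                        log local0. "  $line"
                    }
                }
                # Respond 410 and end HTTP_REQUEST processing for this request.
                HTTP::respond 410 content "Gone" "Connection" "close"
                return
            }
        }
    }
}
```

The log lines land in /var/log/ltm (the local0 facility), where the captured request line and headers can be pulled straight into an ASM policy or signature. The first reply's alternative, letting ASM see the request and rewriting its blocking page to a 410, avoids this logging entirely and may be preferable once the policy exists.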