For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

MaxMedov's avatar
MaxMedov
Icon for Cirrostratus rankCirrostratus
Apr 18, 2023

Block specific Client IP if request contains XYZ

Hi, I need help creating the fastest solution (LTM Policy / iRule / other) to do this: If client IP = X.X.X.X and request contains = XYZ Drop the client / or block by WAF message Thank you! ...
security
Michael_Saleem's avatar
Michael_Saleem
Icon for MVP rankMVP
Apr 18, 2023

 

For a very quick solution to match on a single source IP and URI, you could use the following:

when HTTP_REQUEST {
    if { ( ( [IP::addr [IP::client_addr] equals X.X.X.X] ) && ( [string tolower [HTTP::uri]] contains "xyz" ) ) } {
        drop
    }
}

However, if you need need it to be more scalable, I would probably use a data group to hold multiple client IP addresses and then maybe another data group or switch -glob statement to match on multiple URIs.

  • CA_Valli's avatar
    CA_Valli
    Icon for MVP rankMVP
    Apr 18, 2023

    I'd just advise to avoid using "string tolower" on HTTP uri instruction, since path is case sensitive. 

    • MaxMedov's avatar
      MaxMedov
      Icon for Cirrostratus rankCirrostratus
      Apr 18, 2023

      So what is better?

      • CA_Valli's avatar
        CA_Valli
        Icon for MVP rankMVP
        Apr 18, 2023

        [HTTP::path] or [HTTP::query] should work just fine for exact matches on path/query parts of the uri