Forum Discussion

MaxMedov's avatar
MaxMedov
Icon for Cirrostratus rankCirrostratus
Apr 18, 2023

Block specific Client IP if request contains XYZ

Hi, I need help creating the fastest solution (LTM Policy / iRule / other) to do this: If client IP = X.X.X.X and request contains = XYZ Drop the client / or block by WAF message Thank you! ...
security
Michael_Saleem's avatar
Michael_Saleem
Icon for MVP rankMVP

 

For a very quick solution to match on a single source IP and URI, you could use the following:

when HTTP_REQUEST {
    if { ( ( [IP::addr [IP::client_addr] equals X.X.X.X] ) && ( [string tolower [HTTP::uri]] contains "xyz" ) ) } {
        drop
    }
}

However, if you need need it to be more scalable, I would probably use a data group to hold multiple client IP addresses and then maybe another data group or switch -glob statement to match on multiple URIs.

CA_Valli's avatar
CA_Valli
Icon for MVP rankMVP
Apr 18, 2023

I'd just advise to avoid using "string tolower" on HTTP uri instruction, since path is case sensitive. 

  • MaxMedov's avatar
    MaxMedov
    Icon for Cirrostratus rankCirrostratus
    Apr 18, 2023

    So what is better?

    • CA_Valli's avatar
      CA_Valli
      Icon for MVP rankMVP
      Apr 18, 2023

      [HTTP::path] or [HTTP::query] should work just fine for exact matches on path/query parts of the uri 

    • Michael_Saleem's avatar
      Michael_Saleem
      Icon for MVP rankMVP
      Apr 18, 2023

      If you are using a mixture of upper and lowercase letters in your URI and you need an exact match on this, then remove the [string tolower]

      when HTTP_REQUEST {
    if { ( ( [IP::addr [IP::client_addr] equals X.X.X.X] ) && ( [HTTP::uri] contains "XYZ" ) ) } {
        drop
    }
}