There were actually a few syntax and logic errors in the rule. There needs to be a space between local0. and the start of the log text. The open parenthesis shouldn't be there. And IP::server_addr is invalid in HTTP_REQUEST as no server side connection has been established. Assuming you want to check the client IP against the Host datagroup, you can try this:
when HTTP_REQUEST {
   # Log a debug message with client IP:port and the class contents
   log local0. "[IP::client_addr]:[TCP::client_port]: class \$::badStrings: $::badStrings"

   # Check if the client IP is part of the Hosts datagroup
   # (IP::client_addr, not IP::server_addr: there is no server-side connection yet in HTTP_REQUEST)
   if { [matchclass [IP::client_addr] equals $::Hosts] } {

      # Log a debug message indicating the client IP matched the Hosts class
      log local0. "[IP::client_addr]:[TCP::client_port]: matched Hosts class \$::Hosts: $::Hosts"

      # Check if the requested URI contains any known bad strings
      if { [matchclass [string tolower [HTTP::uri]] contains $::badStrings] } {

         # Log a debug message indicating the client matched the Hosts class and had a bad string in the URI
         log local0. "[IP::client_addr]:[TCP::client_port]: matched client IP and found bad string in [HTTP::uri]: entry [matchclass [string tolower [HTTP::uri]] contains $::badStrings]"

         # Drop the TCP connection
         drop
      }
   }
}
I added more logging so you can follow what's happening if it doesn't work. Once you've tested the rule, you should comment out or remove the log statements to save disk space and CPU resources.
Aaron
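The decision logic of the rule above (client address checked against the Hosts datagroup, then a case-insensitive substring check of the URI against the badStrings datagroup, drop only when both match), rewritten as an added Python example so it can be run against sample requests offline. This is not iRule code and not from the original post; the datagroup contents and request samples are constructed, and the CIDR handling in in_hosts() assumes the Hosts datagroup may hold address ranges as well as single addresses.

```python
import ipaddress

# Constructed stand-ins for the $::Hosts and $::badStrings datagroups.
# Assumption: Hosts entries may be single addresses or CIDR ranges.
HOSTS = ["10.0.0.0/8", "192.168.1.25"]
# Entries are kept lowercase because the rule lowercases only the URI side.
BAD_STRINGS = ["../", "/etc/passwd", "cmd.exe", "<script"]


def in_hosts(client_ip, hosts=HOSTS):
    """Emulate `matchclass [IP::client_addr] equals $::Hosts`:
    True when the client address is an entry or falls inside a listed range."""
    addr = ipaddress.ip_address(client_ip)
    for entry in hosts:
        net = ipaddress.ip_network(entry, strict=False)
        if addr in net:
            return True
    return False


def bad_string_in_uri(uri, bad_strings=BAD_STRINGS):
    """Emulate `matchclass [string tolower [HTTP::uri]] contains $::badStrings`.
    Returns the matching datagroup entry (what the rule logs) or None."""
    lowered = uri.lower()
    for entry in bad_strings:
        if entry in lowered:
            return entry
    return None


def evaluate_request(client_ip, uri):
    """Mirror the nested ifs of the rule: 'drop' only when the client is in
    Hosts AND the lowercased URI contains a bad string, otherwise 'allow'."""
    if in_hosts(client_ip):
        hit = bad_string_in_uri(uri)
        if hit is not None:
            return "drop"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests: (client address, raw request URI)
    samples = [
        ("10.1.2.3", "/index.html?file=../../etc/passwd"),   # in Hosts, bad string -> drop
        ("172.16.0.1", "/cgi-bin/cmd.exe"),                   # bad string but not in Hosts -> allow
        ("192.168.1.25", "/Images/Logo.png"),                 # in Hosts, clean URI -> allow
        ("10.9.9.9", "/search?q=%3Cscript%3E"),               # percent-encoded, no raw match -> allow
    ]
    for ip, uri in samples:
        print(f"{ip} {uri} -> {evaluate_request(ip, uri)}")
```

Two points the sample set is chosen to show: the rule lowercases only the URI, so any mixed-case entry in badStrings would never match and the datagroup should be maintained in lowercase; and HTTP::uri is the raw request URI, so a percent-encoded form of a listed string is not matched by a plain substring comparison. Whether to match on a decoded copy of the URI as well is a decision to make deliberately, with the matching logged as the rule already does.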