Forum Discussion
Yoda_34023
Nimbostratus
NimbostratusCombined Nimda/CodeRed and redirection with a wait time
Hi,
I'm trying to combine some great irules I received from the forum into a single script.
Here's my logic:
If the incoming request contains CodeRed or Nimda then log it. Send back a message to the client telling them you logged it and display their IP address (and any more information we can extract).
Now disgard the packet and then wait for 10 seconds, before redircting to the main site. (Not sure if this will work)
This is want I have done so far:
when HTTP_REQUEST {
set uri [string tolower [HTTP::uri]]
if { ($uri contains "default.ida")
or ($uri contains "cmd.exe")
or ($uri contains "root.exe")
or ($uri contains "admin.dll") }{
log local0. "Client: [IP::client_addr], requested
[HTTP::host]$uri and was discarded"
HTTP::respond 200 content "Message Title,We logged your IP do thing you should not be, your IP is [IP::client_addr]
Stop it or we will stop you
"
disgard
**** WOULD LIKE TO DISPLAY A REDIRECTING TO MAIN SITE IN 10 SECONDS, THEN REDIRECT IT ****
}
- JRahm
Admin
You could use a for loop (or nested for loops) to build in this delay, but as Colin has pointed out before, this isn't a desireable thing. Another option would be to build an unmonitored (and non-existing node) to send such connections to, tuning your tcp so that an LB_FAILED event happens around the 10s mark. Then you could do your redirect in the LB_FAILED event. Not sure either of these are desirable outcomes. 
Yoda_34023Thanks for the insight. Will wait to see if any more responses come in, then I can explore them.- Yoda_34023Tricky one. I may just have to live without the wait time.
