Forum Discussion
Convert LOIC client rule to an iRule
Hi, here is another one I need to be able to convert from its original formatted rule into an iRule. This one needs to alert when a LOIC client has been detected. The requirements are to check for a missing Accept-Language header; a missing Referer header; a missing Cookie header and look for the user-agent "MSIE 6.0" and "chkd 1.2". Here is the iRule I came up with:
when HTTP_REQUEST {
    # Each User-Agent substring needs its own "contains" test.
    if { not ([HTTP::header exists Accept-Language])
         and not ([HTTP::header exists Referer])
         and not ([HTTP::header exists Cookie])
         and ([HTTP::header User-Agent] contains "MSIE 6.0")
         and ([HTTP::header User-Agent] contains "chkd 1.2") } {
        log local0. "Possible LOIC 1.1 client detected."
    }
}
If someone could review it and let me know where I went wrong I would greatly appreciate it.
I also wanted to know if there was a way the user-agent search could be mixed case or is the rule searching for it in mixed case when we say it contains XYZ?
Thanks,
Patti
1 Reply
- Kevin_Stewart
Employee
Your iRule looks about right. To perform a case insensitive string match, convert the value to lowercase with [string tolower ]:

if { [string tolower [HTTP::header User-Agent]] contains "blah" }

Also, just curious, but from what source are these "signatures" being defined? At this point I think you'll be better off employing a web application firewall to protect against types of attacks, instead of creating logic in iRules to cover specific attacks.
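The reply's case-insensitive match applied to the whole rule, as an added example that is not code from either poster. The log throttle built on the session table, its `loic:` key prefix and the 60-second window are assumptions added here so that a flood of matching requests does not produce one log line per request.

```tcl
when HTTP_REQUEST {
    # Lowercase the User-Agent once and reuse it; the patterns
    # compared against it must be lowercase as well.
    set ua [string tolower [HTTP::header User-Agent]]

    # Both markers from the signature must be present.
    if { ($ua contains "msie 6.0") and ($ua contains "chkd 1.2") } {

        # The signature also requires all three of these headers to be absent.
        set all_missing 1
        foreach name {Accept-Language Referer Cookie} {
            if { [HTTP::header exists $name] } {
                set all_missing 0
                break
            }
        }

        if { $all_missing } {
            # Assumption: log at most once per client address per 60 seconds.
            # "loic:" is a hypothetical key prefix chosen for this example.
            set key "loic:[IP::client_addr]"
            if { [table lookup -notouch $key] eq "" } {
                table set $key 1 60 60
                log local0. "Possible LOIC 1.1 client detected: client=[IP::client_addr] host=[HTTP::host] uri=[HTTP::uri]"
            }
        }
    }
}
```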