Convert LOIC client rule to an iRule
Hi, here is another one I need to be able to convert from its original formatted rule into an iRule. This one needs to alert when a LOIC client has been detected. The requirements are to check for a missing Accept-Language header; a missing Referer header; a missing Cookie header and look for the user-agent "MSIE 6.0" and "chkd 1.2". Here is the iRule I came up with:
when HTTP_REQUEST { if {not ([HTTP::header exists Accept-Language]) and not ([HTTP::header exists Referer]) and not ([HTTP::header exists Cookie]) and ([HTTP::header User-Agent] contains "MSIE\ 6.0" and "chkd\ 1.2") } { log local0. "Possible LOIC 1.1 client detected." } }
If someone could review it and let me know where I went wrong I would greatly appreciate it.
I also wanted to know if there was a way the user-agent search could be mixed case or is the rule searching for it in mixed case when we say it contains XYZ?
Thanks,
Patti