Forum Discussion

doddy's avatar
doddy
Icon for Nimbostratus rankNimbostratus
Jul 27, 2013

Detect HTTP Pipelining Request

Good day all...     I am currently looking for method to detect HTTP pipelining request. This pipelining is currently exploiting our vulnerability in which cannot detect subsequent request on...
application delivery
dev
devops
iRules
nitass's avatar
nitass
Icon for Employee rankEmployee
Jul 28, 2013
did you mean I can combine TCP level with HTTP level events like this? yes

e.g. 

[root@ve10:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.252:80
   ip protocol 6
   rules myrule
   profiles {
      http {}
      tcp {}
   }
}
[root@ve10:Active] config  b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
  log local0. "CLIENT_ACCEPTED - client [IP::client_addr]:[TCP::client_port]"
  TCP::collect
}
when CLIENT_DATA {
  log local0. "CLIENT_DATA - client [IP::client_addr]:[TCP::client_port] payload [TCP::payload]"
  if { [llength [lsearch -all [TCP::payload] HEAD]] > 1 } {
    log local0. "CLIENT_DATA - client [IP::client_addr]:[TCP::client_port] reject"
    reject
    return
  }
  TCP::release
  TCP::collect
}
when HTTP_REQUEST {
  log local0. "HTTP_REQUEST - client [IP::client_addr]:[TCP::client_port] request [HTTP::request]"
}
}

[root@ve10:Active] config  tail -f /var/log/ltm
Jul 28 09:09:38 local/tmm info tmm[22008]: Rule myrule : CLIENT_ACCEPTED - client 172.28.20.17:47963
Jul 28 09:09:38 local/tmm info tmm[22008]: Rule myrule : CLIENT_DATA - client 172.28.20.17:47963 payload HEAD /frist HTTP/1.1  Host:     HEAD /second HTTP/1.1  Host:
Jul 28 09:09:38 local/tmm info tmm[22008]: Rule myrule : CLIENT_DATA - client 172.28.20.17:47963 reject

Jul 28 09:10:05 local/tmm info tmm[22008]: Rule myrule : CLIENT_ACCEPTED - client 172.28.20.17:47964
Jul 28 09:10:05 local/tmm info tmm[22008]: Rule myrule : CLIENT_DATA - client 172.28.20.17:47964 payload HEAD /normal HTTP/1.1  User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5  Host: 172.28.19.252  Accept: */*
Jul 28 09:10:05 local/tmm info tmm[22008]: Rule myrule : HTTP_REQUEST - client 172.28.20.17:47964 request HEAD /normal HTTP/1.1  User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5  Host: 172.28.19.252  Accept: */*