Forum Discussion
hooleylist
May 27, 2008Cirrostratus
If you wanted to read/modify the string you could have used a stream filter. If you want to modify how the request is load balanced, you'll need to collect the request payload and search the payload for the string filename=. You can use the HTTP::collect (Click here) and HTTP::payload (Click here) commands to do this.
If you're running a version less than 9.3, you should limit the payload collection to less than 1Mb due to a bug noted in CR57252 (Click here).
Here's an example to get you started:
when HTTP_REQUEST {
if {[HTTP::method] eq "POST"} {
log local0. "[IP::client_addr]:[TCP::client_port]: POST request to \
[HTTP::uri], with content-length [HTTP::header value "Content-Length"]"
Check if there is a content-length header with a value less than 1Mb
if {([HTTP::header exists "Content-Length"]) && \
([HTTP::header "Content-Length"] <= 1048576)}{
set content_length [HTTP::header "Content-Length"]
} else {
Set the collection to a default of 1Mb
set content_length 1048576
}
Make sure the content-length header wasn't set to 0
if { $content_length > 0 } {
log local0. "[IP::client_addr]:[TCP::client_port]: collecting $content_length"
HTTP::collect $content_length
}
}
}
when HTTP_REQUEST_DATA {
Log the collected payload
log local0. "[IP::client_addr]:[TCP::client_port]: Payload: [HTTP::payload]"
Do something with the request based on whether the POST payload contains an .exe file upload
}
Aaron