nitass
Nov 26, 2011

HTTP_REQUEST_RELEASE and HTTP_RESPONSE_RELEASE

Hello,

I have just noticed the HTTP_REQUEST_RELEASE and HTTP_RESPONSE_RELEASE events in v11. Does anybody have an idea what the difference between HTTP_REQUEST_SEND and HTTP_REQUEST_RELEASE is, and in what situations HTTP_REQUEST_RELEASE and HTTP_RESPONSE_RELEASE could be used (since HTTP_REQUEST_SEND and HTTP_RESPONSE may be applicable as well)?

[root@ve1100:Active] config cat /var/log/ltm
Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule CLIENT_ACCEPTED:
Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule HTTP_REQUEST:
Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule SERVER_CONNECTED:
Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule HTTP_REQUEST_SEND:
Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule HTTP_REQUEST_RELEASE:
Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule HTTP_RESPONSE:
Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule HTTP_RESPONSE_RELEASE:
Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule CLIENT_CLOSED:
Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule SERVER_CLOSED:

Any suggestions are welcome.

Thanks!

3 Replies

  • hoolio
    Hi Nitass,

    I think the main reason HTTP_REQUEST_RELEASE and HTTP_RESPONSE_RELEASE were added in v11 was to allow modification of HTTP headers after the plugin(s) like ASM, WA, etc, have processed the request and/or response.

    Aaron
  • hoolio
    Here's an example iRule for ASM showing the various events:

    
    when CLIENT_ACCEPTED {
        log local0. "[IP::client_addr]:[TCP::client_port]: [virtual name] [IP::local_addr]:[TCP::local_port]"
    }
    when HTTP_REQUEST {
        log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::method] to [HTTP::host][HTTP::uri]"
    }
    when LB_SELECTED {
        log local0. "[IP::client_addr]:[TCP::client_port]: Selected: [LB::server]"
    }
    when LB_FAILED {
        log local0. "[IP::client_addr]:[TCP::client_port]: Failed: [LB::server]"
    }
    when HTTP_CLASS_SELECTED {
        log local0. "[IP::client_addr]:[TCP::client_port]: Selected [HTTP::class] class, ASM enabled: [HTTP::class asm]"
    }
    when HTTP_CLASS_FAILED {
        log local0. "[IP::client_addr]:[TCP::client_port]: No HTTP class match for [HTTP::uri]"
    }
    when ASM_REQUEST_VIOLATION {
        set x [ASM::violation_data]
        for {set i 0} { $i < 7 } {incr i} {
            switch $i {
                0 { log local0. "[IP::client_addr]:[TCP::client_port]: violation=[lindex $x $i]" }
                1 { log local0. "[IP::client_addr]:[TCP::client_port]: support_id=[lindex $x $i]" }
                2 { log local0. "[IP::client_addr]:[TCP::client_port]: web_application=[lindex $x $i]" }
                3 { log local0. "[IP::client_addr]:[TCP::client_port]: severity=[lindex $x $i]" }
                4 { log local0. "[IP::client_addr]:[TCP::client_port]: source_ip=[lindex $x $i]" }
                5 { log local0. "[IP::client_addr]:[TCP::client_port]: attack_type=[lindex $x $i]" }
                6 { log local0. "[IP::client_addr]:[TCP::client_port]: request_status=[lindex $x $i]" }
            }
        }
    }
    when ASM_REQUEST_BLOCKING {
        log local0. "[IP::client_addr]:[TCP::client_port]: Blocking"
    }
    when HTTP_REQUEST_SEND {
        log local0. "[IP::client_addr]:[TCP::client_port]: Sending to [IP::server_addr]:[TCP::server_port]"
    }
    when HTTP_REQUEST_RELEASE {
        log local0. "[IP::client_addr]:[TCP::client_port]: "
    }
    when SERVER_CONNECTED {
        log local0. "[IP::client_addr]:[TCP::client_port]: "
    }
    when HTTP_RESPONSE {
        log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::status] response"
    }
    when ASM_RESPONSE_VIOLATION {
        set x [ASM::violation_data]
        for {set i 0} { $i < 7 } {incr i} {
            switch $i {
                0 { log local0. "[IP::client_addr]:[TCP::client_port]: violation=[lindex $x $i]" }
                1 { log local0. "[IP::client_addr]:[TCP::client_port]: support_id=[lindex $x $i]" }
                2 { log local0. "[IP::client_addr]:[TCP::client_port]: web_application=[lindex $x $i]" }
                3 { log local0. "[IP::client_addr]:[TCP::client_port]: severity=[lindex $x $i]" }
                4 { log local0. "[IP::client_addr]:[TCP::client_port]: source_ip=[lindex $x $i]" }
                5 { log local0. "[IP::client_addr]:[TCP::client_port]: attack_type=[lindex $x $i]" }
                6 { log local0. "[IP::client_addr]:[TCP::client_port]: request_status=[lindex $x $i]" }
            }
        }
    }
    when HTTP_RESPONSE_RELEASE {
        log local0. "[IP::client_addr]:[TCP::client_port]: "
    }
    when CLIENT_CLOSED {
        log local0. "[IP::client_addr]:[TCP::client_port]: "
    }

    And a request being blocked:

    
    < CLIENT_ACCEPTED>: 10.1.0.111:53444: /Common/ltm_ve11_asm_http_vs 10.1.0.114:80
    < HTTP_REQUEST>: 10.1.0.111:53444: GET to 10.1.0.114/test.exe
    < HTTP_CLASS_SELECTED>: 10.1.0.111:53444: Selected /Common/www.example.com class, ASM enabled: 1
    < ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: violation=VIOLATION_OBJ_LEN,VIOLATION_REQ_LEN,VIOLATION_OBJ_TYPE
    < ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: support_id=10169066720958873606
    < ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: web_application=/Common/www.example.com
    < ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: severity=Critical
    < ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: source_ip=10.1.0.111
    < ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: attack_type=ATTACK_TYPE_BUFFER_OVERFLOW,ATTACK_TYPE_FORCEFUL_BROWSING
    < ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: request_status=blocked
    < ASM_REQUEST_BLOCKING>: 10.1.0.111:53444: Blocking
    < HTTP_RESPONSE_RELEASE>: 10.1.0.111:53444:
    < CLIENT_CLOSED>: 10.1.0.111:53444:

    And a response being blocked:

    
    < CLIENT_ACCEPTED>: 10.1.0.111:53567: /Common/ltm_ve11_asm_http_vs 10.1.0.114:80
    < HTTP_REQUEST>: 10.1.0.111:53567: GET to 10.1.0.114/test.exe
    < HTTP_CLASS_SELECTED>: 10.1.0.111:53567: Selected /Common/www.example.com class, ASM enabled: 1
    < LB_SELECTED>: 10.1.0.111:53567: Selected: /Common/ubuntu_1ip_port0_pool 10.1.0.100 0
    < SERVER_CONNECTED>: 10.1.0.111:53567:
    < HTTP_REQUEST_SEND>: 10.1.0.111:53567: Sending to 10.1.0.100:80
    < HTTP_REQUEST_RELEASE>: 10.1.0.111:53567:
    < HTTP_RESPONSE>: 10.1.0.111:53567: 404 response
    < ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: violation=VIOLATION_HTTP_STATUS_IN_RESPONSE
    < ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: support_id=10169066720958873618
    < ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: web_application=/Common/www.example.com
    < ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: severity=Informational
    < ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: source_ip=10.1.0.111
    < ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: attack_type=
    < ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: request_status=blocked
    < HTTP_RESPONSE_RELEASE>: 10.1.0.111:53567:
    < CLIENT_CLOSED>: 10.1.0.111:53567:

    Aaron
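
An added example, not part of the original posts: a Python sketch that groups trace lines in the format shown above by client ip:port and reports at which stage ASM blocked, whether the request reached a pool member, and whether HTTP_RESPONSE and HTTP_RESPONSE_RELEASE fired. The function and field names are hypothetical; the sample lines are an abbreviated copy of the two traces in the post.

```python
import re
from collections import defaultdict

# Matches the trace format in the post: "< EVENT>: client_ip:port: message".
LINE_RE = re.compile(r"<\s*(?P<event>[A-Z_]+)>:\s+(?P<conn>\d+(?:\.\d+){3}:\d+):\s?(?P<msg>.*)$")

# Abbreviated copy of the two traces posted above (blocked request, blocked response).
SAMPLE = """\
< ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: violation=VIOLATION_OBJ_LEN,VIOLATION_REQ_LEN,VIOLATION_OBJ_TYPE
< ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: support_id=10169066720958873606
< ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: request_status=blocked
< ASM_REQUEST_BLOCKING>: 10.1.0.111:53444: Blocking
< HTTP_RESPONSE_RELEASE>: 10.1.0.111:53444:
< HTTP_REQUEST_SEND>: 10.1.0.111:53567: Sending to 10.1.0.100:80
< HTTP_REQUEST_RELEASE>: 10.1.0.111:53567:
< HTTP_RESPONSE>: 10.1.0.111:53567: 404 response
< ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: violation=VIOLATION_HTTP_STATUS_IN_RESPONSE
< ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: support_id=10169066720958873618
< ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: request_status=blocked
< HTTP_RESPONSE_RELEASE>: 10.1.0.111:53567:
"""

def summarize(text):
    """Group trace lines per client connection and report where ASM acted."""
    conns = defaultdict(lambda: {"events": [], "fields": {}})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a trace line in the expected format
        c = conns[m["conn"]]
        c["events"].append(m["event"])
        if m["event"].endswith("_VIOLATION") and "=" in m["msg"]:
            key, value = m["msg"].split("=", 1)
            c["fields"][key] = value
    report = {}
    for conn, c in conns.items():
        ev, f = c["events"], c["fields"]
        stage = next((s for s in ("REQUEST", "RESPONSE")
                      if f"ASM_{s}_VIOLATION" in ev), None)
        report[conn] = {
            "stage": stage.lower() if stage else None,
            "status": f.get("request_status"),
            "violations": [v for v in f.get("violation", "").split(",") if v],
            "support_id": f.get("support_id"),
            "reached_server": "HTTP_REQUEST_SEND" in ev,
            "http_response_fired": "HTTP_RESPONSE" in ev,
            "response_release_fired": "HTTP_RESPONSE_RELEASE" in ev,
        }
    return report
```

On the sample, the blocked request shows `http_response_fired` as false and `response_release_fired` as true, so header handling that lives only in HTTP_RESPONSE would not run for that connection's blocking response.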