Forum Discussion
nitass
Nov 26, 2011 Employee
HTTP_REQUEST_RELEASE and HTTP_RESPONSE_RELEASE
Hello,
I have just noticed the HTTP_REQUEST_RELEASE and HTTP_RESPONSE_RELEASE events in v11. Does anybody have an idea what the difference between HTTP_REQUEST_SEND and HTTP_REQUEST_RELEASE is and what situati...
Here's an example iRule for ASM showing the various events:
when CLIENT_ACCEPTED {
    log local0. "[IP::client_addr]:[TCP::client_port]: [virtual name] [IP::local_addr]:[TCP::local_port]"
}
when HTTP_REQUEST {
    log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::method] to [HTTP::host][HTTP::uri]"
}
when LB_SELECTED {
    log local0. "[IP::client_addr]:[TCP::client_port]: Selected: [LB::server]"
}
when LB_FAILED {
    log local0. "[IP::client_addr]:[TCP::client_port]: Failed: [LB::server]"
}
when HTTP_CLASS_SELECTED {
    log local0. "[IP::client_addr]:[TCP::client_port]: Selected [HTTP::class] class, ASM enabled: [HTTP::class asm]"
}
when HTTP_CLASS_FAILED {
    log local0. "[IP::client_addr]:[TCP::client_port]: No HTTP class match for [HTTP::uri]"
}
when ASM_REQUEST_VIOLATION {
    set x [ASM::violation_data]
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
            0 { log local0. "[IP::client_addr]:[TCP::client_port]: violation=[lindex $x $i]" }
            1 { log local0. "[IP::client_addr]:[TCP::client_port]: support_id=[lindex $x $i]" }
            2 { log local0. "[IP::client_addr]:[TCP::client_port]: web_application=[lindex $x $i]" }
            3 { log local0. "[IP::client_addr]:[TCP::client_port]: severity=[lindex $x $i]" }
            4 { log local0. "[IP::client_addr]:[TCP::client_port]: source_ip=[lindex $x $i]" }
            5 { log local0. "[IP::client_addr]:[TCP::client_port]: attack_type=[lindex $x $i]" }
            6 { log local0. "[IP::client_addr]:[TCP::client_port]: request_status=[lindex $x $i]" }
        }
    }
}
when ASM_REQUEST_BLOCKING {
    log local0. "[IP::client_addr]:[TCP::client_port]: Blocking"
}
when HTTP_REQUEST_SEND {
    log local0. "[IP::client_addr]:[TCP::client_port]: Sending to [IP::server_addr]:[TCP::server_port]"
}
when HTTP_REQUEST_RELEASE {
    log local0. "[IP::client_addr]:[TCP::client_port]: "
}
when SERVER_CONNECTED {
    log local0. "[IP::client_addr]:[TCP::client_port]: "
}
when HTTP_RESPONSE {
    log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::status] response"
}
when ASM_RESPONSE_VIOLATION {
    set x [ASM::violation_data]
    for {set i 0} { $i < 7 } {incr i} {
        switch $i {
            0 { log local0. "[IP::client_addr]:[TCP::client_port]: violation=[lindex $x $i]" }
            1 { log local0. "[IP::client_addr]:[TCP::client_port]: support_id=[lindex $x $i]" }
            2 { log local0. "[IP::client_addr]:[TCP::client_port]: web_application=[lindex $x $i]" }
            3 { log local0. "[IP::client_addr]:[TCP::client_port]: severity=[lindex $x $i]" }
            4 { log local0. "[IP::client_addr]:[TCP::client_port]: source_ip=[lindex $x $i]" }
            5 { log local0. "[IP::client_addr]:[TCP::client_port]: attack_type=[lindex $x $i]" }
            6 { log local0. "[IP::client_addr]:[TCP::client_port]: request_status=[lindex $x $i]" }
        }
    }
}
when HTTP_RESPONSE_RELEASE {
    log local0. "[IP::client_addr]:[TCP::client_port]: "
}
when CLIENT_CLOSED {
    log local0. "[IP::client_addr]:[TCP::client_port]: "
}
And a request being blocked:
< CLIENT_ACCEPTED>: 10.1.0.111:53444: /Common/ltm_ve11_asm_http_vs 10.1.0.114:80
< HTTP_REQUEST>: 10.1.0.111:53444: GET to 10.1.0.114/test.exe
< HTTP_CLASS_SELECTED>: 10.1.0.111:53444: Selected /Common/www.example.com class, ASM enabled: 1
< ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: violation=VIOLATION_OBJ_LEN,VIOLATION_REQ_LEN,VIOLATION_OBJ_TYPE
< ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: support_id=10169066720958873606
< ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: web_application=/Common/www.example.com
< ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: severity=Critical
< ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: source_ip=10.1.0.111
< ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: attack_type=ATTACK_TYPE_BUFFER_OVERFLOW,ATTACK_TYPE_FORCEFUL_BROWSING
< ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: request_status=blocked
< ASM_REQUEST_BLOCKING>: 10.1.0.111:53444: Blocking
< HTTP_RESPONSE_RELEASE>: 10.1.0.111:53444:
< CLIENT_CLOSED>: 10.1.0.111:53444:
And a response being blocked:
< CLIENT_ACCEPTED>: 10.1.0.111:53567: /Common/ltm_ve11_asm_http_vs 10.1.0.114:80
< HTTP_REQUEST>: 10.1.0.111:53567: GET to 10.1.0.114/test.exe
< HTTP_CLASS_SELECTED>: 10.1.0.111:53567: Selected /Common/www.example.com class, ASM enabled: 1
< LB_SELECTED>: 10.1.0.111:53567: Selected: /Common/ubuntu_1ip_port0_pool 10.1.0.100 0
< SERVER_CONNECTED>: 10.1.0.111:53567:
< HTTP_REQUEST_SEND>: 10.1.0.111:53567: Sending to 10.1.0.100:80
< HTTP_REQUEST_RELEASE>: 10.1.0.111:53567:
< HTTP_RESPONSE>: 10.1.0.111:53567: 404 response
< ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: violation=VIOLATION_HTTP_STATUS_IN_RESPONSE
< ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: support_id=10169066720958873618
< ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: web_application=/Common/www.example.com
< ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: severity=Informational
< ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: source_ip=10.1.0.111
< ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: attack_type=
< ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: request_status=blocked
< HTTP_RESPONSE_RELEASE>: 10.1.0.111:53567:
< CLIENT_CLOSED>: 10.1.0.111:53567:
Aaron
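Added example (not part of the post above and not F5 code): a Python parser for the log format shown in the two traces, grouping lines by client ip:port and reporting whether ASM acted at the request or response stage and whether HTTP_REQUEST_SEND fired, i.e. whether the request left for a pool member. The function names and the abridged sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged subset of the two traces in the post.
SAMPLE = """\
< HTTP_REQUEST>: 10.1.0.111:53444: GET to 10.1.0.114/test.exe
< ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: violation=VIOLATION_OBJ_LEN,VIOLATION_REQ_LEN,VIOLATION_OBJ_TYPE
< ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: support_id=10169066720958873606
< ASM_REQUEST_VIOLATION>: 10.1.0.111:53444: request_status=blocked
< ASM_REQUEST_BLOCKING>: 10.1.0.111:53444: Blocking
< HTTP_RESPONSE_RELEASE>: 10.1.0.111:53444:
< HTTP_REQUEST>: 10.1.0.111:53567: GET to 10.1.0.114/test.exe
< HTTP_REQUEST_SEND>: 10.1.0.111:53567: Sending to 10.1.0.100:80
< HTTP_RESPONSE>: 10.1.0.111:53567: 404 response
< ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: violation=VIOLATION_HTTP_STATUS_IN_RESPONSE
< ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: support_id=10169066720958873618
< ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: attack_type=
< ASM_RESPONSE_VIOLATION>: 10.1.0.111:53567: request_status=blocked
< HTTP_RESPONSE_RELEASE>: 10.1.0.111:53567:
"""

LINE = re.compile(r"<\s*([A-Z_]+)>:\s*(\d+(?:\.\d+){3}:\d+):\s*(.*)$")
MULTI = {"violation", "attack_type"}  # comma-separated list fields

def parse(text):
    """Group (event, message) pairs by client ip:port, in log order."""
    conns = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.search(raw)  # search() tolerates a syslog prefix
        if m:
            conns[m.group(2)].append((m.group(1), m.group(3).strip()))
    return dict(conns)

def summarize(events):
    """Report the stage ASM acted at and whether the pool saw the request."""
    names = [name for name, _ in events]
    out = {"stage": None, "reached_server": "HTTP_REQUEST_SEND" in names}
    for name, msg in events:
        if name.startswith("ASM_") and name.endswith("_VIOLATION") and "=" in msg:
            key, _, value = msg.partition("=")
            out[key] = [v for v in value.split(",") if v] if key in MULTI else value
            out["stage"] = name.split("_")[1].lower()  # request / response
    return out

def blocked_connections(text):
    """Return summaries for connections whose request_status is blocked."""
    summaries = {conn: summarize(ev) for conn, ev in parse(text).items()}
    return {c: s for c, s in summaries.items() if s.get("request_status") == "blocked"}
```

On the sample, the connection blocked at the request stage shows `reached_server` as false, while the one blocked at the response stage shows it as true, matching the two traces.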