Forum Discussion
Richard_Young_1
Nimbostratus
Feb 16, 2010
I-Rule to Monitor Incoming Traffic
I want to write an I-Rule that will monitor traffic from a specified IP address. For instance, I want to monitor whether a certain IP address sends an incoming message to the F5 within a specified time frame, such as 1 message within a 1 minute time frame. If no incoming message is seen within the time frame, then send an SNMP trap/message to a program that logs the event.
The incoming message is an HTTP POST request.
1 Reply
- hoolio
Cirrostratus
Hi Richard,
In order to track if a client does not send a POST request within a minute of the prior POST request, you'd need to use the after command. This command was added in 10.0.0.
You can use IP::addr to compare the client IP address against a single IP or network in the CLIENT_ACCEPTED event. You can check the HTTP request method and URI in the HTTP_REQUEST event. You can use the log command to log a special message that will trigger an SNMP trap.
Here is a list of the wiki pages for the mentioned commands and events:
http://devcentral.f5.com/wiki/default.aspx/iRules/after
http://devcentral.f5.com/wiki/default.aspx/iRules/client_accepted
http://devcentral.f5.com/wiki/default.aspx/iRules/ip__addr
http://devcentral.f5.com/wiki/default.aspx/iRules/http_request
http://devcentral.f5.com/wiki/default.aspx/iRules/http__method
http://devcentral.f5.com/wiki/default.aspx/iRules/http__uri
http://devcentral.f5.com/wiki/default.aspx/iRules/log
For details on configuring a custom SNMP trap, search on AskF5 for "custom snmp trap".
If you try something and get stuck, let us know.
Aaron
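The approach outlined in the reply above, sketched as an iRule; this is an added example, not code posted in the thread, and it has not been run on a BIG-IP. The address 192.0.2.10, the URI prefix /heartbeat and the log string HEARTBEAT_MISSED are constructed placeholders, and the sketch assumes the client keeps one connection open between POSTs, because the timer lives in that connection's context.

```tcl
when CLIENT_ACCEPTED {
    # Remember the client address for the log message written by the timer.
    set client_ip [IP::client_addr]
    # 192.0.2.10 is a placeholder for the sender being monitored.
    # IP::addr returns 1 on a match, 0 otherwise; a network such as
    # 192.0.2.0/24 can be used in place of the single address.
    set watch_client [IP::addr $client_ip equals 192.0.2.10]
}

when HTTP_REQUEST {
    # Only a POST to the expected URI from the monitored address counts
    # as a heartbeat; every other request leaves the timer untouched.
    if { $watch_client && [HTTP::method] eq "POST" && [HTTP::uri] starts_with "/heartbeat" } {
        # Cancel the timer armed by the previous POST, if there was one.
        if { [info exists watchdog_id] } {
            after cancel $watchdog_id
        }
        # Re-arm: if 60000 ms pass without another POST, write the log
        # line. The custom SNMP trap must be configured to match this
        # exact string (HEARTBEAT_MISSED is a placeholder).
        set watchdog_id [after 60000 {
            log local0.alert "HEARTBEAT_MISSED: no POST from $client_ip within 60 seconds"
        }]
    }
}

when CLIENT_CLOSED {
    # Clean up the pending timer when the connection goes away.
    if { [info exists watchdog_id] } {
        after cancel $watchdog_id
    }
}
```

A sender that opens a new connection for every POST is not covered by this sketch, since each connection gets its own timer and its own variables.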
