For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Richard_Young_1's avatar
Richard_Young_1
Icon for Nimbostratus rankNimbostratus
Feb 16, 2010

I-Rule to Monitor Incoming Traffic

I want to write an I-Rule that will monitor traffic from a specified IP address. For instance I want to monitor whether a certain IP address sends an incoming message to the F5 with a specified time f...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Feb 17, 2010
Hi Richard,

 

 

In order to track if a client does not send a POST request within a minute of the prior POST request, you'd need to use the after command. This command was added in 10.0.0.

 

 

You can use IP::addr to compare the client IP address against a single IP or network in the CLIENT_ACCEPTED event. You can check the HTTP request method and URI in the HTTP_REQUEST event. You can use the log command to log a special message that will trigger an SNMP trap.

 

 

Here are a list of the wiki pages for the mentioned commands and events:

 

http://devcentral.f5.com/wiki/default.aspx/iRules/after

 

http://devcentral.f5.com/wiki/default.aspx/iRules/client_accepted

 

http://devcentral.f5.com/wiki/default.aspx/iRules/ip__addr

 

http://devcentral.f5.com/wiki/default.aspx/iRules/http_request

 

http://devcentral.f5.com/wiki/default.aspx/iRules/http__method

 

http://devcentral.f5.com/wiki/default.aspx/iRules/http__uri

 

http://devcentral.f5.com/wiki/default.aspx/iRules/log

 

 

For details on configuring a custom SNMP trap, search on AskF5 for "custom snmp trap".

 

 

If you try something and get stuck, let us know.

 

 

Aaron