Forum Discussion
abhinay
Nimbostratus
NimbostratusiRule for blocking specific traffic for HTTP POST
Hi Everyone, I need some help in setting up an iRule for below requirement. Need to get 403 Forbidden for below (method = POST) AND (URI contains /cs OR llisapi.dll) AND (body contains func=qds.) A...
Kai_Wilke
MVP
MVPHi abhinay,
you may use the iRule below as a starting point...
when HTTP_REQUEST {
if { [HTTP::method] eq "POST" } then {
switch -glob -- [string tolower [HTTP::path]] {
"*/cs*" -
"*llisapi.dll*" {
if { [HTTP::header value "Content-Lenght"] == 0 } then {
# Zero post data...
} elseif { ( [string is digit [HTTP::header value "Content-Lenght"]] == 1 )
and ( [HTTP::header value "Content-Lenght"] >= 0 )
and ( [HTTP::header value "Content-Lenght"] <= 1048576 ) } then {
HTTP::collect [HTTP::header value "Content-Lenght"]
} else { [HTTP::header value "Transfer-Encoding"] eq "chunked" } then {
# Someone may have used chunked tranfer encoding... :-(
# lets hope we will find the signature on first chunk of received data.
HTTP::collect 1
}
}
}
}
}
when HTTP_REQUEST_DATA {
# Format tolower, removing any tabs, spaces and line breaks before comparsion
set cleaned_payload [string tolower [string map { " " "" " " "" "\n" "" } [HTTP::payload]]]
if { ( [string match {*"key":"_request"*} $cleaned_payload] )
and ( [string match {*"value":"syndication_request"*} $cleaned_payload]) } then {
HTTP::respond 403 content "Forbidden" "Content-Type" "text/html"
}
# Alternative if "key" is always preceding "value"
#
# if { [string match {*"key":"_request","value":"syndication_request"*} $string_map] } then {
# HTTP::respond 403 content "Forbidden" "Content-Type" "text/html"
# }
}
Cheers, Kai
