Forum Discussion
Chadwick_McInni
Nimbostratus
Oct 04, 2005
iRule that generates an email
Is there a way to have an iRule generate an email from the BigIP when an event happens? For example, we want an email to be sent to a group whenever a certain vip is hit 10 times in one minute from the same IP.
Thanks,
Chad
5 Replies
- Colin_Walker_12
Historic F5 Account
Chad,
At this time there isn't the capability built in to fire an email from within an iRule.
You can, however, set syslog-ng to send an email based on a trap that comes through when a certain event is logged. You can then build an iRule to log that event (via the log command) in the needed format so that syslog-ng picks up on it, and sends the email.
Here's some info on syslog-ng from the BIG-IP 9 manual. Click here
Hopefully this will get you started.
-Colin
- Chadwick_McInni
Nimbostratus
Thanks Colin! I'm going to give this a shot and reply back with how it works.
- Chadwick_McInni
Nimbostratus
We have syslog-ng set up to email us whenever the term "script_kiddies" shows up in the ltm logs. I've used unRuleY's post (http://devcentral.f5.com/Default.aspx?tabid=28&view=topic&forumid=5&postid=2169) as a starting point for our rule to notify us when one connection hits a particular site more than three times per second. The rule I've written is not looping correctly; any suggestions? Here's the rule I have so far:

    when HTTP_REQUEST {
        log "$reqs_sec [HTTP::uri]"
        set cur_time [clock seconds]
        if { [HTTP::request_num] > 1 } {
            if { $cur_time == $start_time } {
                if { [HTTP::uri] contains "SomethingInTheURI" } {
                    incr reqs_sec
                    log "$reqs_sec"
                    if { $reqs_sec > "3" } {
                        log "to [HTTP::uri]"
                        log "script_kiddies from [IP::client_addr] hit [HTTP::uri] three or more times per second at $cur_time"
                        return
                    }
                }
            }
        }
        set reqs_sec "0"
        set start_time $cur_time
    }

Here is unRuleY's original rule:

    when HTTP_REQUEST {
        set cur_time [clock seconds]
        if { [HTTP::request_num] > 1 } {
            if { $cur_time == $start_time } {
                if { $reqs_sec > 3 } {
                    HTTP::respond 503 Retry-After 2
                }
                incr reqs_sec
                return
            }
        }
        set start_time $cur_time
        set reqs_sec 0
    }

- Colin_Walker_12
Historic F5 Account
When you say it's not looping properly... what do you mean? Could you provide some more clarification as to how the iRule is behaving in comparison to how you'd like it to behave?
Thanks,
-Colin
- unRuleY_95363
Historic F5 Account
I think you may want to place the

    if { [HTTP::uri] contains "SomethingInTheURI" } {

at a higher level (perhaps combined with the HTTP::requests > 1 line).
Basically, I think you have a logic problem. You should map out a logic table and see if it is what you expect. (A logic table is where you take all the variables/inputs and then assign them the range of logical values and map out the results).
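
Added example, not part of the original thread or any poster's code: one way to restructure the rule along the lines suggested above, with the URI test at the top level and the counter reset only when the clock second changes. Initialising the variables in CLIENT_ACCEPTED and logging once per window (on the fourth matching request) are assumptions; the count is per connection, as in the rules posted above.

```tcl
# Added example; "SomethingInTheURI" and the "script_kiddies" keyword are
# taken from the posts above, everything else is an assumption.
when CLIENT_ACCEPTED {
    # Per-connection state, set before any HTTP_REQUEST reads it, so the
    # first request never references an undefined variable.
    set start_time [clock seconds]
    set reqs_sec 0
}

when HTTP_REQUEST {
    # URI test at the top level: requests for other URIs neither
    # increment nor reset the counter.
    if { !([HTTP::uri] contains "SomethingInTheURI") } {
        return
    }

    set cur_time [clock seconds]

    # Reset only when the one-second window has rolled over, not on
    # every request that fails to exceed the threshold.
    if { $cur_time != $start_time } {
        set start_time $cur_time
        set reqs_sec 0
    }

    incr reqs_sec

    # Log once per window, on the first request past the limit, so the
    # syslog-ng match on "script_kiddies" sends one email per burst
    # rather than one per request.
    if { $reqs_sec == 4 } {
        log local0. "script_kiddies from [IP::client_addr] hit [HTTP::uri] more than three times per second at $cur_time"
    }
}
```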
