For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chadwick_McInni's avatar
Chadwick_McInni
Icon for Nimbostratus rankNimbostratus
Oct 04, 2005

iRule that generates an email

Is there a way to have an iRule generate an email from the BigIP when an event happens? For example, we want an email to be sent to a group whenever a certain vip is hit 10 times in one minute from t...
application delivery
dev
devops
iRules
Chadwick_McInni's avatar
Chadwick_McInni
Icon for Nimbostratus rankNimbostratus
Nov 23, 2005
We have syslog-ng setup to email us whenever the term "script_kiddies" shows up in the ltm logs. I've used unRuley's post (http://devcentral.f5.com/Default.aspx?tabid=28&view=topic&forumid=5&postid=2169) as a starting point for our rule to notify us when one connection hits a particular site more than three times per second. The rule I've written is not looping correctly, any suggestions? Here's the rule I have so far:

 
when HTTP_REQUEST {
   log "$reqs_sec [HTTP::uri]"
   set cur_time [clock seconds]
   if { [HTTP::request_num] > 1 } {
      if { $cur_time == $start_time } {
        if { [HTTP::uri] contains "SomethingInTheURI" } { 
         incr reqs_sec 
         log "$reqs_sec"         
         if { $reqs_sec > "3" } {
           log "to [HTTP::uri]"
           log "script_kiddies from [IP::client_addr] hit [HTTP::uri] three or more times per second at $cur_time"
           return
         }
       }
   }   
}
  set reqs_sec "0" 
  set start_time $cur_time
}

Here's is unRuleY's original rule:

when HTTP_REQUEST { 
    set cur_time [clock seconds] 
    if { [HTTP::request_num] > 1 } { 
       if { $cur_time == $start_time } { 
          if { $reqs_sec > 3 } { 
             HTTP::respond 503 Retry-After 2 
          } 
          incr reqs_sec 
          return 
       } 
    } 
    set start_time $cur_time 
    set reqs_sec 0 
 }