iRule that triggers a capture of the HTTP request before rejecting

Question

I'm using the following iRule to block an attack coming from an IP that is behind a proxy; however we can still see the original in the XFF header.  So far this iRule is working but would like to trigger a capture to better build a policy in ASM to block.  Is there a way to trigger a method to capture and log the full request when we get a match and send the 410?
Note:Credit to hoolio https://devcentral.f5.com/questions/using-x-forwarded-for-to-block-clients
when HTTP_REQUEST {

if {[HTTP::header "X-Forwarded-For"] ne ""}{

log local0. "XFF: [HTTP::header "X-Forwarded-For"]"

foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {

log local0. "Current XFF element: $xff"

if {[IP::addr $xff equals 1.2.3.4]}{
            log local0. "Sending 410 for $xff"
            HTTP::respond 410
            break
         }
      }
   }
}

rob_carr · Answer

Why not let the request go through to ASM, block it there where you can log all illegal requests, then intercept the blocking response and re-write it to a 410?&nbsp;

stanislas_piro2 · Answer

Hi,
You can log output from command :
[HTTP::request]

This command returns the whole request!

Forum Discussion

iRule that triggers a capture of the HTTP request before rejecting

Recent Discussions

NAT for specific IPs

Upgrading BIGIP 2000S to R2600

TS Declarations for DNS

how to view list os client support via cli

automatic learning logs/report ?

Related Content

Decrypting BIG-IP Packet Captures without iRules

Decrypting BIG-IP Packet Captures Automatically

DevCentral Connects hosts Capture the Flag!

Automating Packet Captures on BIG-IP

Leveraging Ansible Rulebooks for Streamlined Event Triggers: Advantages and Benefits

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS