Forum Discussion
R__Winters_7757
Nimbostratus
NimbostratusiRule to alert on hotlinking
Hey all,
I am looking for an irule to trigger an alert whenever hotlinking is detected. We are having issues with phishers mirroring our pages but thankfully they keep the FQDN of the images so we would like to use the ASM to detect when our images are being hotlinked.
note: we do NOT want to block the hotlinking, only trigger an alert with the referer url included
Thanks in advance.
- Something like this should work for you. Just check the Referer header and see if it's from the same domain as the request.
when HTTP_REQUEST { if { [HTTP::header exists "Referer"] } { if { ! ([HTTP::header "Referer"] starts_with "http://[HTTP::host]") } { log local0. "Someone is hotlinking this image. Uri: [HTTP::uri]; Referer: '[HTTP::header Referer]'"; } } }
this only checks http:// requests. You'll need to add additional logic to check for https:// urls.
As for alerting, you should be able to setup an alert on syslog to trigger when the above string is added to the log.
-Joe 
R__Winters_7757Joe,
Thanks for the response. On my own I came up withwhen HTTP_REQUEST { set refer_host [string tolower [URI::host [HTTP::header Referer]]] if { ( [matchclass [HTTP::uri] ends_with $::images] ) and ( not [matchclass $refer_host starts_with $::allowed_referers] ) } { log "Warning, Hotlinking detected from: $refer_host" } }
I just had two questions,
1. If I add a data group list for allowed_referers, how are those input? FQDN? Just host? i.e. example.com, www.example.com, or http://www.example.com
2. what is the significance of "local 0"?- local 0 is the logging level for syslog.. 0 being the highest, 7 the lowest..
0 emergencies System unusable
1 alerts Immediate action required
2 critical Critical condition
3 errors Error conditions
4 warnings Warning conditions
5 notifications Normal but significant conditions
6 informational Informational messages
7 debugging Debugging messages 
DeVon_JarvisAltostratus
As far as the header Referer goes, this header would include the full URL, including protocol. Just like you would see it in the URL field in the browser. For example:
http://www.example.com/this/that/theother.jsp
So, since you are using the URI::host method, this would extract the host and your refer_host variable would be set to www.example.com, if we follow the prior example.
So, if you were using starts_with, you would have to match all possibilities at the beginning of the URL. ie. www.example.com, example.com, goodstuff.example.com, etc.
If you are just interested in a domain (example.com), then I would change the operator to ends_with and just specify example.com as a string or put it in your class.
DeVon
hoolioCirrostratus
I'd try to tailor the iRule (and optionally datagroup) for your exact scenario to minimize the load this would use. If you only have one or two domains that should be referring to your web app and it's only http:// for example, I'd avoid a datagroup and any parsing of the referer header. If it's more complicated than that, I'd suggest using timing to compare the efficiency of parsing the referer header and/or checking against a datagroup.
Also, the log command accepts a syslog facility as iRuleYou mentioned. If you don't specify the facility, the log messages are throttled:
http://devcentral.f5.com/wiki/default.aspx/iRules/log
There is a significant behavioral difference when the optional . is specified. When iRule logs messages without the facility and/or level, they are rate-limited as a class and subsequently logged messages within the rate-limit period may be suppressed even though they are textually different. However, when the and/or are specified, the log messages are not rate-limited (though syslog-ng will still perform suppression of repeated duplicates).
Aaron
