Mustafa_Hashmi_
May 18, 2016

iRule to block http content

Hello all,

I am looking for a simple iRule to inspect HTTP content that is sent back via POST from a particular user and drop if the HTTP content contains

id=sa_sabre&event=sa_exchangeSrvr_state

or

id=sa_sabre&event=sa_sip_state.

Thank you

16 Replies

  • try this irule:

    when HTTP_REQUEST {
        if {([URI::query [HTTP::uri] id] equals "sa_sabre") && (([URI::query [HTTP::uri] event] equals "sa_exchangeSrvr_state") || ([URI::query [HTTP::uri] event] equals "sa_sip_state"))}  {
            drop
        }
    }
    
  • This iRule does the same for the POST method:

    when HTTP_REQUEST {
       if { [HTTP::method] eq "POST" } {
          # Trigger the collection for up to 1MB of data
          if { [HTTP::header Content-Length] ne "" and [HTTP::header value Content-Length] <= 1048576 } {
             set content_length [HTTP::header value Content-Length]
          } else {
             set content_length 1048576
          }
          # Check if $content_length is not set to 0
          if { $content_length > 0 } {
             HTTP::collect $content_length
          }
       }
    }
    when HTTP_REQUEST_DATA {
       # Prefix the payload with "?" so URI::query can parse it like a query string
       set payload "?[HTTP::payload]"
       if {([URI::query $payload id] equals "sa_sabre") && (([URI::query $payload event] equals "sa_exchangeSrvr_state") || ([URI::query $payload event] equals "sa_sip_state"))}  {
            drop
        }
    }
    
  • Hi,

    There are some encoding errors in the above iRule; try this one instead. It's the same with some fixed encoding chars:

    when HTTP_REQUEST {
       if { [HTTP::method] eq "POST" } {
          # Trigger the collection for up to 1MB of data
          if { [HTTP::header Content-Length] ne "" and [HTTP::header value Content-Length] <= 1048576 } {
             set content_length [HTTP::header value Content-Length]
          } else {
             set content_length 1048576
          }
          # Check if $content_length is not set to 0
          if { $content_length > 0 } {
             HTTP::collect $content_length
          }
       }
    }
    when HTTP_REQUEST_DATA {
       # Prefix the payload with "?" so URI::query can parse it like a query string
       set payload "?[HTTP::payload]"
       if {([URI::query $payload id] equals "sa_sabre") && (([URI::query $payload event] equals "sa_exchangeSrvr_state") || ([URI::query $payload event] equals "sa_sip_state"))}  {
            drop
        }
    }
    
    • Mustafa_Hashmi_
      Still getting errors when saving the iRule:

          01070151:3: Rule [/Common/Block_Polycom] error: /Common/Block_Polycom:18: error: [parse error: PARSE syntax 622 {syntax error in expression "([URI::query $payload id] equals "sa_sabre") && (([U...": variable references require preceding $}][{([URI::query $payload id] equals "sa_sabre") && (([URI::query $payload event] equals "sa_exchangeSrvr_state") || ([URI::query $payload event] equals "sa_sip_state"))}]

      LTM is using: 11.6.06.0.442
    • Mustafa_Hashmi_
      Thank you for the rule. Question: when applying the iRule to our resources, we get the following error:

          01070394:3: HTTP_REQUEST event in rule (/Common/Block_Polycom) requires an associated HTTP or FASTHTTP profile on the virtual server (/Common/vs-TMS-HTTPS).

      The virtual server config is:

          tmsh create ltm virtual vs-TMS-HTTPS {description "TMS Redundancy Virtual Server" destination 10.0.200.40:443 ip-protocol tcp mask 255.255.255.255 pool pl-TMS-HTTPS profiles add {fastL4} source 0.0.0.0/0 source-address-translation {type automap} translate-address enabled translate-port enabled vlans add {internal} vlans-enabled}

      How can we get this iRule applied to our virtual server?
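
The 01070394 error above arises because the virtual server carries only the `fastL4` profile, which does not parse HTTP; because it listens on port 443, the BIG-IP also has to terminate TLS before an iRule can see the POST body. As an added example (not posted by any participant in this thread), the profile change could look like the following, assuming the built-in `tcp`, `http`, `clientssl` and `serverssl` profiles stand in for site-specific ones and that the members of `pl-TMS-HTTPS` expect HTTPS:

```tmsh
# Added example, not from the thread. Profile names below are the BIG-IP
# built-in defaults and are assumptions; in production, replace "clientssl"
# with a client SSL profile that holds the site's own certificate and key.

# Before (as posted): fastL4 forwards at layer 4, so HTTP_REQUEST and
# HTTP_REQUEST_DATA can never fire and the iRule is rejected.
#   profiles add {fastL4}

# After: standard TCP proxy + TLS termination + HTTP parsing.
#   tcp        - full-proxy TCP instead of fastL4
#   clientssl  - decrypts the client side so the POST body is visible
#   serverssl  - re-encrypts towards the pool (assumes HTTPS pool members;
#                omit it if the pool members speak plain HTTP)
#   http       - enables the HTTP_* iRule events
tmsh modify ltm virtual vs-TMS-HTTPS profiles replace-all-with { tcp { } clientssl { context clientside } serverssl { context serverside } http { } }

# With an HTTP profile in place the iRule from the error message can be attached.
tmsh modify ltm virtual vs-TMS-HTTPS rules { Block_Polycom }

# Confirm the resulting profile and rule list.
tmsh list ltm virtual vs-TMS-HTTPS
```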