iRule to block http content
Hello all,
I am looking for a simple iRule to inspect HTTP content that is sent back via POST from a particular user and drop if the HTTP content contains
id=sa_sabre&event=sa_exchangeSrvr_state
or
id=sa_sabre&event=sa_sip_state.
Thank you
16 Replies
- Stanislas_Piro2
Cumulonimbus
Try this iRule:

```tcl
when HTTP_REQUEST {
    if { ([URI::query [HTTP::uri] id] equals "sa_sabre") && (([URI::query [HTTP::uri] event] equals "sa_exchangeSrvr_state") || ([URI::query [HTTP::uri] event] equals "sa_sip_state")) } {
        drop
    }
}
```

- Stanislas_Piro2
Cumulonimbus
This iRule does the same for the POST method:

```tcl
when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" } {
        # Trigger the collection for up to 1MB of data
        if { [HTTP::header Content-Length] ne "" and [HTTP::header value Content-Length] <= 1048576 } {
            set content_length [HTTP::header value Content-Length]
        } else {
            set content_length 1048576
        }
        # Check if $content_length is not set to 0
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}

when HTTP_REQUEST_DATA {
    # Do stuff with the payload
    set payload "?[HTTP::payload]"
    if { ([URI::query $payload id] equals "sa_sabre") && (([URI::query $payload event] equals "sa_exchangeSrvr_state") || ([URI::query $payload event] equals "sa_sip_state")) } {
        drop
    }
}
```

- Yann_Desmarest_
Nacreous
Hi,
There are some encoding errors in the above iRule; try this one instead. It's the same with some encoding characters fixed:

```tcl
when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" } {
        # Trigger the collection for up to 1MB of data
        if { [HTTP::header Content-Length] ne "" and [HTTP::header value Content-Length] <= 1048576 } {
            set content_length [HTTP::header value Content-Length]
        } else {
            set content_length 1048576
        }
        # Check if $content_length is not set to 0
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}

when HTTP_REQUEST_DATA {
    # Do stuff with the payload
    set payload "?[HTTP::payload]"
    if { ([URI::query $payload id] equals "sa_sabre") && (([URI::query $payload event] equals "sa_exchangeSrvr_state") || ([URI::query $payload event] equals "sa_sip_state")) } {
        drop
    }
}
```

- Mustafa_Hashmi_
Nimbostratus
Still getting errors when saving the iRule:

```
01070151:3: Rule [/Common/Block_Polycom] error: /Common/Block_Polycom:18: error: [parse error: PARSE syntax 622 {syntax error in expression "([URI::query $payload id] equals "sa_sabre") && (([U...": variable references require preceding $}][{([URI::query $payload id] equals "sa_sabre") && (([URI::query $payload event] equals "sa_exchangeSrvr_state") || ([URI::query $payload event] equals "sa_sip_state"))}]
```

LTM is using: 11.6.06.0.442

- Mustafa_Hashmi_
Nimbostratus
OK removed && and replaced with "and" and the iRule saved.

- Mustafa_Hashmi_
Nimbostratus
Thank you for the rule. Question: when applying the iRule to our resources, we get the following error:

```
01070394:3: HTTP_REQUEST event in rule (/Common/Block_Polycom) requires an associated HTTP or FASTHTTP profile on the virtual server (/Common/vs-TMS-HTTPS).
```

The virtual server config is:

```
tmsh create ltm virtual vs-TMS-HTTPS {description "TMS Redundancy Virtual Server" destination 10.0.200.40:443 ip-protocol tcp mask 255.255.255.255 pool pl-TMS-HTTPS profiles add {fastL4} source 0.0.0.0/0 source-address-translation {type automap} translate-address enabled translate-port enabled vlans add {internal} vlans-enabled}
```

How can we get this iRule applied to our virtual server?
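A consolidated form of the POST-body rule discussed in this thread, as an added example that is not any poster's code: it uses the `and`/`or` word operators that saved on the poster's system, caps collection at 1 MB, percent-decodes the two fields before comparing them, and logs each drop. The Content-Type test, the variable names and the log message format are assumptions made for the example.

```tcl
# Added example (not from the thread). Like the rules above, it needs an HTTP
# profile on the virtual server, as error 01070394 states.
when HTTP_REQUEST {
    # Assumption: the client sends the id/event pair as a form-encoded POST body.
    # Remove the Content-Type test if the client uses another media type.
    set ctype [string tolower [HTTP::header value "Content-Type"]]
    if { [HTTP::method] eq "POST" and $ctype starts_with "application/x-www-form-urlencoded" } {
        # Never buffer more than 1 MB of request body.
        set max_collect 1048576
        if { [HTTP::header exists "Content-Length"] and [HTTP::header value "Content-Length"] <= $max_collect } {
            set collect_len [HTTP::header value "Content-Length"]
        } else {
            set collect_len $max_collect
        }
        # HTTP::collect with a length of 0 would never fire HTTP_REQUEST_DATA.
        if { $collect_len > 0 } {
            HTTP::collect $collect_len
        }
    }
}

when HTTP_REQUEST_DATA {
    # URI::query expects a URI, so the body is prefixed with "?" as in the thread.
    set payload "?[HTTP::payload]"
    # Decode percent-encoding so encoded and plain spellings compare the same.
    set id    [URI::decode [URI::query $payload id]]
    set event [URI::decode [URI::query $payload event]]
    if { $id eq "sa_sabre" and ($event eq "sa_exchangeSrvr_state" or $event eq "sa_sip_state") } {
        # Record what was blocked and from where before dropping the connection.
        log local0.notice "Block_Polycom: dropped POST from [IP::client_addr] to [HTTP::host][HTTP::path] event=$event"
        drop
    }
}
```

On a virtual server that listens on port 443, the BIG-IP also has to terminate TLS with a client SSL profile before any HTTP event can see the request; a fastL4-only virtual server passes the encrypted stream through untouched.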