Forum Discussion

Mustafa_Hashmi_'s avatar
Mustafa_Hashmi_
Icon for Nimbostratus rankNimbostratus
May 18, 2016

iRule to block http content

Hello all,   I am looking for a simple iRule to inspect HTTP content that is sent back via POST from a particular user and drop if the HTTP content contains   id=sa_sabre&event=sa_exchangeSrvr...
application delivery
iRules
LTM
security
Yann_Desmarest_'s avatar
Yann_Desmarest_
Icon for Nacreous rankNacreous
May 23, 2016

Hi,

There is some encoding errors in the above irule, try this one instead, it's the same with some fixed encoding chars : 

when HTTP_REQUEST {
   if { [HTTP::method] eq "POST" } {
       Trigger the collection for up to 1MB of data
      if { [HTTP::header Content-Length] ne "" and [HTTP::header value Content-Length] >= 1048576 } {
         set content_length [HTTP::header value Content-Length]
      } else {
         set content_length 1048576
      }
       Check if $content-length is not set to 0
      if { $content_length > 0 } {
         HTTP::collect $content_length
      }
   }
}
when HTTP_REQUEST_DATA {
    Do stuff with the payload
   set payload "?[HTTP::payload]"
   if {([URI::query $payload id] equals "sa_sabre") && (([URI::query $payload event] equals "sa_exchangeSrvr_state") || ([URI::query $payload event] equals "sa_sip_state"))}  {
        drop
    }
}
  • Mustafa_Hashmi_'s avatar
    Mustafa_Hashmi_
    Icon for Nimbostratus rankNimbostratus
    May 23, 2016
    Still getting errors when saving the iRule: 01070151:3: Rule [/Common/Block_Polycom] error: /Common/Block_Polycom:18: error: [parse error: PARSE syntax 622 {syntax error in expression "([URI::query $payload id] equals "sa_sabre") && (([U...": variable references require preceding $}][{([URI::query $payload id] equals "sa_sabre") && (([URI::query $payload event] equals "sa_exchangeSrvr_state") || ([URI::query $payload event] equals "sa_sip_state"))}] LTM is using: 11.6.06.0.442
  • Mustafa_Hashmi_'s avatar
    Mustafa_Hashmi_
    Icon for Nimbostratus rankNimbostratus
    May 23, 2016
    OK removed && and replaced with "and" and the iRule saved.
  • Mustafa_Hashmi_'s avatar
    Mustafa_Hashmi_
    Icon for Nimbostratus rankNimbostratus
    May 24, 2016
    Thank you for the rule. Question, when applying irule to our resources, we get the following error: 01070394:3: HTTP_REQUEST event in rule (/Common/Block_Polycom) requires an associated HTTP or FASTHTTP profile on the virtual server (/Common/vs-TMS-HTTPS). The Virtual server config is: tmsh create ltm virtual vs-TMS-HTTPS {description "TMS Redundancy Virtual Server" destination 10.0.200.40:443 ip-protocol tcp mask 255.255.255.255 pool pl-TMS-HTTPS profiles add {fastL4} source 0.0.0.0/0 source-address-translation {type automap} translate-address enabled translate-port enabled vlans add {internal} vlans-enabled} How can we get this iRule applied to our virtual server?
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Icon for Nacreous rankNacreous
    May 24, 2016
    Unfortunately, This irule require an http or fasthttp profile. not fastL4.
  • Mustafa_Hashmi_'s avatar
    Mustafa_Hashmi_
    Icon for Nimbostratus rankNimbostratus
    May 24, 2016
    Can the iRule be modified to use the FastL4?
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Icon for Nacreous rankNacreous
    May 24, 2016
    Hi, unfortunately you need to have a "standard" vs and http profile attached to be able to inspect http