For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chenco_322726's avatar
Chenco_322726
Icon for Nimbostratus rankNimbostratus
Jan 24, 2018

Irule to block Requests with specific word

Hello All, I've many websites hosted behind F5 Lately im getting alot of spam through the "contact-us" form with a specific words like " viagra " or something like that. Is there any possible way to...
aws
devops
iRules
security
waf
Lee_Sutcliffe's avatar
Lee_Sutcliffe
Icon for Nacreous rankNacreous
Jan 24, 2018

This isn't tested, but may be a useful starting point for you. You can use HTTP::collect to collect payload data and find what you're looking for in HTTP_REQUEST_DATA.

Putting restricted words in a datagroup means you don't have to change the iRule everytime you add a new word. 

 DATAGROUP
ltm data-group internal restricted_dg {
    records {
        restricted_word {}
    }
    type string
}

IRULE
when HTTP_REQUEST {
    if {[HTTP::method] eq "POST"} {
        HTTP::collect 100    
    }
}

when HTTP_REQUEST_DATA {
    set payload [HTTP::payload]
    if {[class match $payload contains "restricted_dg"]} {
        log local0. "Rejecting restricted content" 
        reject
    }
}

HTTP::payload https://devcentral.f5.com/wiki/iRules.HTTP__payload.ashx

HTTP::collect https://devcentral.f5.com/wiki/iRules.HTTP__collect.ashx