For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chenco_322726's avatar
Chenco_322726
Icon for Nimbostratus rankNimbostratus
Jan 24, 2018

Irule to block Requests with specific word

Hello All, I've many websites hosted behind F5 Lately im getting alot of spam through the "contact-us" form with a specific words like " viagra " or something like that. Is there any possible way to...
aws
devops
iRules
security
waf
Lee_Sutcliffe's avatar
Lee_Sutcliffe
Icon for Nacreous rankNacreous
Jan 24, 2018

Updated post with fully working iRule using datagroup

Datagroup:

ltm data-group internal restricted_dg {
    records {
        restricted {}
    }
    type string
}

Testing

curl --data "param1=restricted&param2=notrestricted" http://10.1.1.1

Jan 24 14:13:20 BIGIP info tmm1[19064]: Rule /Common/ls-http-collect : Rejecting restricted content

iRule:

when HTTP_REQUEST {
    if {[HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576} {
        set content_length [HTTP::header value "Content-Length"]
    } else {
        set content_length 1048576
    }

    if { $content_length > 0} {
        if {[HTTP::method] eq "POST"} {
            HTTP::collect [HTTP::header "Content-Length"]
        }
    } else {
        log local0. "ERROR! Content Length = $content_length"
    }
}

when HTTP_REQUEST_DATA {
    set payload [HTTP::payload]
    if {[class match $payload contains "restricted_dg"]} {
        log local0. "Rejecting restricted content" 
        reject
    }
}