Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Chenco_322726's avatar
Chenco_322726
Icon for Nimbostratus rankNimbostratus
8 years ago

Irule to block Requests with specific word

Hello All, I've many websites hosted behind F5 Lately im getting alot of spam through the "contact-us" form with a specific words like " viagra " or something like that. Is there any possible way to...
aws
devops
irules
security
waf
Lee_Sutcliffe's avatar
Lee_Sutcliffe
Icon for Nacreous rankNacreous
8 years ago

Updated post with fully working iRule using datagroup

Datagroup:

ltm data-group internal restricted_dg {
    records {
        restricted {}
    }
    type string
}

Testing

curl --data "param1=restricted&param2=notrestricted" http://10.1.1.1

Jan 24 14:13:20 BIGIP info tmm1[19064]: Rule /Common/ls-http-collect : Rejecting restricted content

iRule:

when HTTP_REQUEST {
    if {[HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576} {
        set content_length [HTTP::header value "Content-Length"]
    } else {
        set content_length 1048576
    }

    if { $content_length > 0} {
        if {[HTTP::method] eq "POST"} {
            HTTP::collect [HTTP::header "Content-Length"]
        }
    } else {
        log local0. "ERROR! Content Length = $content_length"
    }
}

when HTTP_REQUEST_DATA {
    set payload [HTTP::payload]
    if {[class match $payload contains "restricted_dg"]} {
        log local0. "Rejecting restricted content" 
        reject
    }
}