For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chenco_322726's avatar
Chenco_322726
Icon for Nimbostratus rankNimbostratus
Jan 24, 2018

Irule to block Requests with specific word

Hello All, I've many websites hosted behind F5 Lately im getting alot of spam through the "contact-us" form with a specific words like " viagra " or something like that. Is there any possible way to...
aws
devops
iRules
security
waf
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Jan 29, 2018

Try this code to prevent issue. the problem may be the variable payload contains space and the code fails as the following string in the payload is read as a new argument. this solution will bypass the issue but may let some SPAM get in.

 

 Collect a request payload
when HTTP_REQUEST {

  if {[HTTP::method] eq "POST"}{
     Trigger collection for up to 1MB of data
    if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{
      set content_length [HTTP::header "Content-Length"]
    } else {
        set content_length 1048576
    }
     Check if $content_length is not set to 0
    if { $content_length > 0} {
      HTTP::collect $content_length
    }
  }
}

when HTTP_REQUEST_DATA {
    set payload [HTTP::payload]
    catch {
        if {[class match $payload contains "restricted_dg"]} {
            log local0. "Rejecting restricted content" 
            reject
        }
    }
    HTTP::release
}