For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

scott_126211's avatar
scott_126211
Icon for Nimbostratus rankNimbostratus
Sep 10, 2013

iRule to drop HTTP GET requests that don't have zero content length header

I'm new to iRules, and hoping to get some assistance. I've searched here for examples and haven't come across anything. I'm looking to implement an iRule that would only allow GET requests that have a content header length = 0, and drop the rest. Any of you expert coders know what that rule would look like? Thanks in advance. Scott

 

application delivery
devops
iRules
security

9 Replies

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Sep 10, 2013

    Are you looking for requests that have any content length (like a POST):

    when HTTP_REQUEST {
    if { [HTTP::header exists Content-Length] } {
        drop
    }
}

    Or something that specifically has a content length of zero:

    when HTTP_REQUEST {
    if { ( [HTTP::header exists Content-Length] ) and ( [HTTP::header Content-Length] == 0 ) } {
        drop
    }
}
  • scott_126211's avatar
    scott_126211
    Icon for Nimbostratus rankNimbostratus
    Sep 10, 2013

    I'm looking to drop only GET requests that don't have 0 content-length. If the GET request is properly formatted with a zero content-length, I want to allow it.

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Sep 10, 2013
    when HTTP_REQUEST {
    if { ( [HTTP::method] equals "GET" ) and ( [HTTP::header exists Content-Length] ) and ( [HTTP::header Content-Length] == 0 ) } {
         do nothing
    } else {
        reject
    }
}

    What if the request doesn't have a Content-Length header?

  • scott_126211's avatar
    scott_126211
    Icon for Nimbostratus rankNimbostratus
    Sep 12, 2013

    That's a good question....is "not exist" a valid qualifier? so...would this work?

     

    when HTTP_REQUEST { if { ( [HTTP::method] equals "GET" ) and ((( [HTTP::header exists Content-Length] ) and ( [HTTP::header Content-Length] == 0 )) or ( [HTTP::header not exist Content-Length] )) } { do nothing } else { reject } }

     

  • scott_126211's avatar
    scott_126211
    Icon for Nimbostratus rankNimbostratus
    Sep 12, 2013

    Thanks Kevin!!!

     

    So does this look like the right way to implement it?

     

    when HTTP_REQUEST { if { ( [HTTP::method] equals "GET" ) and ( [HTTP::header exists Content-Length] ) and ( [HTTP::header Content-Length] == 0 ) } or { not ( [HTTP::header exists Content-Length] ) } do nothing } else { reject } }

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Sep 12, 2013

    I think this will work... 😉

    when HTTP_REQUEST {
    if { ( [HTTP::method] equals "GET" ) and ( ( ( [HTTP::header exists Content-Length] ) and ( [HTTP::header Content-Length] == 0 ) ) or ( not [HTTP:::header exists Content-Length] ) ) } {
         do nothing
    } else {
        reject
    }
}