For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mohanad's avatar
Mohanad
Icon for Cirrostratus rankCirrostratus
Dec 30, 2021

irule to match string in /var/log/ltm

Hello

i need irule irule to match string in /var/log/ltm so i can take action

 

i need to match on diA

 when BOTDEFENSE_ACTION {
     if {[$diA equals {"[AYrQyWEAAAAACxF5RBPJyPdDICteKxbw"}]} {
         set res [BOTDEFENSE::action tcp_rst]
		   BOTDEFENSE::action custom_response "sorry\ni am blocking you\n"
     }
 }

error:

01220001:3: TCL error: /Common/DevID_Logging <BOTDEFENSE_ACTION> - can't read "diA": no such variable   while executing "$diA equals {"[AYrQyWEAAAAACxF5RBPJyPdDICteKxbw"}"

ASM Advanced WAF
iRules
security

3 Replies

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Dec 30, 2021

    where are you setting diA variable? even when that gets set, $diA will be evaluated as a command and fail as well with the brackets, so you'll want to rewrite that to something like:

    if { $dia eq "..."} {
  set res ...
}

    I'm assuming your testing here, and likely you'll use tables to store the fingerprints? That'll be a lot of manual configuration of them otherwise.

    • Mohanad's avatar
      Mohanad
      Icon for Cirrostratus rankCirrostratus
      Dec 31, 2021

      I'm testing Device ID+ with ASM (PoC), i imported the iApp, and used the following irule, what i want to do something with it... im connecting to a website from another PC and i logged my device id and i want to blocked my pc.

      when HTTP_REQUEST {
    if [HTTP::cookie exists _imp_apg_r_] {
        set deviceid [URI::decode [HTTP::cookie _imp_apg_r_]]
        log local0. "URL Decoded cookie is $deviceid"
        set deviceida [lindex [regexp -inline -- (?:"diA":")(.*?)(?:") $deviceid] 1]
        log local0. "diA = $deviceida"
        set deviceidb [lindex [regexp -inline -- (?:"diB":")(.*?)(?:") $deviceid] 1]
        log local0. "diB = $deviceidb"
        log local0. "IP is [IP::client_addr]"
        log local0. "Path os [HTTP::path]"
    } else {
    log local0. "No cookie"
    }
}
      • CA_Valli's avatar
        CA_Valli
        Icon for MVP rankMVP
        Jan 04, 2022

        Hello Mohanad,

        based on logging instruction on line 6, the variable that will contain diA is $deviceida

         

        $diA does not exist in your code, there is no such line that sets diA variable/value pair

         

        Moreover, as Jason already mentioned, your if statement will fail since you are using square brackets incorrectly -- to keep it simple their purpose in iRule would be for retrieving packet data such as [HTTP::header] , or for operations such as line 5 of your code where you calculate diA (read TCL references for a complete overview)

         

        You will need to adjust BOTDEFENSE_ACTION if statement as follows:

         when BOTDEFENSE_ACTION {
     if { $deviceida equals "AYrQyWEAAAAACxF5RBPJyPdDICteKxbw" } {
         set res [BOTDEFENSE::action tcp_rst]
	 BOTDEFENSE::action custom_response "sorry\ni am blocking you\n"
     }
 }