suyeup_77835
Jun 07, 2011Nimbostratus
need count a HTTPheader Referer
hi.. my name is sooyeup.kim i'm from korea.
i need help.
now, my company have F5 L7-Switch.(four!!) but we don't have iRule engineer.
(customize the iRule is very hard!!T0T) i need this iRule.
1. Count a All Referer(HTTP::header) and IP
2. if some Referer is over the limit, drop that IP
i was write the this iRule, but that is wrong!!!T-T
when RULE_INIT {
array unset ::user array
set ::user { } array
set ::blocklist { } array
set ::refererlist{ }
set ::attacktime 10
set ::maxreferer 100
set ::holdtime 3 set ::referer }
when HTTP_REQUEST {
set ::referer [HTTP::header Referer]
if { ($::referer contains "mrtg") } {
if { [ info exists ::blocklist([IP::remote_addr]) ] } {
if {$::holdtime > [ expr [clock seconds] - $::blocklist([IP::remote_addr]) ] } {
drop log local5. "[IP::remote_addr] is HOLD" return
} else {
unset ::blocklist([IP::remote_addr]) log local5. "[IP::remote_addr] is released" }
}
if{[info exists ::refererlist]}{
if{[HTTP::header Referer] equals $::refererlist}{
if { [info exists ::user([IP::remote_addr],count)] } {
if { $::attacktime > [expr [clock seconds] - $::user([IP::remote_addr],duration)]} {
if {$::user([IP::remote_addr],count) > $::maxreferer } {
set ::blocklist([IP::remote_addr]) [clock seconds]
log local5. "[IP::remote_addr] is blocked"
drop
return
} else {
incr ::user([IP::remote_addr],count) 1
return
}
} else {
unset ::user([IP::remote_addr],count)
unset ::user([IP::remote_addr],duration) }
} else {
if { 20000 < [array size ::user] } {
array unset ::user array set ::user { } }
set ::user([IP::remote_addr],count) 1
set ::user([IP::remote_addr],duration) [clock seconds]
set ::refererlist([HTTP::header Referer]) }
}
}
}
}
help me please!
thank you..