Forum Discussion
Send Attackers IP to another system via API
send POST method should use the iRules sideband method. The difficulty is whether your server POST does not require username, password or Token authentication about F5?
firstly, F5 whether can ping NGFW and telnet NGFW 80(assume NGFW api service port is 80)?
secondly, if F5 can not telnet NGFW 80, F5 need to add network route to NGFW, make sure F5 can telnet NGFW 80
here is the code, NGFW(example NGFW ip is 10.0.0.10, api service port is 80) with no authentication for POST
when ASM_REQUEST_DONE priority 500 {
set asm_ip [ASM::client_ip]
set asm_json "\{\"Client_address\":$asm_ip\}"
set content_length [string length $asm_json]
set data "POST /sample/post/json HTTP/1.0\r\nHost: test.com\r\nContent-type: application/json\r\nContent-Length: ${content_length}\r\n\r\n${asm_json}"
if { [catch {connect -time 1000 -idle 30 -status conn_status 10.0.0.10:80} conn_id] == 0 && $conn_id ne "" } {
log local0. "Connect returns: $conn_id and conn status: $conn_status"
set send_bytes [send -timeout 1000 -status send_status $conn_id $data]
log local0. "Sent $send_bytes with status $send_status"
close $conn_id
return
} else {
log local0. "Connection could not be established to NGFW"
}
}
xuwen, thanks! Thats brilliant! Yeah, you're right! Now i facing problem with authentication. Is it possible to:
1. Send first POST request with credentials.
2. Get cookies from response to first POST request.
3. Send second POST request with attacker IP in payload and cookies in headers?
Is it possible to do that in one iRule? Any suggestions?
- xuwenJan 18, 2023Cumulonimbus
You'd better give the complete format of curl for calling the api twice, and show the response result of NGFW(curl -v http://xxxx)
Think of two methods. Write your own code to test it:
1. HTTP Super SIDEBAND Requesto
2. Use iRulesLx, node.js send http post api is definitely simpler and faster than tcl
- AantatJan 20, 2023Cirrus
Hi xuwen
Could you please share some iRulesLX codes with sending http post? Thanks in advance
- Nikoolayy1Jan 23, 2023MVP
Aantat just a fast note the community is not F5 PS and you will need to do some coding. For example I googled F5 irules lx and I came up on this post and you could find others and use them for your usecase.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com