ShellShock iRule

Question

Hey Everyone,
I am wondering if it is possible to modify the existing shellshock irule to log both source and destination IPs. I am sure there is but I am no TCL expert so any help would be appreciated.&nbsp;
when HTTP_REQUEST {
  if { [string match "() {;}" [HTTP::request]] } {
    log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]'; URI = '[HTTP::uri]'";
    reject;
  }
}&nbsp;

chris_g_01_1415 · Answer

So after much trial and error I think I got it. If anyone would like to try and validate that would be nice for anyone trying to do the same.&nbsp;
when HTTP_REQUEST {
  if { [string match "() {;}" [HTTP::request]] } {
    log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]'; destination '[IP::local_addr]'; URI = '[HTTP::uri]'";
    reject;
  }
}&nbsp;

what_lies_bene1 · Answer

Chris,&nbsp;
I don't see any issues with what you've done but note the 'official' rule and the comments around it here: https://devcentral.f5.com/articles/shellshock-mitigation-with-big-ip-irules&nbsp;

Forum Discussion

ShellShock iRule

2 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

OWA File Upload URIs for WAF Bypass

F5 AWAF/ASM learning only from Trusted traffic?

irule execution error

Curl 7.10.5 < 8.12.0 Integer Overflow (CVE-2025-0725)

Show or List F5 XC Routes in the Web

Related Content

Shellshock mitigation with BIG-IP iRules

CVE-2014-6271 Shellshocked

Shellshock – The SIP Proxy Edition

Bash Shellshock Mitigation Using ASM Signatures

Shellshock mitigation with LineRate Proxy

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS