Forum Discussion
cmedalis_299270
Nimbostratus
Aug 04, 2017
Stream Logging Efficiency - iRule question
I have an iRule that utilizes stream matching and header capture to pull a Client IP, a posted Username, and a response from the web application (webapp is ADFS in this case).
I am not sure if this...
cjunior
Nacreous
Aug 04, 2017
Hi dude, I maybe do it like this:
when HTTP_REQUEST {
    # If is not the logon page, nothing to do now and then
    # You must change to your real logon page address
    if { [string tolower [HTTP::path]] ne "/adfs/ls/idpinitiatedsignon.aspx" } {
        event HTTP_RESPONSE disable
        return
    }
    event HTTP_RESPONSE enable
    # Snag the Remote Client address
    set int [IP::client_addr]
    # Insert MS Proxy info for ADFS to know we are external
    HTTP::header insert "X-MS-Proxy" "F5-LTM-PROD"
    # Insert MS Proxy info for ADFS Logging
    HTTP::header insert X-MS-Forwarded-Client-IP $int
    if { [HTTP::method] eq "POST" } {
        # Trigger collection for up to 1MB of data
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] ne "" } {
            if { [HTTP::header "Content-Length"] <= 1048576 } {
                set content_length [HTTP::header "Content-Length"]
            } else {
                set content_length 1048576
            }
            # Check if $content_length is not set to 0
            if { $content_length > 0 } {
                HTTP::collect $content_length
            }
        }
    }
}
when HTTP_REQUEST_DATA {
    # Search for username=theName
    set USER [findstr [string tolower [HTTP::payload]] "username=" 9 "&"]
}
when HTTP_RESPONSE {
    # Only inspect HTML responses that follow a POST carrying a username
    if { [info exists USER] && [HTTP::header value Content-Type] contains "text/html" } {
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576 } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}
when HTTP_RESPONSE_DATA {
    # The ADFS error page contains "Incorrect" when the credentials are rejected
    if { [string match "*Incorrect*" [HTTP::payload]] } {
        log local0. "ADFS FAILED Login attempt for user $USER From Client $int"
    }
}
Feel free to check the performance and comment the code.
Respectfully
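An added example, not part of cjunior's post: a Python sketch that consumes the "ADFS FAILED Login attempt" lines this iRule writes and groups them by client and by user, so password spraying and repeated failures against one account stand out. The syslog prefix in the sample lines, the function names and both thresholds are assumptions; the username is URL-decoded because the iRule logs the raw form value.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Message text taken from the iRule's log statement; whatever precedes it on
# the line (timestamp, host, rule name) is ignored.
FAILED = re.compile(r"ADFS FAILED Login attempt for user (\S*) From Client (\S+)")

def parse_failures(lines):
    """Yield (username, client_ip) for every failed-login line."""
    for line in lines:
        m = FAILED.search(line)
        if m:
            # The iRule logs the form value undecoded (e.g. alice%40example.com).
            yield unquote_plus(m.group(1)).lower(), m.group(2)

def summarize(lines, spray_users=3, brute_attempts=3):
    """Return (clients failing against many users, users failing repeatedly).

    Both thresholds are illustrative assumptions, not values from the thread.
    """
    users_by_client = defaultdict(set)
    attempts_by_user = defaultdict(int)
    for user, client in parse_failures(lines):
        users_by_client[client].add(user)
        attempts_by_user[user] += 1
    spray = {c: sorted(u) for c, u in users_by_client.items() if len(u) >= spray_users}
    brute = {u: n for u, n in attempts_by_user.items() if n >= brute_attempts}
    return spray, brute

# Constructed sample lines; the syslog prefix is an assumed layout.
_PFX = "Aug  4 10:15:01 ltm1 info tmm[1001]: Rule /Common/adfs_log <HTTP_RESPONSE_DATA>: "
_MSG = "ADFS FAILED Login attempt for user {} From Client {}"
SAMPLE = [_PFX + _MSG.format(u, c) for u, c in [
    ("alice%40example.com", "203.0.113.5"),
    ("bob%40example.com", "203.0.113.5"),
    ("carol%40example.com", "203.0.113.5"),
    ("dave%40example.com", "198.51.100.7"),
    ("dave%40example.com", "198.51.100.7"),
    ("dave%40example.com", "198.51.100.9"),
]] + ["Aug  4 10:15:02 ltm1 info tmm[1001]: unrelated message"]

if __name__ == "__main__":
    spray, brute = summarize(SAMPLE)
    print("possible spraying:", spray)
    print("repeated failures:", brute)
```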
