Shellshock mitigation with BIG-IP iRules

Yesterday, NIST released information on a new network exploitable vulnerability in the GNU Bash shell as demonstrated by vectors involving parts of OpenSSH sshd, the mod_cgi, and mod_cgid modules in ...
Updated Jun 06, 2023
Version 2.0
application delivery
devops
iRules
Security
shellshock
David_Hwang_149's avatar
David_Hwang_149
Icon for Nimbostratus rankNimbostratus
Oct 03, 2014
Quick question. I know this irule script will reject and log. However is there a way to set it to only log and not reject? If I simply remove reject; from the script will it monitor instead of using the reject action? when HTTP_REQUEST { set pattern "*() \{*"; if { [string match $pattern [HTTP::uri]] } { log local0. "Detected CVE-2014-6271 attack from '[IP::client_addr]' in URI '[HTTP::uri]'"; reject; Is the reject; syntax an action command or is it simply a message that the hacker receives? This part is what is throwing me off. "I chose to issue a reject on the connection. If you want to be more polite to the hackers, you can substitute the "reject" with a 403 - Forbidden." Thanks!