18-Apr-2023 02:56
Hi, I need help creating the fastest solution (LTM Policy / iRule / other) to do this:
If client IP = X.X.X.X
and request contains = XYZ
Drop the client / or block by WAF message
Thank you!
18-Apr-2023 04:22
For a very quick solution to match on a single source IP and URI, you could use the following:
when HTTP_REQUEST {
if { ( ( [IP::addr [IP::client_addr] equals X.X.X.X] ) && ( [string tolower [HTTP::uri]] contains "xyz" ) ) } {
drop
}
}
However, if you need need it to be more scalable, I would probably use a data group to hold multiple client IP addresses and then maybe another data group or switch -glob statement to match on multiple URIs.
18-Apr-2023 05:24
I'd just advise to avoid using "string tolower" on HTTP uri instruction, since path is case sensitive.
18-Apr-2023 05:26
Good point 👍
18-Apr-2023 05:26
So what is better?
18-Apr-2023 05:28
[HTTP::path] or [HTTP::query] should work just fine for exact matches on path/query parts of the uri
18-Apr-2023 05:29
If you are using a mixture of upper and lowercase letters in your URI and you need an exact match on this, then remove the [string tolower]
when HTTP_REQUEST {
if { ( ( [IP::addr [IP::client_addr] equals X.X.X.X] ) && ( [HTTP::uri] contains "XYZ" ) ) } {
drop
}
}