Patti_G_72768
Oct 29, 2013

Convert LOIC client rule to an iRule

Hi, here is another one I need to be able to convert from its original formatted rule into an iRule. This one needs to alert when a LOIC client has been detected. The requirements are to check for a missing Accept-Language header; a missing Referer header; a missing Cookie header and look for the user-agent "MSIE 6.0" and "chkd 1.2". Here is the iRule I came up with:

 

    when HTTP_REQUEST {
        if { not ([HTTP::header exists Accept-Language])
             and not ([HTTP::header exists Referer])
             and not ([HTTP::header exists Cookie])
             and ([HTTP::header User-Agent] contains "MSIE\ 6.0")
             and ([HTTP::header User-Agent] contains "chkd\ 1.2") } {
            log local0. "Possible LOIC 1.1 client detected."
        }
    }

 

If someone could review it and let me know where I went wrong I would greatly appreciate it.

 

I also wanted to know if there was a way the user-agent search could be mixed case or is the rule searching for it in mixed case when we say it contains XYZ?

 

Thanks,

 

Patti

 

1 Reply

  • Your iRule looks about right. To perform a case-insensitive string match, convert the value to lowercase with [string tolower ]

    if { [string tolower [HTTP::header User-Agent]] contains "blah" }    
    

    Also, just curious, but from what source are these "signatures" being defined? At this point I think you'll be better off employing a web application firewall to protect against types of attacks, instead of creating logic in iRules to cover specific attacks.
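
A version of the check that combines the conditions from the question with the case-insensitive match from the reply, added here as an example and not code from either poster. It assumes both User-Agent substrings must be present, and it logs the client address as an extra detail.

```tcl
when HTTP_REQUEST {
    # Lowercase the User-Agent once so both substring tests ignore case.
    # An absent header yields an empty string, which matches nothing.
    set ua [string tolower [HTTP::header value User-Agent]]

    # Collect which of the three headers named in the question are absent.
    set missing {}
    foreach name {Accept-Language Referer Cookie} {
        if { not [HTTP::header exists $name] } {
            lappend missing $name
        }
    }

    # "contains" takes a single right-hand operand, so each substring
    # gets its own test. Patterns are written in lowercase to match $ua.
    if { [llength $missing] == 3
         and ($ua contains "msie 6.0")
         and ($ua contains "chkd 1.2") } {
        log local0. "Possible LOIC 1.1 client detected from [IP::client_addr]"
    }
}
```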