PG0581
Dec 16, 2022 · Cirrus
iRule to filter on URIs and strings in the body of the payload
Hello, I am working on another iRule to filter on a couple of URIs and a couple of strings in the body of the payload, when a POST is made from the client, and if these all match, drop.
So far, from what I have found in my search, I think I can use "HTTP::collect" and then "findstr [HTTP::payload]" to find the strings in the payload (I also am of the understanding that the string may not appear within the first 1 MB of the payload). I am just not sure whether what I posted below is going to work or not; it likely needs to be tweaked.
Any feedback would be appreciated!

    # tmsh command (run on the BIG-IP, not part of the iRule):
    create ltm data-group internal uri-list records add { abc { } def { } } type string

    when HTTP_REQUEST {
        # Only inspect POST requests whose URI matches an entry in uri-list
        if { [HTTP::method] eq "POST" and [class match [string tolower [HTTP::uri]] contains uri-list] } {
            # Trigger the collection for up to 1MB of data
            if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576 } {
                set content_length [HTTP::header "Content-Length"]
            } else {
                set content_length 1048576
            }
            # Check if $content_length is not set to 0
            if { $content_length > 0 } {
                HTTP::collect $content_length
            }
        }
    }
    when HTTP_REQUEST_DATA {
        # Deny only when both strings are present in the collected payload
        if { ([HTTP::payload] contains "abc") and ([HTTP::payload] contains "xyz") } {
            log local0. "Denied: [IP::client_addr] - [HTTP::uri]"
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/html"
        }
    }
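
The intended decision logic of the iRule above, modelled in Python so it can be exercised without a BIG-IP. This is an added example, not part of the original post; the function names and sample requests are constructed, and the model assumes case-sensitive substring matching on the body and treats a missing or malformed Content-Length as "collect up to the cap".

```python
MAX_COLLECT = 1048576            # 1 MiB cap passed to HTTP::collect
URI_LIST = ("abc", "def")        # records of the uri-list data group
BODY_STRINGS = (b"abc", b"xyz")  # strings that must all be in the body


def collect_length(content_length):
    """Byte count the HTTP_REQUEST branch would hand to HTTP::collect."""
    if content_length.isdigit() and int(content_length) <= MAX_COLLECT:
        return int(content_length)
    return MAX_COLLECT  # header absent (e.g. chunked), malformed or too large


def evaluate(method, uri, headers, body):
    """Return (verdict, fully_inspected) for one request."""
    if method != "POST" or not any(u in uri.lower() for u in URI_LIST):
        return "allow", True    # the rule never collects this request
    n = collect_length(headers.get("Content-Length", ""))
    if n == 0:
        return "allow", True    # empty body, nothing to collect
    window = body[:n]           # what HTTP::payload holds in HTTP_REQUEST_DATA
    fully_inspected = len(body) <= n
    verdict = "deny" if all(s in window for s in BODY_STRINGS) else "allow"
    return verdict, fully_inspected


def req(method, uri, body, with_length=True):
    """Build one constructed sample request."""
    headers = {"Content-Length": str(len(body))} if with_length else {}
    return method, uri, headers, body


if __name__ == "__main__":
    samples = [  # constructed inputs, not captured traffic
        req("POST", "/app/ABC/upload", b"k=abc&other=xyz"),
        req("POST", "/app/abc/upload", b"k=abc"),
        req("GET", "/app/abc/upload", b"k=abc&other=xyz"),
        req("POST", "/app/abc/upload", b"k=abc&other=xyz", with_length=False),
        req("POST", "/app/def/upload", b"abc" + b"A" * MAX_COLLECT + b"xyz"),
    ]
    for method, uri, headers, body in samples:
        print(method, uri, len(body), evaluate(method, uri, headers, body))
```

A `fully_inspected` value of `False` marks a request whose body extended past the collected window, which is worth logging separately from a clean allow.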