F5 AWAF/ASM ASM_RESPONSE_VIOLATION event seem to not trigger on 17.1.x
Hey Everyone, The F5 AWAF/ASM ASM_RESPONSE_VIOLATION event seem to not trigger on 17.1.x. I have enabled irules support the waf policy and I tested in Normal and Compatibility mode but no luck. The other events trigger without an issue. I created 2 custom signatures for response and request match and request match one has no issues so it seems a bug to me. This can be easily tested with the below irule that logs to /var/log/asm when ASM_REQUEST_DONE { log local3. "test request" } when ASM_RESPONSE_VIOLATION { log local3. "test response" } The custom response signature is in the policy to just trigger alarm. I tried string or regex match " (?i)failed " PCRE-style as F5 15.x and up are using this regex style.
How to log HTTP/2 reset_stream
Hello, We are currently in a meeting to prepare for HTTP/2 DDoS attacks. What we would like to do is log the client’s IP address (either local or remote) whenever an HTTP/2 RESET_STREAM is received. Is there any way to achieve this? Would it be possible to implement using an iRule? Thank you.
IRule to block different combinations host/uri
hello together, we've got a VIP with a lot of CNAME's and a few login-URI's should be blocked, but not all. so in our Irule we have some Entries like: elseif { [HTTP::uri] starts_with "/presse/login"} { HTTP::respond 403 but now we need special Combinations of [HTTP::host][HTTP::uri] could you pls provide me some Example? I'm not sure if [HTTP::host] matches alo for HTTPS. Thank you Karl
Is it possible to select ASM BoT profile from irule?
Hi. . Is it possible to select BoT profile from irule? . Concept is we have different set of IP which need to allow "some" BoT type. That why we can't use whitelist IP in BoT profile because it will allow all BoT type. So We want to use iRule to check if it IP A > use BoT profile which have some exception, but if all other IP > use normally BoT profile. . when HTTP_REQUEST { # Check IP and select BoT profile from that if { [IP::client_addr] eq "A" } { ASM::enable allow_some_bot_profile } else { ASM::enable normally_bot_profile } } ps. I didn't see any document about how to select BoT profile. So I'm not sure if ASM::enable can do that.MQTT Broker - logging irule
Hi i am trying to setup an MQTT LTM VS and running into a few issues, i was trying to use some of the sample irules to capture some more logging but can't quite figure out this one that should log the messages https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-iot-administration-13-0-0/1.html Common/irule_mqtt_loggging:14: error: [undefined procedure: MQTT::message_id][MQTT::message_id] /Common/irule_mqtt_loggging:26: error: ["The command does not expect argument."][MQTT::message topics qos $topic] i had thought that these were standard variables that could just be used...if anyone has managed to get this working any help would be apprecated thanks chrisiRule or Re-write Profile
I'm trying to work out how to do the following. I have an irule that is directing source traffic (based on IP) to a specific pool I have a rewrite policy > changing https://example.com to https://example.com/text this is all working The problem I have, is I'd like https://example.com to stay the same in the client's browser But after the client connects to the backend servers, they return a uri https://host1.com I'd like that to appear as https://example.com I looked at my rewrite policy and was thinking I could do a response This doesn't appear to work. Should I be using a single iRule to Replace the name (inbound) Direct to a pool Replace the name (outbound)Irules persistence source_addr
Hi, I have requirement where someone hits www.bac.com/admin is redirected to www.abc.com/admin-login.html and then persist with server even if go back to main page. i have wrote Irule, maybe not pretty but i want to do some testing with source persistence. irule looks like: when HTTP_REQUEST { log local0. "host: [HTTP::host] , url: [HTTP::uri] , proto [TCP::local_port]" switch [string tolower [HTTP::host] ] { "www.abc.com" { if { [string tolower [HTTP::uri] ] equals "/admin" } then { HTTP::respond 302 Location "admin-login.html" } if { [string tolower [HTTP::uri] ] equals "/admin-login.html" } then { persist source_addr 255.255.255.255 3600 } if { [persist lookup source_addr "[IP::client_addr] any virtual " node] ne ""} then { set mypool [persist lookup source_addr "[IP::client_addr] any service " pool ] set mynode [persist lookup source_addr "[IP::client_addr] any service " node ] set myservice [persist lookup source_addr "[IP::client_addr] any service " port ] pool $mypool member $mynode log local0. "pool:$mypool , node: $mynode , service: $myservice" persist source_addr 255.255.255.255 3600 log local0. "pool:$mypool , node: $mynode , service: $myservice" } } } } when i look into logs i can see that pool and service is changing however in presistent table is still same i just wonder why is that Oct 2 11:29:05 local/tmm info tmm[4247]: Rule www.abc.com-2 : host: www.abc.com , url: / , proto 80 Oct 2 11:29:06 local/tmm info tmm[4247]: Rule www.abc.com-2 : host: www.abc.com , url: / , proto 80 Oct 2 11:29:13 local/tmm info tmm[4247]: Rule www.abc.com-2 : host: www.abc.com , url: /test.html , proto 80 Oct 2 11:29:20 local/tmm info tmm[4247]: Rule www.abc.com-2 : host: www.abc.com , url: /admin , proto 80 Oct 2 11:29:20 local/tmm info tmm[4247]: Rule www.abc.com-2 : host: www.abc.com , url: /admin-login.html , proto 80 Oct 2 11:29:34 local/tmm info tmm[4247]: Rule www.abc.com-2 : host: www.abc.com , url: / , proto 80 Oct 2 11:29:34 local/tmm info tmm[4247]: Rule www.abc.com-2 : pool:pool1-5 , node: 192.168.200.11%1 , service: 80 Oct 2 11:29:34 local/tmm info tmm[4247]: Rule www.abc.com-2 : pool:pool1-5 , node: 192.168.200.11%1 , service: 80 Oct 2 11:29:45 local/tmm info tmm[4247]: Rule www.abc.com-2 : host: www.abc.com , url: / , proto 443 Oct 2 11:29:45 local/tmm info tmm[4247]: Rule www.abc.com-2 : pool:pool-https , node: 192.168.200.11%1 , service: 81 Oct 2 11:29:45 local/tmm info tmm[4247]: Rule www.abc.com-2 : pool:pool-https , node: 192.168.200.11%1 , service: 81 Oct 2 11:29:57 local/tmm info tmm[4247]: Rule www.abc.com-2 : host: www.abc.com , url: /test.html , proto 443 Oct 2 11:29:57 local/tmm info tmm[4247]: Rule www.abc.com-2 : pool:pool-https , node: 192.168.200.11%1 , service: 81 Oct 2 11:29:57 local/tmm info tmm[4247]: Rule www.abc.com-2 : pool:pool-https , node: 192.168.200.11%1 , service: 81 Oct 2 11:30:05 local/tmm info tmm[4247]: Rule www.abc.com-2 : host: www.abc.com , url: /test.html , proto 80 Oct 2 11:30:05 local/tmm info tmm[4247]: Rule www.abc.com-2 : pool:pool1-5 , node: 192.168.200.11%1 , service: 80 Oct 2 11:30:05 local/tmm info tmm[4247]: Rule www.abc.com-2 : pool:pool1-5 , node: 192.168.200.11%1 , service: 80 TMM 0 Mode source-address Key 192.168.199.1 Age (sec.) 1060 Virtual Name vip2 Virtual Addr 2620:0:c10:f501:0:1:c0a8:c70a:80 Node Addr 2620:0:c10:f501:0:1:c0a8:c80b:80 Pool Name pool1-5 Client Addr 192.168.199.1%1
Create an iRule that can search and replace
Looking for some irule help please this is a search and replace rule... Step one in the message payload Find <soapenv:Header/> and replace with <soapenv:Header> <job:roleIdentifier>SERVER1</job:roleIdentifier> </soapenv:Header> or if the message is from Server2 Find <soapenv:Header/> and replace with <soapenv:Header> <job:roleIdentifier>SERVER2</job:roleIdentifier> </soapenv:Header>Sending an HTTP request from iRule without delaying client requests
Hi, I am trying to find a solution that can meet my needs: I need to extract information from every HTTP request and response arriving on my virtual server, then send the extracted info to an external service's HTTPS endpoint. The challenge I've run into is decoupling the client connection from the external call. I wrote an iRule that uses a sideband connection with a helper virtual server for the external calls (similar to how the "HTTP Super SIDEBAND Requestor" works) but it seems like the sideband connection delays the response to the client. Is there any way to achieve what I've described without delaying the response?
