Regex issue
Hello, I am stuck on trying to find out how to match some parameters in a WAF request using regex wildcard The parameters that I want to match are int the form ofamp;arg20=somethingwhere the arg20 can be anything. The repetitive part that I want to match with the regex is amp; and I want to match multiple times because it appears multiple times in the query string This is the request GET /human.aspx?r=2900376326&arg20=dssdds&arg21=aaa HTTP/1.1 I want to match the 2 parameters amp;arg20 and amp;arg21 with a wildcard which appears as invalid parameters Parameter Location Query String Parameter Name amp;arg20 Parameter Value dssdds Applied Blocking Settings BlockAlarmLearn Parameter Location Query String Parameter Name amp;arg21 Parameter Value aaa Applied Blocking Settings BlockAlarmLearn I tried to create multiple wildcard parameters like: amp.* or amp.+?(?==)but the parameters never match and I get the illegal parameter violation How can this be achieved?Solved1.2KViews1like8CommentsCustom attack signature syntax for multiple user agents
Hi, I want to create a custom attack signature that will block requests that contains specific user agents. I've already created a signature that blocks Python user agent, but I'm not sure how to add multiple ones to the same signature. Under "Rule" section, I use the Simple Edit Mode and I have set: Matched Element: Header Matched Criteria: Matches regular expression Keyword: User-Agent:.*[Pp]ython.* How do I add more user agents? Thanks757Views1like1Commentis it possible to use regex within switch block?
Hello! Is it possible to use regular expressions within switch block? My scenario: a.domain.com a.domain.net So different TLDs. Now I want to write iRule that will handle both 'com' and 'net', but I can't figure this out and instead I have to use following syntax: when HTTP_REQUEST { switch -glob [string tolower [HTTP::host]] { "a.domain.com" { pool some_pool_a } "a.domain.net" { pool some_pool_a } "b.domain.com" { pool some_pool_b } "b.domain.net" { pool some_pool_b } } } I would like to rewrite this iRule to something like this: when HTTP_REQUEST { switch -glob [string tolower [HTTP::host]] { "a.domain.[com|net]" { pool some_pool_a } "b.domain.[com|net]" { pool some_pool_b } } } but it seems to be not working. Do you guys have any good idea how to fix it? BTW - I'm using v11.6 of BIG IP software.500Views0likes5CommentsiRule with regex, change string inside URI for another one
Hello, I want to redirect ( http 301) this request domain.com/pl/_company-id/SOME_DIGITS New request should look like this: domain.com/_company-id/SOME_DIGITS/?language_code REGEX domain.com/pl/_company-id/(\d+) domain.com/_company-id/$1/?language_code So I need to match SOME_DIGITS string and put it after new URI + put another sting later Should I change SOME_DIGITS to variable and use it later ? How can I do it ? I've no idea how to achive this goal, please help if anyone knows. best regardsSolved623Views0likes2CommentsDetect regexp pattern in tcp payload
I was hoping someone could help me out on the proper syntax and approach to using either matches_regex or regexp to match a string pattern in a tcp payload. Basically I am trying to detect if within a payload there is a string comprised of 8-16 characters that can be either upper lower case or numeric, no spaces or returns. I have tried the following but have had no success: when CLIENT_ACCEPTED { TCP::collect } when CLIENT_DATA { set payload [TCP::payload] if { [regexp {[a-zA-Z0-9] {8,16}} $payload] } { log local0. "Got a match!" } } My regex isn't strong so I don't know if that's where I'm messing up or if my syntax/approach to this iRule is wrong. I haven't found the matches_regex or regexp documentation to be all too helpful so hoping the dev community can help out!451Views0likes3CommentsStream expression for TCP payload
So I have been trying to find the most efficient way to detect string patterns within HTTP payloads. I have found out the best way to tackle this (from what I know so far) is to use a stream profile within a HTTP_RESPONSE event and specify a reg expression. So for my test, I wanted to capture alpha numeric string between 13-16 characters long. I was specifically looking for the value AAAFFFggg12345 and was successful. I did return other values but thats beside the point I'm getting to. This is how I approached it a stream profile within a HTTP_RESPONSE event. when HTTP_REQUEST { STREAM::disable if { [HTTP::header value "Host"] equals "winweb1.clearshark.net"} { set host [HTTP::header value "Host"] HTTP::header remove "Accept-Encoding" } } when HTTP_RESPONSE { if {[info exists host]} { if {$host equals "winweb1.clearshark.net"} { STREAM::expression {@[a-zA-Z0-9]{13,16}@} STREAM::enable } } } when STREAM_MATCHED { log local0. "Stream matched [STREAM::match]" } Now... I want to do the same exact thing, but not within an HTTP_RESPONSE event. Essentially I want to just look within a TCP payload and find the same string. I have tried the following but have had no success. when CLIENT_ACCEPTED { STREAM::disable } when SERVER_CONNECTED { TCP::collect if {[IP::client_addr] equals "172.16.211.103"} { log local0. "Stream enabled" STREAM::expression {@[a-zA-Z0-9]{13,16}@} STREAM::enable } } when STREAM_MATCHED { log local0. "[IP::client_addr]:[TCP::local_port] : Matched : [STREAM::match]" } I am not seeing the string value AAAFFFggg12345 in my logs like I did when triggering within a HTTP_RESPONSE event. I know this seems like a quirky use case but this is simply for a proof of concept for a client. If I can successfully make this happen, I'll branch off to other tests. But I need to make sure this works first before I move forward. I appreciate any and all help!302Views0likes2CommentsiRule Assistance
Hello, Glorious people of DevCentral, I am facing an issue with a couple of iRules that are doing the same thing. First off, here is what the iRule looks like: when HTTP_REQUEST { if{[HTTP::host] eq "example.home.com" and [HTTP::path] matches_regex "/home(/.*)\?" or [HTTP::path] matches_regex "/home/services(/.*)\?" or [HTTP::path] matches_regex "/index(/.*)\?" or [HTTP::path] matches_regex "/default(/.*)\?" or [HTTP::path] matches_regex "/home/services/register(/.*)\?" } pool myPool ASM::enable MyPoolASM } I have one Virtual Server where I am applying 5 iRules, and all these 5 iRules have the same pattern, but different regex matches and different pools to send traffic to. Now, when I put one iRule (like the one above), it works properly without any issues. However, if I put more than 1 iRule it immediately stops working and I get resets from the F5. All 5 iRules are looking for the same host match (example.home.com) so the first 2 lines of all 5 iRules are same. Please let me know if I am doing anything wrong in the iRule, or if I can have multiple iRules with the "when HTTP_REQUEST" on a same VS. Thank You, Mohammad Hamad247Views0likes2CommentsHTTP Health Monitor in Receive Strings with Regular Expressions
Hello Community, I need to monitor http servers with regular expressions in the http receive strings. If receive string exact match with "Healthy" word then F5 send the requests to the servers. list ltm monitor http Healthy { adaptive disabled defaults-from http destination 10.0.1.20:http interval 5 ip-dscp 0 recv \bHealthy\b recv-disable none send "GET / HTTP/1.1\r\nHost: 10.0.1.20\r\nConnection: Close\r\n\r\n" time-until-up 0 timeout 16 } Server up and running and regex is fine but pool members are down. I need some help in this topic. Thank You / Best Regards2.2KViews0likes5CommentsASM - regex in Parameter Name
Hi, I'm looking for a possibility to implement a dynamic parameter, that contains a string that may vary as parameter name itself. It's something like this: <soap:Envelope xmlns...> <abcd:Envelope xmlns...> <fghjkl:Envelope xmlns...> I thought of creating a Wildcard Parameter like this: <[a-zA-Z0-9]{2,15}:Envelope* so it matches an alphanumeric, 2-15 chars long string. Unfortunately it seems that you can't use any quantifiers in the parameter name (at least according to this thread from 11 years ago: https://devcentral.f5.com/s/question/0D51T00006i7VCi/regex-in-parameter-name ) Does anyone know if there is any solution to this problem by now? Or if there is a possibility to do this in a syntax that is supported? (the 2-15 is not mandatory, could be more or less chars too) Otherwise I'm afraid that I really have to follow the suggestion from this thread and add 14 different parameters, one for each length :( Thanks in advance!902Views0likes3Commentsirule + regex
Hi All, New to F5 and irules in general. We have a situation where we need to grab a portion of the HTTP Post that come into the BIGIP, Look for string, and send a manipulated HTTP Post to the Pool. My thought was to use Regexp to grab the needed potion of the URL, put that into a variable, then create a new HTTP POST and send it to the specified Pool. Any thoughts or advice? or example scripts I can view/modify Example: Initial HTTP POST: https://example.com/-payload/somefile.html Regex grabs the payload and put it into a var. Modified HTTP Post that needs to go to the Pool will look like this : https://payload.example.com/somefile.html314Views0likes1Comment