Irule help

Folks

I have a requirement: if the request starts with the /abc/ directory and contains the parameter si or di, the value of this parameter should not exceed 50 characters. If it exceeds, it should be dropped; if less, it should be allowed. Cheers, snl

Comments on this Question
Comment made 5 months ago by snl 511

I did some research and found the below. How can I call the parameters in this, in particular those 2 values?

when RULE_INIT {
  set DEBUG 1
  set sec_http_max_post_data_length 50
}

when HTTP_REQUEST {
  if { [string tolower [HTTP::uri]] equals "/abc/" and [HTTP::method] equals "POST" } {
    set len [HTTP::header "Content-Length"]
    if { [expr $len > $::sec_http_max_post_data_length] } {
      log local0. "  SEC-ALERT: POST Length: uri=[HTTP::uri]; len=$len; max_len=$::sec_http_max_post_data_length"
      reject
    }
  }
}

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You'll want to create static variables in RULE_INIT to maintain CMP.

when RULE_INIT {
    set static::DEBUG 1
    set static::sec_http_max_post_data_length 50
}
when HTTP_REQUEST {
    if { ( [string tolower [HTTP::uri]] equals "/abc/" ) and ( [HTTP::method] equals "POST" ) } {
        set len [HTTP::header "Content-Length"]
        if { [expr {$len > $static::sec_http_max_post_data_length}] } {
            log local0. "  SEC-ALERT: POST Length: uri=[HTTP::uri]; len=$len; max_len=$static::sec_http_max_post_data_length"
            reject
        }
    }
}
Comments on this Answer
Comment made 5 months ago by snl 511

Hi Kevin,

How can I call the parameters in this iRule?

For example, si and di (restricted to 50 characters).

snl

Comment made 5 months ago by Kevin Stewart

Ah, missed that part. So in a POST request, parameters are typically URL-encoded in the payload:

di=foo&si=bar

So to get to them you have to do an HTTP::collect and process the payload in the HTTP_REQUEST_DATA event. Here's what that specific piece of code might look like:

when HTTP_REQUEST {
    if {[HTTP::method] eq "POST"}{
        if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
        if { $content_length > 0} {
            HTTP::collect $content_length
        }
    }
}
when HTTP_REQUEST_DATA {
    ## payload will be in the form of 'key1=value1&key2=value2', so creating a list split on the '&'
    set payload_list [split [HTTP::payload] "&"]
    ## now search the list for your values
    if { ( [lsearch -glob $payload_list "di=*"] >= 0 ) or ( [lsearch -glob $payload_list "si=*"] >= 0 ) } {
        ## do something
    }
}
Comment made 5 months ago by snl 511

Hi Kevin,

Thanks for your help. I want to restrict each value (foo & bar) so that more than 50 characters are not allowed.

Is this doable in this iRule? From your iRule I can see the content_length 1048576 (i.e. 1 MB, I guess).

Cheers, snl

Comment made 5 months ago by Kevin Stewart

The whole point of the stuff in the HTTP_REQUEST event is to collect what's in the Content-Length header, or no more than 1 MB of it.

The POST data will be in the request payload, so you have to first collect, which triggers the HTTP_REQUEST_DATA event, before you can see it. So then once you're inside the HTTP_REQUEST_DATA event, you could do something like this:

when HTTP_REQUEST_DATA {
    set payload_list [split [HTTP::payload] "&"]
    foreach x ${payload_list} {
        if { ( ${x} starts_with "si=" ) and ( [expr {[string length [lindex [split ${x} "="] 1]] >= 50}] ) } {
            ## si value over 50 - do something
        }
        if { ( ${x} starts_with "di=" ) and ( [expr {[string length [lindex [split ${x} "="] 1]] >= 50}] ) } {
            ## di value over 50 - do something
        }
    }
}

Let's say the payload is this:

si=foo&di=bar

You first split the payload on the "&" character to create a list (si=foo, di=bar). You then loop through the list. If the value starts with "si=", find the value by splitting on the "=" character and looking for the second list value (lindex value 1), and then make a string length evaluation. If the value is >= 50, do something.
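
The pieces discussed in this thread combined into one iRule, as an added example that is not code from any of the posters. It goes beyond the thread in three ways: it also checks the query string, it cuts each pair at the first "=" only, and it measures the URL-decoded value, allowing exactly 50 characters as the question words it. Assumptions: TMOS 11.4 or later for proc/call, form-encoded POST bodies, and the hypothetical names oversized_param, param_max_len, collect_max and req_uri.

```tcl
# Added example, not code from the thread. Assumes TMOS 11.4+ (proc/call),
# form-encoded bodies, and a limit on the URL-decoded value.
when RULE_INIT {
    set static::param_max_len 50
    set static::collect_max 1048576
}
# Returns the first si/di parameter whose value exceeds the limit, else "".
proc oversized_param { data } {
    foreach pair [split $data "&"] {
        # Cut at the first "=" only, so a value containing "=" is measured whole.
        set eq [string first "=" $pair]
        if { $eq < 0 } { continue }
        set name [URI::decode [string range $pair 0 [expr {$eq - 1}]]]
        if { $name ne "si" && $name ne "di" } { continue }
        set value [URI::decode [string map {+ " "} [string range $pair [expr {$eq + 1}] end]]]
        if { [string length $value] > $static::param_max_len } { return $name }
    }
    return ""
}
when HTTP_REQUEST {
    if { !([string tolower [HTTP::path]] starts_with "/abc/") } { return }
    set req_uri [HTTP::uri]
    # The parameters may also arrive in the query string.
    set bad [call oversized_param [HTTP::query]]
    if { $bad ne "" } {
        log local0. "SEC-ALERT: $bad exceeds $static::param_max_len chars (query): uri=$req_uri"
        reject
        return
    }
    if { [HTTP::method] eq "POST" } {
        # Same collection logic as in the thread: Content-Length, capped at 1 MB.
        set content_length [HTTP::header "Content-Length"]
        if { $content_length eq "" || $content_length > $static::collect_max } {
            set content_length $static::collect_max
        }
        if { $content_length > 0 } { HTTP::collect $content_length }
    }
}
when HTTP_REQUEST_DATA {
    set bad [call oversized_param [HTTP::payload]]
    if { $bad ne "" } {
        log local0. "SEC-ALERT: $bad exceeds $static::param_max_len chars (body): uri=$req_uri"
        reject
    }
}
```

As in the thread's collection logic, only the first 1 MB of the body is collected and inspected.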

Comment made 5 months ago by snl 511

Thanks for your time, Kevin. I will check and update.
