HTTP_REQUEST_RELEASE and HTTP_RESPONSE_RELEASE

Question

hello,&nbsp;
&nbsp;i have just noticed HTTP_REQUEST_RELEASE and HTTP_RESPONSE_RELEASE events in v11. does anybody have idea what different HTTP_REQUEST_SEND and HTTP_REQUEST_RELEASE are and what situation HTTP_REQUEST_RELEASE and HTTP_RESPONSE_RELEASE could be used (since HTTP_REQUEST_SEND and HTTP_RESPONSE may be applicable as well)?&nbsp;
&nbsp;[root@ve1100:Active] config  cat /var/log/ltm
&nbsp;Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule CLIENT_ACCEPTED:
&nbsp;Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule HTTP_REQUEST:
&nbsp;Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule SERVER_CONNECTED:
&nbsp;Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule HTTP_REQUEST_SEND:
&nbsp;Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule HTTP_REQUEST_RELEASE:
&nbsp;Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule HTTP_RESPONSE:
&nbsp;Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule HTTP_RESPONSE_RELEASE:
&nbsp;Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule CLIENT_CLOSED:
&nbsp;Nov 25 21:10:09 tmm info tmm[5633]: Rule /Common/myrule SERVER_CLOSED:&nbsp;
&nbsp;any suggestions are welcome.&nbsp;
&nbsp;thanks!

hooleylist · Answer

Hi Nitass, 
&nbsp;  
&nbsp; I think the main reason HTTP_REQUEST_RELEASE and HTTP_RESPONSE_RELEASE were added in v11 was to allow modification of HTTP headers after the plugin(s) like ASM, WA, etc, have processed the request and/or response. 
&nbsp;  
&nbsp; Aaron

nitass · Answer

thanks Aaron!

hooleylist · Answer

Here's an example iRule for ASM showing the various events:
when CLIENT_ACCEPTED {
    log local0. "[IP::client_addr]:[TCP::client_port]: [virtual name] [IP::local_addr]:[TCP::local_port]"
}
when HTTP_REQUEST {
    log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::method] to [HTTP::host][HTTP::uri]"
}
when LB_SELECTED {
    log local0. "[IP::client_addr]:[TCP::client_port]: Selected: [LB::server]"
}
when LB_FAILED {
    log local0. "[IP::client_addr]:[TCP::client_port]: Failed: [LB::server]"
}
when HTTP_CLASS_SELECTED {
    log local0. "[IP::client_addr]:[TCP::client_port]: Selected [HTTP::class] class, ASM enabled: [HTTP::class asm]"
}
when HTTP_CLASS_FAILED {
    log local0. "[IP::client_addr]:[TCP::client_port]: No HTTP class match for [HTTP::uri]"
}
when ASM_REQUEST_VIOLATION {
    set x [ASM::violation_data]
    for {set i 0} { $i &lt; 7 } {incr i} {
        switch $i {
            0 { log local0. "[IP::client_addr]:[TCP::client_port]: violation=[lindex $x $i]" }
            1 { log local0. "[IP::client_addr]:[TCP::client_port]: support_id=[lindex $x $i]" }
            2 { log local0. "[IP::client_addr]:[TCP::client_port]: web_application=[lindex $x $i]" }
            3 { log local0. "[IP::client_addr]:[TCP::client_port]: severity=[lindex $x $i]" }
            4 { log local0. "[IP::client_addr]:[TCP::client_port]: source_ip=[lindex $x $i]" }
            5 { log local0. "[IP::client_addr]:[TCP::client_port]: attack_type=[lindex $x $i]" }
            6 { log local0. "[IP::client_addr]:[TCP::client_port]: request_status=[lindex $x $i]" }
        }
    }
}
when ASM_REQUEST_BLOCKING {
    log local0. "[IP::client_addr]:[TCP::client_port]: Blocking"
}
when HTTP_REQUEST_SEND {
    log local0. "[IP::client_addr]:[TCP::client_port]: Sending to [IP::server_addr]:[TCP::server_port]"
}
when HTTP_REQUEST_RELEASE {
    log local0. "[IP::client_addr]:[TCP::client_port]: "
}
when SERVER_CONNECTED {
    log local0. "[IP::client_addr]:[TCP::client_port]: "
}
when HTTP_RESPONSE {
    log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::status] response"
}
when ASM_RESPONSE_VIOLATION {
    set x [ASM::violation_data]
    for {set i 0} { $i &lt; 7 } {incr i} {
        switch $i {
            0 { log local0. "[IP::client_addr]:[TCP::client_port]: violation=[lindex $x $i]" }
            1 { log local0. "[IP::client_addr]:[TCP::client_port]: support_id=[lindex $x $i]" }
            2 { log local0. "[IP::client_addr]:[TCP::client_port]: web_application=[lindex $x $i]" }
            3 { log local0. "[IP::client_addr]:[TCP::client_port]: severity=[lindex $x $i]" }
            4 { log local0. "[IP::client_addr]:[TCP::client_port]: source_ip=[lindex $x $i]" }
            5 { log local0. "[IP::client_addr]:[TCP::client_port]: attack_type=[lindex $x $i]" }
            6 { log local0. "[IP::client_addr]:[TCP::client_port]: request_status=[lindex $x $i]" }
        }
    }
}
when HTTP_RESPONSE_RELEASE {
    log local0. "[IP::client_addr]:[TCP::client_port]: "
}
when CLIENT_CLOSED {
    log local0. "[IP::client_addr]:[TCP::client_port]: "
}
And a request being blocked:
&lt; CLIENT_ACCEPTED&gt;: 10.1.0.111:53444: /Common/ltm_ve11_asm_http_vs 10.1.0.114:80
&lt; HTTP_REQUEST&gt;: 10.1.0.111:53444: GET to 10.1.0.114/test.exe
&lt; HTTP_CLASS_SELECTED&gt;: 10.1.0.111:53444: Selected /Common/www.example.com class, ASM enabled: 1
&lt; ASM_REQUEST_VIOLATION&gt;: 10.1.0.111:53444: violation=VIOLATION_OBJ_LEN,VIOLATION_REQ_LEN,VIOLATION_OBJ_TYPE
&lt; ASM_REQUEST_VIOLATION&gt;: 10.1.0.111:53444: support_id=10169066720958873606
&lt; ASM_REQUEST_VIOLATION&gt;: 10.1.0.111:53444: web_application=/Common/www.example.com
&lt; ASM_REQUEST_VIOLATION&gt;: 10.1.0.111:53444: severity=Critical
&lt; ASM_REQUEST_VIOLATION&gt;: 10.1.0.111:53444: source_ip=10.1.0.111
&lt; ASM_REQUEST_VIOLATION&gt;: 10.1.0.111:53444: attack_type=ATTACK_TYPE_BUFFER_OVERFLOW,ATTACK_TYPE_FORCEFUL_BROWSING
&lt; ASM_REQUEST_VIOLATION&gt;: 10.1.0.111:53444: request_status=blocked
&lt; ASM_REQUEST_BLOCKING&gt;: 10.1.0.111:53444: Blocking
&lt; HTTP_RESPONSE_RELEASE&gt;: 10.1.0.111:53444:
&lt; CLIENT_CLOSED&gt;: 10.1.0.111:53444:
And a response being blocked:
&lt; CLIENT_ACCEPTED&gt;: 10.1.0.111:53567: /Common/ltm_ve11_asm_http_vs 10.1.0.114:80
&lt; HTTP_REQUEST&gt;: 10.1.0.111:53567: GET to 10.1.0.114/test.exe
&lt; HTTP_CLASS_SELECTED&gt;: 10.1.0.111:53567: Selected /Common/www.example.com class, ASM enabled: 1
&lt; LB_SELECTED&gt;: 10.1.0.111:53567: Selected: /Common/ubuntu_1ip_port0_pool 10.1.0.100 0
&lt; SERVER_CONNECTED&gt;: 10.1.0.111:53567:
&lt; HTTP_REQUEST_SEND&gt;: 10.1.0.111:53567: Sending to 10.1.0.100:80
&lt; HTTP_REQUEST_RELEASE&gt;: 10.1.0.111:53567:
&lt; HTTP_RESPONSE&gt;: 10.1.0.111:53567: 404 response
&lt; ASM_RESPONSE_VIOLATION&gt;: 10.1.0.111:53567: violation=VIOLATION_HTTP_STATUS_IN_RESPONSE
&lt; ASM_RESPONSE_VIOLATION&gt;: 10.1.0.111:53567: support_id=10169066720958873618
&lt; ASM_RESPONSE_VIOLATION&gt;: 10.1.0.111:53567: web_application=/Common/www.example.com
&lt; ASM_RESPONSE_VIOLATION&gt;: 10.1.0.111:53567: severity=Informational
&lt; ASM_RESPONSE_VIOLATION&gt;: 10.1.0.111:53567: source_ip=10.1.0.111
&lt; ASM_RESPONSE_VIOLATION&gt;: 10.1.0.111:53567: attack_type=
&lt; ASM_RESPONSE_VIOLATION&gt;: 10.1.0.111:53567: request_status=blocked
&lt; HTTP_RESPONSE_RELEASE&gt;: 10.1.0.111:53567:
&lt; CLIENT_CLOSED&gt;: 10.1.0.111:53567:
Aaron

Forum Discussion

HTTP_REQUEST_RELEASE and HTTP_RESPONSE_RELEASE

3 Replies

Recent Discussions

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Issue with HTTP_RESPONSE_RELEASE and redirect

ASM_REQUEST_DONE and HTTP_REQUEST_RELEASE issue

APM clientlessmode + HTTP_RESPONSE_RELEASE issue

Ultimate irule debug - Capture and investigate

Re: iRule to set SameSite for compatible clients and remove it for incompatible clients (LTM|ASM|APM)