Reject based on string in HTTP header

Question

All,&nbsp;
 &nbsp;
I want the F5 to reject (or drop) packets that have specific string/text in the HTTP header. I found this:&nbsp;
 &nbsp;
when HTTP_REQUEST {&nbsp;
if { [HTTP::header exists Morfeus Scanner] } {&nbsp;
reject&nbsp;
}&nbsp;
}&nbsp;
&nbsp;
When I try to add the above iRule I get an error that there are too many arguments in line 2. I removed the second word (Scanner) and it accepted the iRule. BUT, I would prefer to have both words included. Is there a way to do that? Do I use quotes?&nbsp;
 &nbsp;
Thanks&nbsp;
 &nbsp;

kevin_stewart · Answer

Try this:

when HTTP_REQUEST {
foreach header {Morfeus Scanner} {
if { [HTTP::header exists $header] } {
log local0. "Caught $header header"
reject
}
}
}

The [HTTP::header exists ] command just works on the name of the header, so if you want to capture a header with "Morfeus" or "Scanner" in the value you'll need to modify the iRule.

j_saunders_4728 · Answer

Thanks. Will give it a try and update this thread.

arie · Answer

If it's likely that you will want to block on additional values in the future you may want to consider using a class (Data Group). Just keep in mind that the class and/or values won't be available when you save the class.

Forum Discussion

Reject based on string in HTTP header

3 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

irule reject request when payload field is null

string first replacement procedure for ID999881

Security headers

issue with irule redirecting with # string

C3D and header insert