Forum Discussion

Richard_Young_1
Feb 16, 2010

I-Rule to Monitor Incoming Traffic

I want to write an I-Rule that will monitor traffic from a specified IP address. For instance, I want to monitor whether a certain IP address sends an incoming message to the F5 within a specified time frame, such as 1 message within a 1 minute time frame. If no incoming message is seen within the time frame, then send an SNMP trap/message to a program that logs the event.

 

The incoming message is an HTTP POST request.

1 Reply

  • Hi Richard,

    In order to track if a client does not send a POST request within a minute of the prior POST request, you'd need to use the after command. This command was added in 10.0.0.

    You can use IP::addr to compare the client IP address against a single IP or network in the CLIENT_ACCEPTED event. You can check the HTTP request method and URI in the HTTP_REQUEST event. You can use the log command to log a special message that will trigger an SNMP trap.

    Here is a list of the wiki pages for the mentioned commands and events:

    http://devcentral.f5.com/wiki/default.aspx/iRules/after
    http://devcentral.f5.com/wiki/default.aspx/iRules/client_accepted
    http://devcentral.f5.com/wiki/default.aspx/iRules/ip__addr
    http://devcentral.f5.com/wiki/default.aspx/iRules/http_request
    http://devcentral.f5.com/wiki/default.aspx/iRules/http__method
    http://devcentral.f5.com/wiki/default.aspx/iRules/http__uri
    http://devcentral.f5.com/wiki/default.aspx/iRules/log

    For details on configuring a custom SNMP trap, search on AskF5 for "custom snmp trap".

    If you try something and get stuck, let us know.

    Aaron
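
One way to combine the commands named in the reply into a per-connection watchdog, as an added example that is not part of the original thread and has not been tested on a BIG-IP. The address 192.0.2.10, the 60000 ms window and the POST_WATCHDOG log tag are placeholders chosen here, and the sketch assumes the sender keeps a single keep-alive connection open, since the timer is created in that connection's context.

```tcl
when CLIENT_ACCEPTED {
    # Placeholder address (assumption): replace with the sender to be monitored.
    set src [IP::client_addr]
    set monitored [IP::addr $src equals 192.0.2.10]

    if { $monitored } {
        # Arm the watchdog as soon as the monitored sender connects.
        # If no POST arrives within 60 s, the script below runs once.
        set watchdog [after 60000 {
            # POST_WATCHDOG is a constructed tag; a custom SNMP trap
            # definition would match on this string in the log.
            log local0.alert "POST_WATCHDOG: no POST from $src within 60 seconds"
        }]
    }
}

when HTTP_REQUEST {
    # Only POST requests from the monitored sender reset the timer.
    if { $monitored && [HTTP::method] eq "POST" } {
        # Cancel the pending timer, if any, then re-arm it for another 60 s.
        if { [info exists watchdog] } {
            after cancel $watchdog
        }
        set watchdog [after 60000 {
            log local0.alert "POST_WATCHDOG: no POST from $src within 60 seconds"
        }]
    }
}

when CLIENT_CLOSED {
    # Clear any pending timer when the connection ends, so a normal
    # disconnect is not reported as a missed POST.
    if { [info exists watchdog] } {
        after cancel $watchdog
    }
}
```

Because the timer is scoped to one connection, a sender that opens a new connection for every POST is not covered by this sketch; detecting silence across connections needs state kept outside the connection.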