ltm rule event BOTDEFENSE_ACTION
iRule(1) BIG-IP TMSH Manual iRule(1)
BOTDEFENSE_ACTION
Bot Defense event upon HTTP request, after action is decided.
DESCRIPTION
Triggered immediately prior to taking an action on a transaction. The
event may be used to override the default behavior, and/or to log the
action taken.
This event is always triggered when Proactive Bot Defense is enabled on
the DOS profile, unless the request is mitigated by dosl7 attack. The
event will also be triggered if Proactive Bot Defense is disabled, but
a Bot Signature was detected on the request, whether for blocking or
for reporting.
Most of the commands that are available on the HTTP_REQUEST event are
also available on the BOTDEFENSE_ACTION event.
Note that commands which may suspend iRule processing are currently not
supported in this event and should not be used. A partial list of these
commands: after, persist, session, table, and RESOLV::lookup.
Examples
# EXAMPLE 1: Send parsed Bot Defense data and action to High Speed Logging
# The HSL handle must exist before BOTDEFENSE_ACTION fires. The pool name
# below is a placeholder; use the log-publishing pool defined on your system.
when CLIENT_ACCEPTED {
    set hsl [HSL::open -proto UDP -pool /Common/hsl_pool]
}
when BOTDEFENSE_ACTION {
    # Build one line containing every Bot Defense attribute of the request
    set log "BOTDEFENSE:"
    append log " uri [HTTP::uri]"
    append log " cs_possible [BOTDEFENSE::cs_possible]"
    append log " cs_allowed [BOTDEFENSE::cs_allowed]"
    append log " cs_attribute(device_id) [BOTDEFENSE::cs_attribute device_id]"
    append log " cookie_status [BOTDEFENSE::cookie_status]"
    append log " cookie_age [BOTDEFENSE::cookie_age]"
    append log " device_id [BOTDEFENSE::device_id]"
    append log " support_id [BOTDEFENSE::support_id]"
    append log " previous_action [BOTDEFENSE::previous_action]"
    append log " previous_support_id [BOTDEFENSE::previous_support_id]"
    append log " previous_request_age [BOTDEFENSE::previous_request_age]"
    append log " bot_signature [BOTDEFENSE::bot_signature]"
    append log " bot_signature_category [BOTDEFENSE::bot_signature_category]"
    append log " captcha_status [BOTDEFENSE::captcha_status]"
    append log " captcha_age [BOTDEFENSE::captcha_age]"
    append log " default action [BOTDEFENSE::action]"
    append log " reason \"[BOTDEFENSE::reason]\""
    # Write the line to the local log and to the HSL destination
    log local0. $log
    HSL::send $hsl $log
}
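# EXAMPLE 2: Bypassing enforcement on URL pattern
when BOTDEFENSE_ACTION {
    # Requests under /t/ are allowed regardless of the Bot Defense decision,
    # so keep the exempted prefix as narrow as possible.
    if {[HTTP::uri] starts_with "/t/"} {
        log local0. "bypassing enforcement for URI [HTTP::uri]"
        # BOTDEFENSE::action with an argument overrides the default action
        set res [BOTDEFENSE::action allow]
        log local0. "set action to allow, result \"$res\""
        # Log the action and reason that are now in effect
        log local0. "resulting action [BOTDEFENSE::action] reason \"[BOTDEFENSE::reason]\""
    }
}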
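An added example, not part of the BIG-IP manual: a Python parser for the line that EXAMPLE 1 writes, intended for the log collector that receives it. It anchors on the field labels in order, so empty values and the two-word label "default action" parse correctly; the sample lines and all field values in them are constructed.

```python
import re
from collections import Counter

# Labels in the order Example 1 appends them. "default action" contains a
# space, so a plain whitespace split into key/value pairs misparses the line.
FIELDS = [
    "uri", "cs_possible", "cs_allowed", "cs_attribute(device_id)",
    "cookie_status", "cookie_age", "device_id", "support_id",
    "previous_action", "previous_support_id", "previous_request_age",
    "bot_signature", "bot_signature_category", "captcha_status",
    "captcha_age", "default action",
]

# Anchor on every label in order, so an empty value (for example when no bot
# signature matched) cannot shift the fields after it. reason is quoted, last.
PATTERN = re.compile(
    "BOTDEFENSE:"
    + "".join(" %s (.*?)" % re.escape(name) for name in FIELDS)
    + ' reason "(.*)"$'
)

def parse_botdefense(line):
    """Return {label: value} for one Example 1 line, or None if malformed."""
    m = PATTERN.search(line.rstrip("\r\n"))
    return dict(zip(FIELDS + ["reason"], m.groups())) if m else None

def count_actions(lines):
    """Count (default action, signature category) pairs; '-' = no signature."""
    counts = Counter()
    for rec in filter(None, map(parse_botdefense, lines)):
        counts[(rec["default action"], rec["bot_signature_category"] or "-")] += 1
    return counts

# Constructed sample lines (values are illustrative, not captured output).
SAMPLE = [
    "BOTDEFENSE: uri /login cs_possible 1 cs_allowed 1"
    " cs_attribute(device_id) 1 cookie_status not_received cookie_age 0"
    " device_id 0 support_id 111 previous_action  previous_support_id "
    " previous_request_age 0 bot_signature  bot_signature_category "
    " captcha_status not_received captcha_age 0"
    ' default action browser_challenge reason "constructed reason A"',
    "tmm: BOTDEFENSE: uri /t/a?x=1 cs_possible 0 cs_allowed 0"
    " cs_attribute(device_id) 0 cookie_status not_received cookie_age 0"
    " device_id 0 support_id 222 previous_action  previous_support_id "
    " previous_request_age 0 bot_signature ExampleBot bot_signature_category"
    " Example Category captcha_status not_received captcha_age 0"
    ' default action block reason "constructed reason B"',
    "unrelated line that is not a BOTDEFENSE record",
]
```

Because Example 1 logs the action before any override, a line written by it records the default decision, not the result of a later BOTDEFENSE::action call such as the one in Example 2.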
HINTS
SEE ALSO
CHANGE LOG
@BIGIP-12.1 --First introduced the event.
BIG-IP 2017-01-31 iRule(1)