Re: perform action based on http method.

clayton-price · ‎12-29-2003

I've not been able to find a way to switch traffic based on http method. For example, I want to essentially drop all http traffic using the TRACE method. I don't think that a header-field with the request-line of "trace" would work. That would seem to apply more to specific content someone was trying to get vs. the http method.

Does anyone know of a way to do what I'm looking for?

Thanks!

stevehall · ‎12-29-2003

the request line should work. To realize that, you must realize that a request line contains something like the following (without the quotes):

"GET /index.html HTTP/1.0"

I tested this real fast in the lab, but sending a redirect instead of dropping, so I could tell it was working, and it worked..

you can configure the following:

!************************** SERVICE **************************

service dummy

ip address 10.10.10.10

keepalive type none

active

!********************* HEADER FIELD GROUP *********************

header-field-group trace-match

header-field .ida request-line contain "TRACE"

!*************************** OWNER ***************************

owner myrule

content block-trace

vip address 2.3.4.5

protocol tcp

port 80

url "/*"

header-field-rule .ida weight 0

add service dummy

active

of course, use your own VIP, instead of 2.3.4.5. Also, you can put a search length on the header-group so you will not catch anyone who puts "TRACE" in the url...

header-field .ida request-line contain "TRACE" 10

let me know if that does the trick or not!

-Steve

clayton-price · ‎12-29-2003

Thanks Steve!

So even if it is not an HTTP GET that they are performing it should work? I'm using header-fields to block nimda and code red etc, but all of those use an HTTP GET instead of HTTP TRACE.

I'll give it a shot.

Thanks!

stevehall · ‎12-29-2003

Clayton,

If they are doing a "GET" then they should not hit the rule with the "TRACE" header field...

-Steve