Hi! For a few days I have been seeing this line in the system log: "HTTP line too long (len is 31415)". Is this a class of attack? I can't determine which IP is trying to use long HTTP. How can I troubleshoot this issue? Thanks!!
Hello - One way to diagnose this is with an aFlex script:
Apply the following aFlex script to all suspected HTTP/HTTPS vPorts:
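# Remember each client that opens a connection, with the VIP it connected to.
when CLIENT_ACCEPTED {
    table set logme [IP::client_addr] [IP::local_addr]
}
# A response came back for this client, so drop its entry.
when HTTP_RESPONSE {
    table delete logme [IP::client_addr]
}
# Entry still present at close: the connection ended without any HTTP response.
# The table is keyed by client IP only, so connections from one IP share an entry.
when CLIENT_CLOSED {
    if { [table lookup "logme" [IP::client_addr]] != "" } {
        log "request failed for client [IP::client_addr] on VIP [IP::local_addr]"
        table delete logme [IP::client_addr]
    }
}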
You should then see an additional log line for each of the above warnings:
Jun 20 2017 13:20:01 Warning [ACOS]:HTTP header (len=122) "kjdfhlksdjhfkldsjh(P*&(*&(ISAUDF)AUDF)AUDS)AUD+)AUD_)A*UD+)AU*D)ASIUD+)ADU)ASDIU+)ASUD)+UD)U_)*@$&_)" is too long
Jun 20 2017 13:18:45 Info [AFLEX]:logFails:request failed for client 10.2.24.1 on VIP 10.2.24.100
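The script logs every connection that closes without a response, so the useful entries are the ones logged close in time to a "too long" warning. The following is an added example, not part of the original reply or of A10's tooling: it pairs the two kinds of log line by timestamp and counts hits per client and VIP. The line format follows the two log lines above; the sample lines, the addresses and the 5-second window are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

TS = r"(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2})"
# Covers both wordings seen in the thread: "HTTP line too long" and
# 'HTTP header (len=...) "..." is too long'.
WARN_RE = re.compile(TS + r" Warning \[ACOS\]:HTTP (?:header|line)\b.*too long")
FAIL_RE = re.compile(TS + r" Info \[AFLEX\]:[^:]*:request failed for client "
                     r"(?P<client>\S+) on VIP (?P<vip>\S+)")

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE = """\
Jun 20 2017 13:18:45 Info [AFLEX]:logFails:request failed for client 198.51.100.20 on VIP 192.0.2.10
Jun 20 2017 13:20:01 Warning [ACOS]:HTTP line too long (len is 31415)
Jun 20 2017 13:20:01 Info [AFLEX]:logFails:request failed for client 203.0.113.7 on VIP 192.0.2.10
Jun 20 2017 13:24:30 Warning [ACOS]:HTTP header (len=122) "x-constructed" is too long
Jun 20 2017 13:24:31 Info [AFLEX]:logFails:request failed for client 203.0.113.7 on VIP 192.0.2.11
""".splitlines()

def _ts(text):
    # Collapse padding so single-digit days ("Jun  5 2017 ...") also parse.
    return datetime.strptime(" ".join(text.split()), "%b %d %Y %H:%M:%S")

def correlate(lines, window_s=5):
    """Count aFlex failures per (client, vip) logged within window_s
    seconds of any 'too long' warning; other failures are ignored."""
    warns, fails = [], []
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            warns.append(_ts(m["ts"]))
            continue
        m = FAIL_RE.search(line)
        if m:
            fails.append((_ts(m["ts"]), m["client"], m["vip"]))
    window = timedelta(seconds=window_s)
    hits = Counter()
    for ts, client, vip in fails:
        if any(abs(ts - w) <= window for w in warns):
            hits[(client, vip)] += 1
    return hits

if __name__ == "__main__":
    for (client, vip), n in correlate(SAMPLE).most_common():
        print(f"{client} -> {vip}: {n} failure(s) near a 'too long' warning")
```

A client that keeps appearing next to the warning across many events is the one to investigate; a single coincidence within the window is not conclusive.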
Comments
We are seeing the same message, and are equally clueless how to find which virtual-service is/are receiving these requests...
Any updates?