Options
count source IP with x-forwarded-for
Hi
May I count source IP with x-forwarded-for filed by aflex? ex: if one the same source IP connection more then 1000 in one min or 5 min, then log in syslog.
I have referred "rate-limit-connection-requests" tcl, like below:
when RULE_INIT {
set ::MAX_REQUESTS 1000
}
when HTTP_REQUEST {
if { [HTTP::header exists "X-Forwarded-For"] } {
set IP [getfield [HTTP::header X-Forwarded-For] "," 1]
} else { set IP [IP::client_addr]
}
if { [table lookup tmp_request $IP] == "" } {
table set tmp_request $IP 1
log "$IP -> request counter created"
}
set request_count [table incr tmp_request $IP]
if { $request_count > $::MAX_REQUESTS } {
log "$IP connection > $::MAX_REQUESTS "
}
}
But it seem accumulator IP in the table,can't count by timers(sec or min)
Does there have solution for this ?
Thanks.
May I count source IP with x-forwarded-for filed by aflex? ex: if one the same source IP connection more then 1000 in one min or 5 min, then log in syslog.
I have referred "rate-limit-connection-requests" tcl, like below:
when RULE_INIT {
set ::MAX_REQUESTS 1000
}
when HTTP_REQUEST {
if { [HTTP::header exists "X-Forwarded-For"] } {
set IP [getfield [HTTP::header X-Forwarded-For] "," 1]
} else { set IP [IP::client_addr]
}
if { [table lookup tmp_request $IP] == "" } {
table set tmp_request $IP 1
log "$IP -> request counter created"
}
set request_count [table incr tmp_request $IP]
if { $request_count > $::MAX_REQUESTS } {
log "$IP connection > $::MAX_REQUESTS "
}
}
But it seem accumulator IP in the table,can't count by timers(sec or min)
Does there have solution for this ?
Thanks.
0
Comments
Hope this works for you.
when RULE_INIT {
set ::MAX_REQUESTS 100
# timelimit in seconds
set ::TIMELIMIT 60
}
when HTTP_REQUEST {
if { [HTTP::header exists "X-Forwarded-For"] } {
set IP [getfield [HTTP::header X-Forwarded-For] “,” 1]
} else { set IP [IP::client_addr]
}
# Check if there is an entry for the client_addr in the table
if { [ table lookup tmp_table -notouch $IP ] != "" } {
# If the value is less than MAX_REQUESTS (1000) increment it by one
if { [ table lookup tmp_table -notouch $IP ] < $::MAX_REQUESTS } {
log "Number of requests from client = [ table lookup tmp_table -notouch $IP ]"
table incr tmp_table -notouch $IP 1
} else {
# log the message with the ratelimit exceeds
log "Client has exceeded the number of allowed requests of [ table lookup tmp_table -notouch $IP ]"
}
} else {
# If there is no entry for the client_addr create a new table to track number of HTTP_REQUEST. timeout is set to TIMELIMIT mentioned
log " Table created for $IP "
table set tmp_table $IP 1 $::TIMELIMIT
}
}
#the table with client IP, timeout will be the TIMELIMIT mentioned.
Thank you very much , this helpful for me.
Thank you again .
I get error message "aFleX syntax error: line 9: "unknown command "table"" when apply the aflex to AX serial ( it is work on ACOS serial ) , does AX serial not support "table" syntax?
Thanks for your support.