Manual Chapter: iRule events
Applies To: BIG-IP FPS
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.0
iRules® can subscribe to the ANTIFRAUD_ALERT event and the ANTIFRAUD_LOGIN event in Fraud Protection Service (FPS).
iRule event | Description |
---|---|
ANTIFRAUD_ALERT | Occurs when alerts are sent to the BIG-IP system. |
ANTIFRAUD_LOGIN | Occurs when a user successfully logs in to the profile. If login validation is not configured, this event can occur when only the user name is identified. |
iRule Examples
The following example shows how an iRule uses the ANTIFRAUD_ALERT event to log all available information about an alert that was sent by the BIG-IP system to the location /var/log/ltm.

```tcl
when ANTIFRAUD_ALERT {
    # Banner line marks the start of one alert in the log
    log local0. "=========Anti-Fraud Alert========="
    log local0. "Alert Identifier: [ANTIFRAUD::alert_id]"
    log local0. "Alert Type: [ANTIFRAUD::alert_type]"
    log local0. "Alert Component: [ANTIFRAUD::alert_component]"
    log local0. "Alert Details: [ANTIFRAUD::alert_details]"
    log local0. "Alert GUID: [ANTIFRAUD::alert_guid]"
    log local0. "Alert Device ID: [ANTIFRAUD::alert_device_id]"
    log local0. "Alert License ID: [ANTIFRAUD::alert_license_id]"
    log local0. "Alert Score: [ANTIFRAUD::alert_score]"
    log local0. "Alert Transaction Data: [ANTIFRAUD::alert_transaction_data]"
    log local0. "Alert Username: [ANTIFRAUD::alert_username]"
    log local0. "Alert HTTP Referrer: [ANTIFRAUD::alert_http_referrer]"
    log local0. "Alert Additional Info: [ANTIFRAUD::alert_additional_info]"
    log local0. "Alert min parameter: [ANTIFRAUD::alert_min]"
    log local0. "Alert HTML: [ANTIFRAUD::alert_html]"
}
```
The following example shows how an iRule uses the ANTIFRAUD_ALERT event to disable a specific alert according to its type.

```tcl
when ANTIFRAUD_ALERT {
    # Suppress only alerts of type components_validation
    if {[ANTIFRAUD::alert_type] eq "components_validation"} {
        log local0. "Alert Type is components validation"
        ANTIFRAUD::disable_alert
        log local0. "Disabled Alert"
    }
}
```
The following example shows how an iRule uses the ANTIFRAUD_LOGIN event with its commands.

```tcl
when ANTIFRAUD_LOGIN {
    log local0. "=========Anti-Fraud Login========="
    # read mode
    log local0. "Username: [ANTIFRAUD::username]"
    log local0. "GUID: [ANTIFRAUD::guid]"
    # write mode
    ANTIFRAUD::username "other_user"
}
```
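The first iRule above writes one log line per alert field, so a log consumer has to regroup those lines before it can alert on them. The following Python is an added example, not part of the F5 documentation: it rebuilds one record per alert from /var/log/ltm lines, assuming the syslog line layout shown, that lines from different TMM instances may interleave, and that the tag (tmm, tmm1, ...) identifies the instance; the rule name `fps_alert_log` and the sample lines are constructed.

```python
import re
from collections import Counter

BANNER = "=========Anti-Fraud Alert========="   # first line the logging iRule writes
# Assumed /var/log/ltm layout for iRule log output (optional message-ID prefix);
# adjust the pattern to the syslog template in use.
LINE = re.compile(
    r"(?P<tmm>tmm\d*)\[\d+\]: (?:\w+:\d+: )?Rule \S+ <ANTIFRAUD_ALERT>: ?(?P<msg>.*)$")

def parse_alerts(lines):
    """Regroup the per-field log lines into one dict per alert.

    Each TMM instance writes its alert's lines in order, but lines from
    different instances may interleave, so open records are tracked per tag.
    """
    open_by_tmm, alerts = {}, []
    for line in lines:
        m = LINE.search(line.rstrip("\n"))
        if not m:
            continue                          # not written by the alert iRule
        tmm, msg = m["tmm"], m["msg"].strip()
        if msg == BANNER:                     # a new alert starts on this TMM
            open_by_tmm[tmm] = {}
            alerts.append(open_by_tmm[tmm])
            continue
        label, sep, value = msg.partition(":")
        if sep and tmm in open_by_tmm:        # drop field lines with no banner
            open_by_tmm[tmm][label] = value.strip()
    return alerts

def summarize(alerts):
    """Return (alerts per type, usernames seen per type)."""
    counts, users = Counter(), {}
    for a in alerts:
        kind = a.get("Alert Type") or "unknown"
        counts[kind] += 1
        if a.get("Alert Username"):
            users.setdefault(kind, set()).add(a["Alert Username"])
    return counts, users

# Constructed sample: two alerts whose lines interleave across tmm and tmm1.
FMT = "Mar  3 10:15:02 bigip1 info {}[21034]: Rule /Common/fps_alert_log <ANTIFRAUD_ALERT>: {}"
SAMPLE = [FMT.format(t, m) for t, m in [
    ("tmm", BANNER), ("tmm", "Alert Identifier: d4"), ("tmm1", BANNER),
    ("tmm", "Alert Type: components_validation"),
    ("tmm1", "Alert Type: external_sources"),
    ("tmm1", "Alert Username: alice"), ("tmm", "Alert Username: "),
]] + ["Mar  3 10:15:03 bigip1 info tmm[21034]: Rule /Common/other <HTTP_REQUEST>: x"]

if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE):
        print(alert)
    print(summarize(parse_alerts(SAMPLE)))
```

The record keys are the labels from the logging iRule ("Alert Type", "Alert Username", and so on), so changing a label in the iRule changes the key here.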
Values for iRule commands
The following values can be used in iRule commands:
Value | Description |
---|---|
alert_id | For example, d4. |
alert_type | The type of alert. |
alert_component | An error type that is determined according to the alert_type. |
alert_details | Additional information regarding the alert. |
alert_guid | Used to identify which users have been infected with malware before the user logs in. |
alert_device_id | Persistent browser identifier. |
alert_license_id | CRC32 of the license ID, in hex. |
alert_score | The score of the vtoken alert; this is the sum of all the vtoken errors found. |
alert_transaction_data | Key-value list of all parameters marked to be attached. |
alert_username | Usually just a username, except for the vtrack phishing user alert, where it is the username and all key-value pairs of the fields the customer chooses to see. It is possible to use additional arguments to override the current user name (write mode), as shown in the ANTIFRAUD_LOGIN example above. |
alert_http_referrer | The URL of the site that was visited just before the Alert URL was visited. |
alert_additional_info | A list of keys and values that describes the failure of the integrity parameters check, or the "parameter values too long" error message. |
alert_forbidden_added_element | For the external_sources alert. Contains the forbidden added HTML element and its content, in an escaped base64 format. |
alert_bait_signatures | For the trojan_bait alert. Contains the bait_signatures in an escaped base64 format. |
alert_html | The entire HTML content in an escaped base64 format. |
disable_alert | Disables the current alert. |
https://devcentral.f5.com/irules