Manual Chapter : iRule events

Applies To:

BIG-IP FPS

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.0

iRule events

iRules® can subscribe to the ANTIFRAUD_ALERT event and the ANTIFRAUD_LOGIN event in Fraud Protection Service (FPS).

| iRule event | Description |
|---|---|
| ANTIFRAUD_ALERT | Occurs when alerts are sent to the BIG-IP system. |
| ANTIFRAUD_LOGIN | Occurs when a user successfully logs in to the profile. If login validation is not configured, this event can occur when only the user name is identified. |

iRule Examples

The following example shows how an iRule uses the ANTIFRAUD_ALERT event to log, to /var/log/ltm, all available information about an alert that was sent by the BIG-IP system.

    when ANTIFRAUD_ALERT {
        # One log line per alert field
        log local0. "=========Anti-Fraud Alert========="
        log local0. "Alert Identifier: [ANTIFRAUD::alert_id]"
        log local0. "Alert Type: [ANTIFRAUD::alert_type]"
        log local0. "Alert Component: [ANTIFRAUD::alert_component]"
        log local0. "Alert Details: [ANTIFRAUD::alert_details]"
        log local0. "Alert GUID: [ANTIFRAUD::alert_guid]"
        log local0. "Alert Device ID: [ANTIFRAUD::alert_device_id]"
        log local0. "Alert License ID: [ANTIFRAUD::alert_license_id]"
        log local0. "Alert Score: [ANTIFRAUD::alert_score]"
        log local0. "Alert Transaction Data: [ANTIFRAUD::alert_transaction_data]"
        log local0. "Alert Username: [ANTIFRAUD::alert_username]"
        log local0. "Alert HTTP Referrer: [ANTIFRAUD::alert_http_referrer]"
        log local0. "Alert Additional Info: [ANTIFRAUD::alert_additional_info]"
        log local0. "Alert min parameter: [ANTIFRAUD::alert_min]"
        log local0. "Alert HTML: [ANTIFRAUD::alert_html]"
    }
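The logging iRule above writes one /var/log/ltm line per field, so alerts handled by different TMM instances can interleave in the file. The following added example (not F5's code) regroups those lines into one record per alert for triage. Assumptions: the log-line prefix shape, the rule name /Common/fps_alert_log, the host, PID and usernames are constructed for illustration, and each TMM instance writes the lines of one alert contiguously.

```python
import re

BANNER = "=========Anti-Fraud Alert========="
# Assumed /var/log/ltm shape: "<date> <host> info tmmN[pid]: Rule <path> <ANTIFRAUD_ALERT>: <text>"
LINE_RE = re.compile(r"(?P<proc>tmm\d*\[\d+\]): Rule \S+ <ANTIFRAUD_ALERT>: (?P<msg>.*)$")

def sample_line(tmm, msg):
    # Builds one constructed log line; host, PID and rule name are made up.
    return f"Jan 10 09:15:01 bigip1 info {tmm}[11234]: Rule /Common/fps_alert_log <ANTIFRAUD_ALERT>: {msg}"

# Constructed sample, not real data: two alerts interleaved by two TMM instances,
# with only some of the fields the logging iRule writes.
SAMPLE = [
    sample_line("tmm", BANNER),
    sample_line("tmm1", BANNER),
    sample_line("tmm", "Alert Identifier: d4"),
    sample_line("tmm1", "Alert Type: trojan_bait"),
    sample_line("tmm", "Alert Type: components_validation"),
    "Jan 10 09:15:01 bigip1 notice mcpd[5012]: unrelated constructed line",
    sample_line("tmm1", "Alert Username: bob"),
    sample_line("tmm", "Alert Username: alice"),
    sample_line("tmm", "Alert HTTP Referrer: https://bank.example/login"),
]

def parse_alerts(lines):
    """Group per-field log lines into one dict per alert, in order of first appearance."""
    open_by_proc, alerts = {}, []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not written from the ANTIFRAUD_ALERT event
        proc, msg = m.group("proc"), m.group("msg").strip()
        if msg == BANNER:
            # The banner is the first line of each alert, so it opens a new record for this TMM.
            open_by_proc[proc] = {"proc": proc}
            alerts.append(open_by_proc[proc])
        elif proc in open_by_proc and ":" in msg:
            # Split on the first colon only: values such as URLs contain colons too.
            label, _, value = msg.partition(":")
            open_by_proc[proc][label.strip()] = value.strip()
    return alerts

def types_by_user(alerts):
    """Map each logged username to the set of alert types raised for it."""
    result = {}
    for alert in alerts:
        result.setdefault(alert.get("Alert Username", ""), set()).add(alert.get("Alert Type", ""))
    return result

if __name__ == "__main__":
    for user, types in types_by_user(parse_alerts(SAMPLE)).items():
        print(user, sorted(types))
```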
The following example shows how an iRule uses the ANTIFRAUD_ALERT event to disable a specific alert according to its type.

    when ANTIFRAUD_ALERT {
        # Disable only alerts whose type is components_validation
        if {[ANTIFRAUD::alert_type] eq "components_validation"} {
            log local0. "Alert Type is components validation"
            ANTIFRAUD::disable_alert
            log local0. "Disabled Alert"
        }
    }

The following example shows how an iRule uses the ANTIFRAUD_LOGIN event with its commands.

    when ANTIFRAUD_LOGIN {
        log local0. "=========Anti-Fraud Login========="
        # read mode
        log local0. "Username: [ANTIFRAUD::username]"
        log local0. "GUID: [ANTIFRAUD::guid]"
        # write mode
        ANTIFRAUD::username "other_user"
    }

Values for iRule commands

The following values can be used in iRule commands:
| Value | Description |
|---|---|
| alert_id | For example, d4. |
| alert_type | The type of alert. |
| alert_component | An error type that is determined according to the alert_type. |
| alert_details | Additional information regarding the alert. |
| alert_guid | Used to identify which users have been infected with malware before the user logs in. |
| alert_device_id | Persistent browser identifier. |
| alert_license_id | CRC32 of the license ID, in hex. |
| alert_score | The score of the vtoken alert; this is the sum of all the vtoken errors found. |
| alert_transaction_data | Key-value list of all parameters marked to be attached. |
| alert_username | Usually just a username, except for the vtrack phishing user alert, where it is the username and all key-value pairs of the fields the customer chooses to see. It is possible to use additional arguments to override the current user name (write mode), as shown in the ANTIFRAUD_LOGIN example above. |
| alert_http_referrer | The URL of the site that was visited just before the Alert URL was visited. |
| alert_additional_info | A list of keys and values that describes the failure of the integrity parameters check, or the "parameter values too long" error message. |
| alert_forbidden_added_element | For the external_sources alert. Contains the forbidden added HTML element and its content, in an escaped base64 format. |
| alert_bait_signatures | For the trojan_bait alert. Contains the bait_signatures in an escaped base64 format. |
| alert_html | The entire HTML content in an escaped base64 format. |
| disable_alert | Disables the current alert. |

For more information about iRules, go to F5 Networks DevCentral (https://devcentral.f5.com/irules).