Problem: F5 iRules with “class match” crash sometimes with this message:
/Common/UA_DETECT
– ambiguous option “-“: must be -all, -index, -element, -name, or -value while executing “class match [string tolower [HTTP::header User-Agent]] contains UA_STRINGS”
Discussion: the class match command has optional parameters, when the HTTP header User-Agent starts with a “-” it gets intepreted by the tcl interpreter. This is dangerous, because it’s actually a kind of code injection, with possible terrible impact.
Solution: add “‐‐” as first parameter to the class match command
class match ‐‐ [string tolower [HTTP::header User-Agent]] contains UA_STRINGS
Version: F5 LTM 12.1.2