Forum Discussion
Kevin_Stewart
Oct 15, 2013 (Employee)
Something like this maybe:
when HTTP_REQUEST {
    if { not ( [class match [string tolower [HTTP::uri]] starts_with restrict_uri_dg] ) and not ( [class match [IP::client_addr] equals private_net] ) } {
        log local0. "rejected request for [HTTP::uri] from [IP::client_addr]"
        reject
    }
}
where "restrict_uri_dg" is a string-based data group containing URI paths that are allowed. Example (note everything is lower case):
/smapps/f?p=202 := 1
/smapps/f?p=cac := 1
and "private_net" is an address-based data group containing the RFC 1918 address space. Example:
10.0.0.0/255.0.0.0
172.16.0.0/255.240.0.0
192.168.0.0/255.255.0.0
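An added example, not part of the post above and not BIG-IP code: a Python model of the iRule's decision (lower-cased prefix match against the allow-list, then RFC 1918 check) plus a validator for address data-group masks. The data-group names and the entries are taken from the post; the sample URIs and client addresses are constructed.

```python
import ipaddress

# Allow-listed URI prefixes, lower case as the string data group expects.
RESTRICT_URI_DG = ["/smapps/f?p=202", "/smapps/f?p=cac"]
# RFC 1918 space in the network/netmask form used by the address data group.
PRIVATE_NET_ENTRIES = ["10.0.0.0/255.0.0.0",
                       "172.16.0.0/255.240.0.0",
                       "192.168.0.0/255.255.0.0"]
PRIVATE_NET = [ipaddress.ip_network(e) for e in PRIVATE_NET_ENTRIES]


def uri_allowed(uri):
    """Mirror `class match [string tolower [HTTP::uri]] starts_with ...`.

    Note that starts_with is a prefix test: "/smapps/f?p=2020" also passes.
    """
    u = uri.lower()
    return any(u.startswith(prefix) for prefix in RESTRICT_URI_DG)


def client_private(addr):
    """Mirror `class match [IP::client_addr] equals private_net`."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NET)


def decision(uri, addr):
    """Return 'reject' or 'allow', as the HTTP_REQUEST event above would."""
    if not uri_allowed(uri) and not client_private(addr):
        return "reject"
    return "allow"


def valid_mask_entry(entry):
    """Check that a network/netmask data-group entry has a contiguous mask.

    A typo such as 225.240.0.0 is not a valid netmask and would silently
    break the private-network check, so validate entries before loading.
    """
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for uri, addr in [("/smapps/f?p=202", "203.0.113.5"),
                      ("/admin", "203.0.113.5"),
                      ("/admin", "10.1.2.3")]:
        print(uri, addr, "->", decision(uri, addr))
```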