F5Hopper_28651
Sep 27, 2012 Nimbostratus
Regex in iRule
I'm making a rule to catch bad code being in HTTP POST.
For some reason we have some sites trying to do some sort of XSS attack, but posting URL strings in the POST and then they get a 500 error. I'm trying to write a rule but can't get it sorted out.
when RULE_INIT {
    set ::vDebug 1
}
when HTTP_REQUEST {
    if { [HTTP::query] matches_regex {<[a-zA-Z!]} } {
        if { $::vDebug } {
            log local0. "Triggered by IP [IP::client_addr] with URI [HTTP::uri]"
        }
        reject
    }
}
Not sure if I'm even in the right ballpark on this one, I just want to catch in HTTP POST, not every connection.
Please see below for possible samples:
"
"
"
Thanks
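
Added example, not part of the original post: one way to apply the same regex to the POST body only, by collecting the payload and checking it in HTTP_REQUEST_DATA instead of testing [HTTP::query]. The static:: variable names and the 1 MB collection cap are assumptions made for illustration.

```tcl
# Added example (not from the original post). static::xss_debug and
# static::xss_max_collect are hypothetical names; the 1 MB cap is an assumption.
when RULE_INIT {
    set static::xss_debug 1
    set static::xss_max_collect 1048576
}

when HTTP_REQUEST {
    # Only POST requests are inspected; everything else passes untouched.
    if { [HTTP::method] ne "POST" } { return }

    # Chunked or empty bodies carry no usable Content-Length and are skipped here.
    set clen [HTTP::header value "Content-Length"]
    if { ![string is integer -strict $clen] || $clen <= 0 } { return }

    # Bound buffering so a large upload cannot exhaust memory.
    if { $clen > $static::xss_max_collect } { set clen $static::xss_max_collect }
    HTTP::collect $clen
}

when HTTP_REQUEST_DATA {
    # Form bodies are URL-encoded, so "<" usually arrives as %3C; decode first.
    set body [URI::decode [HTTP::payload]]

    if { $body matches_regex {<[a-zA-Z!]} } {
        if { $static::xss_debug } {
            log local0. "POST body matched from [IP::client_addr] for URI [HTTP::uri]"
        }
        reject
        return
    }
    # No match: the collected payload is released implicitly when this event ends.
}
```

Bodies larger than the cap are only inspected up to the cap, and requests sent with chunked encoding are not inspected by this rule.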