Forum Discussion

axteliano_34959's avatar
axteliano_34959
Icon for Nimbostratus rankNimbostratus
Mar 23, 2018

Trying to Block a http-uri with irule

Resolved:

my irule its worked after to 20 minute. i didn´t need to modified nothing. thanks alot

Hi I want to config new iRule to block URL, for example: I need to block the next url:

"23/Mar/2018:00:26:13 -0600" "172.17.73.1" "10.25.13.51" "943BB11603D4" "GET /Mirada_Test-portal-fw-war-11.6.3/private/poll2.ajax?hash=-1314623823 HTTP/1.1" 200 54 "75
`


but the content after of hash is variante.

this is my irule but dont work:

`when HTTP_REQUEST {
     if { [string tolower [HTTP::uri]] starts_with "/Mirada_Test-portal-fw-war-11.6.3/private/poll2.ajax*" } {
     drop
    }
}

do you have any idea, why dont work this?

4 Replies

    • axteliano_34959's avatar
      axteliano_34959
      Icon for Nimbostratus rankNimbostratus

      thanks, but my irule its worked after to 20 minute. i didn´t need to modified nothing. thanks alot

       

  • Impressive! This code can't work and you say it's now working.

     

    there are 2 issues in the code:

     

    • string "/Mirada_Test-portal" can't match a string forced to lower case
    • even if you remove the string tolower, the character * in the condition is not in the requested URI. it is not used as a wildcard.

    try this:

     

    when HTTP_REQUEST {
         if { [string tolower [HTTP::path]] equals "/mirada_test-portal-fw-war-11.6.3/private/poll2.ajax" } {
         drop
        }
    }
  • Dear axteliano,

     

    I'm very new in F5, but why don't you try to create a signature to block this?

     

    Fo my example, I've created a rule to block /etc/passwd, ignore the fact that this already exists into ASM database signatures.

     

    Sould be similar to:

     

    1 - Security -> Options -> Application Security -> Attack Signatures -> Create...

     

    Name:Attempt Password File

     

    Systems: Unix/Linux

     

    Attack Types: Information Leakage

     

    Rule: uricontent:"/etc/passwd"; nocase; objonly;

     

    Accurancy: Low

     

    Risk: High

     

    2 - To define block:

     

    2.1 - Security -> Application Security -> Attack Signatures -> Find the name, "Attempt Password File"

     

    2.2 - Select it and Change Properties Enable: Yes

     

    Perform Staging: No

     

    2.3 - Apply changes to Selected Attack Signatures

     

    2.4 - Apply Policy

     

    Best Regards

     

    Barone