Forum Discussion
Thomas_89569
Nimbostratus
Mar 04, 2010
Blocking access to a URI with parameters?
I have a url that looks something like this:
https://mysite.here.com/foo/PROGRAM?Evil.Stuff.To.Block=Y&AppSignon=UIDTOBLOCK
I want to 'block' it if it is seen or matches. What wo...
hoolio
Cirrostratus
Mar 04, 2010
Hi Thomas,
The simplest option would be to not configure a query string length on the no_ext file type (object type in 9.x). If you do need to allow a query string for some no_ext filetypes but not one in particular, you could use a custom attack signature applied to URIs.
The syntax for attack signatures is described in the ASM config guide:
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_config_guide_10_1/asm_apx_attack_sig_syntax.html
Using the uricontent rule option
The uricontent rule option matches when the specified string is found anywhere in the normalized URI, including the query string. The string match is case-sensitive, and must be exact. You can use the not character (!) in front of the string if you want the system to match when it does not find the exact specified string. Figure C.2 shows syntax examples for the uricontent keyword.
If you want to use a regex, you can follow these guidelines:
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_config_guide_10_1/asm_apx_attack_sig_syntax.html1014353
Summary of pcre modifiers
You can use the following modifiers with the pcre rule option. Table C.5 describes the scope modifiers. You can use only one scope modifier for the pcre rule option.
...
Check the URI with case-insensitivity for program? followed by anything in the URI.
pcre:"/program\?.+/Ui";
I haven't tested this, but I think it should work for your scenario.
You'd want to add the custom attack sig to an existing attack sig set that's applied to the policy or create a custom attack sig set with this sig in it and then add that to the policy.
Aaron
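Added example (not part of the original posts and not F5 code): a small Python harness that models the two options from the answer, the `pcre` signature and a `uricontent` string, so their coverage and false positives can be compared on sample URIs before the signature is added to a policy. The `uricontent` value and the sample URIs are constructed from the URL in the question, and ASM's URI normalization is approximated here by percent-decoding only.

```python
import re
from urllib.parse import unquote

# The pcre option from the answer: pcre:"/program\?.+/Ui";
# 'i' is modelled with re.IGNORECASE; 'U' by matching the decoded URI.
PCRE_SIG = re.compile(r"program\?.+", re.IGNORECASE)

# Assumed uricontent string, taken from the URL in the question.
URICONTENT_SIG = "Evil.Stuff.To.Block=Y"


def normalize(uri: str) -> str:
    """Assumption: normalization is approximated by percent-decoding."""
    return unquote(uri)


def pcre_hit(uri: str) -> bool:
    """True if the pcre signature would match this URI."""
    return PCRE_SIG.search(normalize(uri)) is not None


def uricontent_hit(uri: str) -> bool:
    """uricontent: exact, case-sensitive substring, query string included."""
    return URICONTENT_SIG in normalize(uri)


# Constructed sample request URIs (not real traffic).
SAMPLES = [
    "/foo/PROGRAM?Evil.Stuff.To.Block=Y&AppSignon=UIDTOBLOCK",
    "/foo/program?evil.stuff.to.block=y&AppSignon=UIDTOBLOCK",
    "/foo/PROGRAM?Evil%2EStuff.To.Block=Y",
    "/foo/PROGRAM?AppSignon=SOMEOTHERUSER",
    "/foo/PROGRAM",
    "/foo/PROGRAM?",
]


def evaluate(samples):
    """Return (uri, pcre_hit, uricontent_hit) for each sample."""
    return [(u, pcre_hit(u), uricontent_hit(u)) for u in samples]


if __name__ == "__main__":
    for uri, p, c in evaluate(SAMPLES):
        print(f"pcre={p!s:5} uricontent={c!s:5} {uri}")
```

The fourth sample shows that the `pcre` signature flags any non-empty query string on PROGRAM, including ones that may be legitimate, while the second shows the case-sensitive `uricontent` match missing a lower-case variant.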