Forum Discussion
laga44_77816
Nimbostratus
Aug 07, 2008
blocking content with iRules
Hi, I'm looking for a sample to block a specific parameter from an HTTP request URL query string.
As an example, if someone hits our site with
http://test.test.11/dir/1315=bad2144
I'd like to block "bad2144", either by dropping the connection or with a redirect.
Is this possible? Has anyone done this before?
Thank you,
R
12 Replies
Sure thing. In your example "/dir/1315=bad2144" is contained in the HTTP::uri variable. If you are looking just for "bad2144" then this should work.
when HTTP_REQUEST { if { [string tolower [HTTP::uri]] contains "bad2144" } { drop } }
You could replace "drop" with a "HTTP::redirect new_url" if you want to issue a redirect.
Also, if you want to be more specific about your match or match more than one value then you can make use of a switch statement.
-Joe
laga44_77816
Nimbostratus
Thank you very much. If I wanted to exclude a specific HTTP URL, do I add it in front of this rule?
Is there any example you can give?
hoolio
Cirrostratus
Is the bad string found in a parameter value (/dir/1315?param=bad2144)? If so, you might want to verify whether the application accepts the same parameter in the payload of a POST request. A malicious user could potentially use an interception proxy to modify the request from a GET to a POST and include the parameter in the POST data. Also, for the URI check, you could be more specific using HTTP::query.
If you want to only check for the bad2144 string for a specific URI, you could add a check:
if {[HTTP::uri] starts_with "/some/path" && [HTTP::query] contains "bad2144"}{
    drop
}
If the app is not case sensitive, you could set the URI to lower case:
if {[string tolower [HTTP::uri]] starts_with "/some/path" && [HTTP::query] contains "bad2144"}{
    drop
}
Aaron
laga44_77816
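Putting the points from this answer together, as an added example that is not from the thread: the check is scoped to one path, compared case-insensitively, applied to HTTP::query for GET-style parameters and, because the same parameter can be resubmitted in a POST body, to the collected payload as well. The path "/some/path", the redirect target and the 1 MB collection limit are assumed placeholders.

```tcl
# Added example, not from the original thread. Assumed values: the protected
# path "/some/path", the redirect target and the payload size limit.
when HTTP_REQUEST {
    # Only inspect requests under the protected path (case-insensitive)
    if { [string tolower [HTTP::uri]] starts_with "/some/path" } {
        # GET-style parameters live in the query string
        if { [string tolower [HTTP::query]] contains "bad2144" } {
            log local0. "Blocked query from [IP::client_addr]: [HTTP::uri]"
            HTTP::redirect "http://www.example.com/blocked.html"
            return
        }
        # The same parameter may arrive in a POST body; collect it so it can
        # be inspected in HTTP_REQUEST_DATA. Cap the size to avoid buffering
        # arbitrarily large bodies on the BIG-IP.
        if { [HTTP::method] equals "POST" && [HTTP::header exists "Content-Length"] } {
            set clen [HTTP::header "Content-Length"]
            if { $clen > 0 && $clen < 1048576 } {
                HTTP::collect $clen
            }
        }
    }
}
when HTTP_REQUEST_DATA {
    # Fires once the collected payload is available
    if { [string tolower [HTTP::payload]] contains "bad2144" } {
        log local0. "Blocked POST body from [IP::client_addr]: [HTTP::uri]"
        HTTP::redirect "http://www.example.com/blocked.html"
        return
    }
    # Nothing matched: let the request continue to the pool
    HTTP::release
}
```

Log lines go to /var/log/ltm, as noted later in the thread, so a dropped or redirected request can be confirmed there rather than only from the browser.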
Nimbostratus
Here is an example of what I dream of doing.
Would this work? Is there a way I can specify a URL instead of an IP?
class WebServers {
host 10.10.5.2
host 10.10.5.3
network 10.10.0.0/16
}
class BadStrings {
";declare"
";select"
";insert"
";update"
";delete"
";exec"
";sp"
" " " " }
when HTTP_REQUEST {
if { [matchclass [IP::server_addr] equals $::WebServers]} {
if { [matchclass [string tolower [HTTP::uri]] equals $::BadStrings]} {
drop
}
}
}
laga44_77816
Nimbostratus
Thank you. When I run this script, I get
01070151:3: Rule [sql_injections] error: line 1: [undefined procedure: class] [class Hosts { host 10.5.5.2 host 10.5.5.3 }]
Here is my iRule.
----------
class Hosts {
host 10.5.5.2
host 10.5.5.3
}
class badStrings {
";declare"
";select"
";insert"
";update"
";delete"
";exec"
";sp"
" " " " }
when HTTP_REQUEST {
if { [matchclass [IP::server_addr] equals $::Hosts]} {
if { [matchclass [string tolower [HTTP::uri]] equals $::badStrings]} {
log local0. "Dropping URI: [HTTP::uri]"
drop
}
}
}
Andy_Herrman_22
Nimbostratus
The class definitions aren't part of the iRule itself. You'd need to create those separately, either through bigpipe commands or in the management interface.
Note, "class" is also known as "data group". Either term can mean the same thing. I believe the management interface lists them as Data groups.
laga44_77816
Nimbostratus
When I add the classes through the GUI, it doesn't seem to like the strings I'm typing in, because when I go back to look at the badStrings class, half the strings I've entered are missing.
I've tried the below with the quotes and I've also tried without the quotes.
I have to leave out the ; too, and then when I go back in all of them are present.
Anyway, I tried to test whether it drops the connection by hitting our site with
http://www.mysite333.net/file4.cfm;declare
I get a page instead of a dropped connection. Do you know where the logging is done for BIG-IP? I checked all the logs on BIG-IP but don't see anything being logged for dropped connections.
Strings:
";declare"
";select"
";insert"
";update"
";delete"
";exec"
";sp"
" " " "
hoolio
Cirrostratus
Can you log the value of the class from the iRule to see what's been added (log local0. "class \$::badStrings: $::badStrings")? Or more accurately, can you list the contents using 'b class badStrings list'? You may need to escape the ; with \. If you use log local0. "some string", the output is written by default to /var/log/ltm. TCL errors from iRules would also be written to the ltm log file.
Aaron
laga44_77816
Nimbostratus
When I do a "class list all" through the console, I get
class badStrings {
";DECLARE"
";delete"
";exec"
";insert"
";select"
";sp"
";update"
which looks fine.
I'll check the logs.
laga44_77816
Nimbostratus
The iRule I created is below. I get a syntax error.
when HTTP_REQUEST {
if { [matchclass [IP::server_addr] equals $::Hosts]} {
if { [matchclass [string tolower [HTTP::uri]] equals $::badStrings]} {
(log local0."class \$::badStrings: $::badStrings"
drop
}
}
}
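The thread ends before the data-group version is working, so here is an added example (not posted in the thread) showing how that iRule can be written for a BIG-IP of this era. It assumes a string data group named badStrings created outside the iRule (via the GUI or bigpipe, as Andy describes) with lower-case entries such as ";declare" and ";select". It scopes on the requested host name, which answers the question about specifying a URL instead of an IP, and uses the contains operator so an entry matches anywhere in the URI; the host name www.mysite333.net is taken from the test URL above and is illustrative.

```tcl
# Added example, not from the original thread. Assumes a string data group
# "badStrings" already exists and that its entries are lower case.
when HTTP_REQUEST {
    # Select by the requested host name rather than a server address: the
    # pool member is normally not chosen yet when HTTP_REQUEST fires for a
    # new connection, so IP::server_addr is not a reliable selector here.
    if { [string tolower [HTTP::host]] equals "www.mysite333.net" } {
        # Normalize once so the comparison is case-insensitive
        set uri [string tolower [HTTP::uri]]
        # "contains" asks whether the URI contains ANY entry of the class.
        # "equals" would only fire when the whole URI equals an entry, which
        # is why "/file4.cfm;declare" is not caught by an equals match.
        if { [matchclass $uri contains $::badStrings] } {
            log local0. "Dropping request from [IP::client_addr] to [HTTP::host]: $uri"
            drop
        }
    }
}
```

The log line lands in /var/log/ltm, which is where to look when checking whether the drop actually happened.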