Forum Discussion
How do I detect a web dav request?
I would like to drop any web dav calls being made. Does anyone know how this can be done?
ex)
when HTTP_REQUEST {
if { ([(WEB DAV) string tolower [HTTP::uri]] contains "xyz") } {
drop
return
}
}
Thanks.
Regards,
TRX
8 Replies
- hoolio
Cirrostratus
Hi TRX,
Here are two examples which deal with HTTP methods. If you're on 10.x and choose to store the methods you want to act on in a datagroup you should use the class command to do the lookup.
http://devcentral.f5.com/wiki/default.aspx/iRules/DisablingHTTPProcessingForUnrecognizedHTTPMethods.html
http://devcentral.f5.com/wiki/default.aspx/iRules/URIKeywordAndHTTPMethodFiltering.html
http://devcentral.f5.com/wiki/default.aspx/iRules/class
Aaron
- Thanks Aaron. We are NOT on version 10.x yet. I think this http://devcentral.f5.com/wiki/defau...thods.html example is sufficient. I will test and reply back with my results.
Regards,
TRX
- So it doesn't seem to be working. We still get this error in the IIS logs.
2011-06-13 18:21:58 W3SVC1 192.168.254.189 GET /Rejected-By-UrlScan ~/portal/site/erp/404/ 80 - 167.3.22.167 Microsoft-WebDAV-MiniRedir/5.1.2600 404 0 2
Here is the code I am using:
when HTTP_REQUEST {
    # selectively disable HTTP processing for specific request methods
    switch [HTTP::method] {
        "MOVE" -
        "COPY" -
        "LOCK" -
        "UNLOCK" -
        "PROPFIND" -
        "PROPPATCH" -
        "MKCOL" { HTTP::disable }
    }
}
So the WebDav is still getting through to the proxy server.
Any ideas on why the code is NOT dropping the request etc. on the f5 level?
Regards,
TRX
- hoolio
Cirrostratus
Try changing HTTP::disable to reject. HTTP::disable disables HTTP parsing of the request but still allows the request through to the pool. Reject will send a TCP reset.
Aaron
- Hello,
I want the request to drop completely and do NOT even execute any other IRules.
Would you use "disable" or "event disable all"?
Thanks.
Regards,
TRX
- hoolio
Cirrostratus
'event disable all' would prevent all further events from being run for the duration of the TCP connection. But reject should have the same effect as TMM will send the client a TCP reset and close the connection. I guess you could do both to be really complete:
when HTTP_REQUEST {
    # Send a TCP reset for WebDav methods
    switch [HTTP::method] {
        "MOVE" -
        "COPY" -
        "LOCK" -
        "UNLOCK" -
        "PROPFIND" -
        "PROPPATCH" -
        "MKCOL" {
            reject
            event all disable
        }
    }
}
Aaron
- Thanks!
- FAZ_79699
Nimbostratus
Did this work? I can't add both reject and "event all disable";
it throws an "unknown event" error.
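An added example, not part of any post in this thread: an iRule that combines the method list from the replies with a User-Agent check, because the IIS log line posted above records a GET from Microsoft-WebDAV-MiniRedir, which the method list alone does not match. The User-Agent substring is taken from that log line; the is_webdav variable and the log message format are assumptions of this example.

```tcl
when HTTP_REQUEST {
    set is_webdav 0

    # Methods listed in the thread.
    switch [HTTP::method] {
        "MOVE" -
        "COPY" -
        "LOCK" -
        "UNLOCK" -
        "PROPFIND" -
        "PROPPATCH" -
        "MKCOL" { set is_webdav 1 }
    }

    # The posted IIS log line shows method GET with this client string,
    # so also match the product token, ignoring case and version.
    if { [string tolower [HTTP::header "User-Agent"]] contains "microsoft-webdav-miniredir" } {
        set is_webdav 1
    }

    if { $is_webdav } {
        # Record what was rejected so the F5 log can be compared with the IIS log.
        log local0. "WebDAV request rejected: [IP::client_addr] [HTTP::method] [HTTP::uri]"
        # Send a TCP reset and close the connection.
        reject
        # Word order as written in the prose of the reply above.
        event disable all
        return
    }
}
```

The User-Agent header is client-supplied, so that match only covers clients that announce themselves; the method list remains the protocol-level check.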
