Forum Discussion
dariusz_19888
Nimbostratus
Aug 18, 2017
IRULE - if { [HTTP::uri] matches_regex...
Hello, I am trying to build an iRule which stops SQL injection - I have some problems with using regex.
Negation [^value] - https://support.f5.com/csp/article/K5917
"/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i"
"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix"
"/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I"
"/((\%3C)|<)[^\n]+((\%3E)|>)/I"
This is an example - how should I build the iRule if I would like to optimise the checking of regex and reduce CPU usage?
when HTTP_REQUEST {
    if { [HTTP::uri] matches_regex "/(\%27)|(\')|(\-\-)|(\%23)|()/ix" } { reject }
    if { [HTTP::uri] matches_regex "/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix" } { reject }
    if { [HTTP::uri] matches_regex "/((\%27)|(\'))union/ix" } { reject }
    if { [HTTP::uri] matches_regex "/exec(\s|\+)+(s|x)p\w+/ix" } { reject }
    if { [HTTP::uri] matches_regex "/((\%3D)|(=))*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i" } { reject }
    if { [HTTP::uri] matches_regex "/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I " } { reject }
    if { [HTTP::uri] matches_regex "/((\%3C)|<)[^\n]+((\%3E)|>)/I" } { reject }
    if { [HTTP::uri] matches_regex "//((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix" } { reject }
}
BR Darek
1 Reply
- Stanislas_Piro2
Cumulonimbus
To optimize CPU, you may use switch with the -regexp option.
https://devcentral.f5.com/wiki/iRules.switch.ashx
If you want to use if, use elseif for each subsequent condition. If a condition matches, your code checks the next conditions.
Do not use [HTTP::uri] multiple times; store it in a variable: [HTTP::uri] executes a command extracting the URI from the HTTP request.
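
The reply's advice applied to the SQL injection patterns from the question, as an added example that is not part of the original thread: the URI is read once and tested in a single `switch -regexp`, which stops at the first match. It assumes Tcl-style braced patterns and a lower-cased URI in place of the `/.../ix` delimiters and flags, and omits the empty `()` alternative from the first pattern because an empty alternative matches every URI; the `hit` variable and the log message are illustrative.

```tcl
when HTTP_REQUEST {
    # Read the URI once and lower-case it, so the patterns need no
    # case-insensitive flag and [HTTP::uri] is not re-evaluated per test.
    set uri [string tolower [HTTP::uri]]

    # switch stops at the first matching pattern. Patterns are braced so Tcl
    # performs no backslash or bracket substitution on them, and they carry
    # no /.../ix delimiters, which Tcl would treat as literal characters.
    # Order: specific patterns first, generic meta-characters last.
    # (Comments must stay outside the pattern list: switch would parse a
    # comment placed between patterns as a pattern/body pair.)
    switch -regexp -- $uri {
        {(%27|')union} {
            set hit "quote followed by union"
        }
        {\w*(%27|')(%6f|o|%4f)(%72|r|%52)} {
            set hit "quote followed by or"
        }
        {exec(\s|\+)+(s|x)p\w+} {
            set hit "exec of sp/xp procedure"
        }
        {%27|'|--|%23} {
            set hit "SQL meta-character"
        }
        default {
            set hit ""
        }
    }

    if { $hit ne "" } {
        # Log only the rule label, not the attacker-controlled URI.
        log local0. "Rejected [IP::client_addr]: $hit in URI"
        reject
    }
}
```

The last pattern rejects any URI containing a quote, `--` or `%23`, so legitimate requests that contain them are blocked as well; the specific patterns come first so the log label names the most precise match.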