Forum Discussion
Wizdem_38762
Dec 29, 2011 Nimbostratus
iRule to log for Microsoft Security Advisory (2659883) Vulnerability in ASP.NET Could Allow Denial of Service?
Hi,
Based on Microsoft's snort signature:
http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx
Ple...
hooleylist
Dec 29, 2011 Cirrostratus
Hi Peter,
I'm not sure you can use the {1000,} count syntax with TCL or iRules. Regardless, a string pattern should be more efficient than a regex. Here's an untested example:
    when RULE_INIT {
        # We want to check the payload for 500 or more parameter=value pairs
        set static::pattern "[string repeat *& 500]*"
    }
    when HTTP_REQUEST {
        # Collect up to 1Mb of POST data
        if { [HTTP::method] equals "POST" } {
            set clength 0
            # Use the Content-Length header when present and within the cap, else the cap
            if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576 } {
                set clength [HTTP::header Content-Length]
            } else {
                set clength 1048576
            }
            if { $clength > 0 } {
                HTTP::collect $clength
            }
        }
    }
    when HTTP_REQUEST_DATA {
        # Check if the collected payload matches the pattern
        if { [HTTP::payload] matches_glob $static::pattern } {
            log local0.alert "Microsoft Security Advisory (2659883)\
                IP Address [IP::client_addr]:[TCP::client_port] requested [HTTP::uri]"
            # Drop the request
            drop
        }
    }
Aaron
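An offline model of the iRule's decision logic, added here as an example and not part of the post above: it runs in plain tclsh and shows where the 500-separator threshold and the 1 MB collection cap fall. It counts `&` characters directly rather than using the glob pattern, and the proc names and sample bodies are constructed for illustration.

```tcl
# Added example (runs in tclsh); proc names and payloads are constructed.
set MAX_COLLECT 1048576    ;# same 1 MB collection cap as the iRule
set MIN_SEPARATORS 500     ;# the iRule's pattern needs 500 "&" characters

# Mirror of the Content-Length handling: use the header when it is present
# and within the cap, otherwise fall back to the cap.
proc collect_length {content_length} {
    global MAX_COLLECT
    if {$content_length ne "" && $content_length <= $MAX_COLLECT} {
        return $content_length
    }
    return $MAX_COLLECT
}

# Count "&" separators in the part of the body that would be collected.
proc separators_seen {payload content_length} {
    set n [collect_length $content_length]
    set seen [string range $payload 0 [expr {$n - 1}]]
    return [regexp -all {&} $seen]
}

# 1 when the collected part reaches the threshold, else 0.
proc would_drop {payload content_length} {
    global MIN_SEPARATORS
    return [expr {[separators_seen $payload $content_length] >= $MIN_SEPARATORS}]
}

# Constructed sample bodies.
set benign   "user=alice&lang=en&page=2"
set at_499   [string repeat "k=v&" 499]
set at_500   [string repeat "k=v&" 500]
# Larger than the cap: only the first 1 MB is inspected.
set over_cap "[string repeat a $MAX_COLLECT]$at_500"

foreach {name body} [list benign $benign at_499 $at_499 at_500 $at_500 over_cap $over_cap] {
    set len [string length $body]
    puts [format "%-8s length=%-8d separators=%-4d drop=%d" \
        $name $len [separators_seen $body $len] [would_drop $body $len]]
}
```

Running the same bodies through a test virtual server is a quick way to confirm the deployed rule logs and drops at the same boundary.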