Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Wizdem_38762's avatar
Wizdem_38762
Icon for Nimbostratus rankNimbostratus
14 years ago

iRule to log for Microsoft Security Advisory (2659883) Vulnerability in ASP.NET Could Allow Denial of Service?

Hi,     Based on Microsoft's snort signature:     http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx       Ple...
application delivery
dev
devops
irules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
14 years ago
I like that... I'm guessing it's more efficient and it's definitely more elegant. Also, I think most web apps don't normally use more than a 100 parameters for a single page. So basically you could do something like this: 

when HTTP_REQUEST {

 Collect up to 1Mb of POST data
if { [HTTP::method] equals "POST"}{ 
set clength 0
if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576 }{ 
set clength [HTTP::header Content-Length]
} else { 
set clength 1048576 
}
if { $clength > 0} {
HTTP::collect $clength
} 
}
}

when HTTP_REQUEST_DATA {

 Check if the collected payload contains more than 100 parameters
if { [llength [split [HTTP::payload] &]] > 100 } {
log local0.alert "Microsoft Security Advisory (2659883)\
IP Address [IP::client_addr]:[TCP::client_port] requested [HTTP::uri]"

 Drop the request
drop
}
}

Aaron