Forum Discussion

Wizdem_38762's avatar
Wizdem_38762
Icon for Nimbostratus rankNimbostratus
Dec 29, 2011

iRule to log for Microsoft Security Advisory (2659883) Vulnerability in ASP.NET Could Allow Denial of Service?

Hi,     Based on Microsoft's snort signature:     http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx       Ple...
application delivery
dev
devops
iRules
hooleylist's avatar
hooleylist
Icon for Cirrostratus rankCirrostratus
Jan 08, 2012
Here's another update which checks the query string for more than X parameters: 

when HTTP_REQUEST {

 Check if the query string contains more than 100 parameters
if { [llength [split [HTTP::query] &]] > 100 } {
log local0.alert "Microsoft Security Advisory (2659883)\
IP Address [IP::client_addr]:[TCP::client_port] requested [HTTP::uri]"

 Drop the request
drop
return
}

 Collect up to 1Mb of POST data
if { [HTTP::method] equals "POST"}{ 
set clength 0
if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576 }{ 
set clength [HTTP::header Content-Length]
} else { 
set clength 1048576 
}
if { $clength > 0} {
HTTP::collect $clength
} 
}
}

when HTTP_REQUEST_DATA {

 Check if the collected payload contains more than 100 parameters
if { [llength [split [HTTP::payload] &]] > 100 } {
log local0.alert "Microsoft Security Advisory (2659883)\
IP Address [IP::client_addr]:[TCP::client_port] requested [HTTP::uri]"

 Drop the request
drop
}
}

Aaron