For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Wizdem_38762's avatar
Wizdem_38762
Icon for Nimbostratus rankNimbostratus
Dec 29, 2011

iRule to log for Microsoft Security Advisory (2659883) Vulnerability in ASP.NET Could Allow Denial of Service?

Hi,     Based on Microsoft's snort signature:     http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx       Ple...
application delivery
dev
devops
iRules
Beinhard_8950's avatar
Beinhard_8950
Icon for Nimbostratus rankNimbostratus
Jan 16, 2012
Is the best way to use class match.?

 

 

Below i did a simple that pretty much is that if the URi:s in the group Uri_Parameters_Allowed, skip checking

 

 

when HTTP_REQUEST {

 

 

Check if the query string contains more than 100 parameters

 

if { ![class match [HTTP::uri] equals "Uri_Parameters_Allowed"] } {

 

if { [llength [split [HTTP::query] &]] > 100 } {

 

log local0.alert "Microsoft Security Advisory (2659883)\

 

IP Address [IP::client_addr]:[TCP::client_port] requested [HTTP::uri]"

 

 

Drop the request

 

drop

 

return

 

}

 

......................

 

 

But if you want to be alittle bit more specific, so that 1 datagroup is allowed to have 2000 parameters and the rest <50 and so on.

 

 

 

/Beinhard