Forum Discussion

Wizdem_38762
Dec 29, 2011

iRule to log for Microsoft Security Advisory (2659883) Vulnerability in ASP.NET Could Allow Denial of Service?

Hi,

Based on Microsoft's snort signature:

http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx

Please comment on or verify the following iRule:

This iRule checks for an HTTP POST that contains "application/x-www-form-urlencoded".

Then it collects the HTTP payload data and tries to match it with Microsoft's snort signature.

Logs the local.alert, client IP and port, and HTTP URI.

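when HTTP_REQUEST {
    # Only POST requests carry a form body worth inspecting
    if { [HTTP::method] equals "POST" } {
        set clength 0
        # Form-encoded body with a known length: collect exactly that many bytes
        if { [HTTP::header exists "Content-Length"] && [HTTP::header Content-Length] > 0 && [HTTP::header Content-Type] contains "application/x-www-form-urlencoded" } {
            set clength [HTTP::header Content-Length]
        } else {
            # Otherwise collect up to 1 MB
            set clength 1048576
        }
        if { [info exists clength] && $clength > 0 } {
            HTTP::collect $clength
        }
    }
}

when HTTP_REQUEST_DATA {
    # Microsoft's signature: 1000 or more consecutive \w*(&|=) tokens.
    # The Snort /.../smi delimiters and flags are dropped, the pattern is braced so
    # Tcl keeps the backslash, and because Tcl regex bounds stop at 255 the count
    # is written as 5 x 200.
    if { [HTTP::payload] matches_regex {(?:(?:\w*[&=]){200}){5}} } {
        log local0.alert "Microsoft Security Advisory (2659883) IP Address [IP::client_addr]:[TCP::client_port] requested [HTTP::uri]"
    }
}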

Thanks,

Peter
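
A way to check what the signature in the post above actually counts, as an added example that is not part of the original post or of F5's or Microsoft's code: it applies the quoted pcre with Python's `re` module (not the iRule's Tcl engine) to constructed form bodies. The function names and sample bodies are assumptions made for illustration.

```python
import re

# Microsoft's Snort pcre as quoted in the post, applied to raw bytes.
SIGNATURE = re.compile(rb"(\w*(&|=)){1000,}", re.S | re.M | re.I)
# Same token without the bound, used to measure the runs a body contains.
RUN = re.compile(rb"(?:\w*[&=])+")

def signature_hits(body):
    """True when the body would trigger the signature."""
    return SIGNATURE.search(body) is not None

def longest_run(body):
    """Largest number of consecutive \\w*(&|=) tokens found in the body."""
    runs = (m.group().count(b"&") + m.group().count(b"=")
            for m in RUN.finditer(body))
    return max(runs, default=0)

def parameter_count(body):
    """Number of non-empty '&'-separated fields in a form-encoded body."""
    return sum(1 for field in body.split(b"&") if field)

def form_body(n):
    """Constructed sample: n key=value pairs with alphanumeric names."""
    return b"&".join(b"k%d=v" % i for i in range(n))

# Constructed sample bodies, not captured traffic.
SAMPLES = {
    "login form": b"user=alice&password=secret&remember=1",
    "500 pairs": form_body(500),
    "501 pairs": form_body(501),
    "1001 bare keys": b"&".join(b"k%d" % i for i in range(1001)),
}

def report():
    """Map sample name -> (signature hit, longest token run, parameter count)."""
    return {name: (signature_hits(b), longest_run(b), parameter_count(b))
            for name, b in SAMPLES.items()}

if __name__ == "__main__":
    for name, row in report().items():
        print("%-16s hit=%-5s run=%-5d params=%d" % ((name,) + row))
```

Each key=value pair contributes two delimiters, so the signature fires at 501 pairs rather than at 1000 parameters. Logging the run length or parameter count alongside the alert makes it easier to tune the threshold against legitimate large forms.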

 

  • Hi Beinhard,

    That looks about right. You might want to check only the path instead of the full URI in the Uri_Parameters_Allowed data group.

    Aaron