Forum Discussion
Wizdem_38762
Dec 29, 2011Nimbostratus
iRule to log for Microsoft Security Advisory (2659883) Vulnerability in ASP.NET Could Allow Denial of Service?
Hi,
Based on Microsoft's snort signature:
http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx
Please comment on or verify the following iRule:
This irule checks for HTTP POST, that contains "application/x-www-form-urlencoded"
Then it collects the HTTP payload data and tries to matches it with Microsoft's snort signature
Logs the local.alert , client IP and Port and HTTP uri
when HTTP_REQUEST {
if { [HTTP::method] equals "POST" }{
set clength 0
if {[HTTP::header exists "Content-Length"] && [HTTP::header Content-Length] 0 && [HTTP::header Content-Type] contains "application/x-www-form-urlencoded"}{
set clength [HTTP::header Content-Length] }
else {
set clength 1048576
}
if { [info exists clength] && $clength > 0} { HTTP::collect $clength }
}
}
when HTTP_REQUEST_DATA {
if {[HTTP::payload] matches_regex "/(\w*(&|=)){1000,}/smi"} {
log local0.alert "Microsoft Security Advisory (2659883) IP Address [IP::client_addr]:[TCP::client_port] \ requested [HTTP::uri]" }
}
Thanks,
Peter
- hooleylistCirrostratusHi Beinhard,
- Simon_Kowallik1Historic F5 AccountHi, I wrote a more advanced protection iRule for Hash collision based DoS attacks through HTTP POSTs. Take a look if you can't limit your HTTP POSTs for your Web Applications.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects