Irule with regex filtering migrate from netscaler

Question

Hi,&nbsp;
On Netscaler migration I come to a rule that could not solve. &nbsp;
On netscaler responder rules there is a drop rule related with this regexp line. I wonder how can i write this on f5 irule. &nbsp;
Netscaler Rule
HTTP.REQ.URL.PATH_AND_QUERY.AFTER_REGEX(re/\?/).BEFORE_REGEX(re/:/).REGEX_MATCH(re/(action$|redirect$|redirectAction$)/)&nbsp;
Can anyone help me to write this as F5 irule. &nbsp;
Thanks friends.&nbsp;

maximillean_953 · Answer

api drop rce

when HTTP_REQUEST {
    if {
      ([HTTP::query] starts_with "action:") ||
      ([HTTP::query] starts_with "redirect:") ||
      ([HTTP::query] starts_with "redirectAction:") 
      } then {
reject
    }
  }

I try this one but it does not work.

vitaliy_savrans · Answer

Hi,
you can try to use this one (log is optional):
when HTTP_REQUEST {
if {[HTTP::uri] contains "action"  or [HTTP::uri] contains "redirect" or [HTTP::uri] contains "redirectAction"} {
log local0. "Query string of URI is [HTTP::uri]"
reject
}
}

maximillean_953 · Answer

No we are not looking for contains. Cause. It can pass first quest with redirect1: but can not be redirect: or redirect: word can pass later of the url. &nbsp;
I wrote a polict with starts_with and all solved for now.&nbsp;

kevin_stewart · Answer

If you break it down like this:
HTTP.
    REQ.
        URL.
            PATH_AND_QUERY.
                AFTER_REGEX(re/\?/).
                BEFORE_REGEX(re/:/).
                REGEX_MATCH(re/(action$|redirect$|redirectAction$)/)

And based on this reference:
http://support.citrix.com/proddocs/topic/netscaler-policy-configuration-93-map/ns-regex-operations-con.html
I think what it's basically saying is this:
Start with the full HTTP request URI (path, query string, and all)From that, return the string that is after the question mark (?)From that, return the string that is before the colon (:)And if the resulting string ends with ($) "action", or "redirect", or "redirectAction", then drop the request.
So then the resulting iRule might look like this:
when HTTP_REQUEST {
    if { [regexp -all {(action|redirectaction|redirect)} [string tolower [findstr [HTTP::uri] "?" 1 ":"]]] &gt; 0 } {
        drop
    }
}

Or, if you wanted to avoid the regex:
when HTTP_REQUEST {
    if { ( [string tolower [findstr [HTTP::uri] "?" 1 ":"]] ends_with "action" ) or ( [string tolower [findstr [HTTP::uri] "?" 1 ":"]] ends_with "redirect" ) or ( [string tolower [findstr [HTTP::uri] "?" 1 ":"]] ends_with "redirectaction" ) } {
        drop
    }        
}

Or:
when HTTP_REQUEST {
    switch -glob [string tolower [findstr [HTTP::uri] "?" 1 ":"]] {
        "*action" -
        "*redirect" -
        "*redirectaction" {
            drop
        }
        default {
            return
        }
    }
}

maximillean_953 · Answer

Thanks alot. Perfectly worked. I solved it with writing policy rather then i rule. Now i am going to remove policy i wrote and apply this irule. &nbsp;
be well and take care Kevin.&nbsp;

Forum Discussion

Irule with regex filtering migrate from netscaler

Recent Discussions

APM webtop customization header message

Installing a PKCS 12 File onto an F5 Device

Irule to allow specific IPs

Uploading SKCS 12 File to F5 Device

F5 not Identifying Parameter in Text/Plain Upload

Related Content

Help with Migrating Netscaler Rewrite Policy to F5 LTM

VMware to Red Hat OpenShift Virtualization Migration

Citrix Netscaler to F5 BIG-IP

Getting Started with BIG-IP Next: Migrating an Application Workload

F5 Distributed Cloud Customer Edge Migration Centos to RHEL