
Forum Discussion

maximillean_953
Jul 08, 2014

iRule with regex filtering: migrate from NetScaler

Hi,

 

During a NetScaler migration I came to a rule that I could not solve.

 

In the NetScaler responder rules there is a drop rule related to this regexp line. I wonder how I can write this as an F5 iRule.

 

NetScaler rule:

    HTTP.REQ.URL.PATH_AND_QUERY.AFTER_REGEX(re/\?/).BEFORE_REGEX(re/:/).REGEX_MATCH(re/(action$|redirect$|redirectAction$)/)

 

Can anyone help me write this as an F5 iRule?

 

Thanks friends.

 

5 Replies

  •  api drop rce 
    
    when HTTP_REQUEST {
        if {
            ([HTTP::query] starts_with "action:") ||
            ([HTTP::query] starts_with "redirect:") ||
            ([HTTP::query] starts_with "redirectAction:")
        } then {
            reject
        }
    }
    

    I tried this one but it does not work.

  • Hi,

    you can try to use this one (log is optional):

    when HTTP_REQUEST {
        if { [HTTP::uri] contains "action" or [HTTP::uri] contains "redirect" or [HTTP::uri] contains "redirectAction" } {
            log local0. "Query string of URI is [HTTP::uri]"
            reject
        }
    }
    
  • No, we are not looking for contains, because it can pass the first request with redirect1: but it cannot be redirect:, or the redirect: word can pass later in the URL.

     

    I wrote a policy with starts_with and all is solved for now.

     

  • If you break it down like this:

    HTTP.
        REQ.
            URL.
                PATH_AND_QUERY.
                    AFTER_REGEX(re/\?/).
                    BEFORE_REGEX(re/:/).
                    REGEX_MATCH(re/(action$|redirect$|redirectAction$)/)
    

    And based on this reference:

    http://support.citrix.com/proddocs/topic/netscaler-policy-configuration-93-map/ns-regex-operations-con.html

    I think what it's basically saying is this:

    1. Start with the full HTTP request URI (path, query string, and all)
    2. From that, return the string that is after the question mark (?)
    3. From that, return the string that is before the colon (:)
    4. And if the resulting string ends with ($) "action", or "redirect", or "redirectAction", then drop the request.

    So then the resulting iRule might look like this:

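    when HTTP_REQUEST {
        # The text between "?" and the first ":" (lowercased) must END with a keyword,
        # so the pattern is anchored with $ to match step 4 above.
        if { [regexp -all {(action|redirectaction|redirect)$} [string tolower [findstr [HTTP::uri] "?" 1 ":"]]] > 0 } {
            drop
        }
    }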
    

    Or, if you wanted to avoid the regex:

    when HTTP_REQUEST {
        if { ( [string tolower [findstr [HTTP::uri] "?" 1 ":"]] ends_with "action" ) or ( [string tolower [findstr [HTTP::uri] "?" 1 ":"]] ends_with "redirect" ) or ( [string tolower [findstr [HTTP::uri] "?" 1 ":"]] ends_with "redirectaction" ) } {
            drop
        }        
    }
    

    Or:

    when HTTP_REQUEST {
        switch -glob [string tolower [findstr [HTTP::uri] "?" 1 ":"]] {
            "*action" -
            "*redirect" -
            "*redirectaction" {
                drop
            }
            default {
                return
            }
        }
    }    
    
  • Thanks a lot. It worked perfectly. I solved it by writing a policy rather than an iRule. Now I am going to remove the policy I wrote and apply this iRule.

     

    Be well and take care, Kevin.
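
A small Python model of the predicates posted in this thread, added here as an example (not code from any poster or from F5), for checking constructed URIs offline before an iRule is deployed. `findstr` is a simplified model of the iRules command (string terminator only), `colon_required_rule` is a hypothetical stricter variant, and every sample URI is constructed.

```python
def findstr(s, search, skip=0, term=None):
    """Simplified model of iRules findstr with a string terminator: the text
    starting `skip` chars into the first match of `search`, cut at `term` if
    it occurs, otherwise running to the end of the string."""
    i = s.find(search)
    if i < 0:
        return ""
    rest = s[i + skip:]
    j = rest.find(term) if term else -1
    return rest[:j] if j >= 0 else rest

KEYWORDS = ("action", "redirect", "redirectaction")

def query(uri):
    return uri.partition("?")[2]            # stands in for [HTTP::query]

def starts_with_rule(uri):                  # first reply: starts_with on the query
    return query(uri).startswith(("action:", "redirect:", "redirectAction:"))

def contains_rule(uri):                     # second reply: contains on the URI
    return any(k in uri for k in ("action", "redirect", "redirectAction"))

def findstr_rule(uri):                      # ends_with / switch -glob variants
    return findstr(uri, "?", 1, ":").lower().endswith(KEYWORDS)

def colon_required_rule(uri):               # hypothetical: a ":" must be present
    head, colon, _ = query(uri).partition(":")
    return bool(colon) and head.lower().endswith(KEYWORDS)

RULES = (starts_with_rule, contains_rule, findstr_rule, colon_required_rule)

# Constructed sample URIs; "abc" is a placeholder value.
SAMPLES = [
    "/app/login.do?action:abc",
    "/app/login.do?id=1&redirect:abc",
    "/app/login.do?redirect1:abc",
    "/shop/transactions?page=2",
    "/shop/list?sort=action",
]

def evaluate(uri):
    """Return (starts_with, contains, findstr, colon_required) drop decisions."""
    return tuple(rule(uri) for rule in RULES)

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:34}", *("drop" if hit else "pass" for hit in evaluate(uri)))
```

The last sample is dropped by the `findstr` variants because, in this model, `findstr` runs to the end of the string when no `:` is present. The page does not say whether the NetScaler expression matches in that case.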