For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jamesdris's avatar
jamesdris
Icon for Nimbostratus rankNimbostratus
Nov 24, 2015

match regex in payload

iam trying to write a rule to search for a regex for any URL in HTTP::payload, this is what i am using:

 

when HTTP_REQUEST_DATA { if { [HTTP::payload] matches_regex {[(https?|ftp):\/\/..]} } { HTTP::respond 403 } }

 

But looks like this rule is matching anything in the payload whether URL or not. Any ideas would help.

 

application delivery
BIG-IP
iRules

2 Replies

  • pete_71470's avatar
    pete_71470
    Icon for Cirrostratus rankCirrostratus
    Nov 24, 2015

    The [] pair in a regex matches any single character inside the brackets. So in your example a match is found if the payload contains (, h, t, p, s, etc. Try omitting the square brackets:

    [HTTP::payload] matches_regex { (https?|ftp):\/\/.. }
  • jamesdris's avatar
    jamesdris
    Icon for Nimbostratus rankNimbostratus
    Nov 24, 2015

    I am also trying to allow some URLs but block all other URLs in the payload, i think datagroup is not possible as regex can't be used in a datagroup. Is there anyother way to achieve this?