For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Sigkill_9__8483's avatar
Sigkill_9__8483
Icon for Nimbostratus rankNimbostratus
Apr 08, 2013

Mime Type Content Detection

Is there a way in 10+ to detect a files mime type based on the files content? File extensions can be changed so that is an unreliable solution. Thanks in advance.  
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Apr 08, 2013
Hi,

 

 

BIG-IP ASM can block binary executables in 11.1+ using the magic number of the file.

 

 

https://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnote-asm-11-1-0.html

 

Detect File Upload Contents

 

ASM can now detect and block users from uploading binary executable content in a parameter’s value.

 

The default for this option is ON for newly created "File Upload" parameters, and this option is OFF for upgraded and imported security policies from previous versions. To change the configuration of this option, navigate to the Parameter Properties screen, set Parameter Value Type to User-input value and Data Type to File Upload, and then enable or disable the Disallow File Upload of Executables setting.

 

The User-input parameter Data Type that was called Binary (Length checks only) is renamed to File Upload.

 

We added a violation, Disallowed File Upload Content Detected that is generated when the system detects a file upload of an executable. From this violation’s learning screen you can allow file uploads of executables for each parameter the system detected.

 

 

Info on magic numbers for executable detection:

 

http://en.wikipedia.org/wiki/Magic_number_%28programming%29

 

http://catb.org/jargon/html/M/magic-number.html

 

 

You could potentially implement something similar in iRules but it would be complex and costly in terms of CPU/RAM resources.

 

 

Aaron