Forum Discussion
Need help with iRule to detect LOIC/HOIC client
Hi all, the latest rule I'm working on is supposed to detect a LOIC/HOIC client. The rule is supposed to look for the following in the uri query string (not case sensitive): 1) "msg" 2) "id" 3) random 6 character value
Here is what I have so far:
when HTTP_REQUEST {
    if {([string tolower [HTTP::uri]] contains "id") and ([string tolower [HTTP::uri]] contains "msg") and ([string tolower [HTTP::uri]] matches_regex{[a-zA-Z0-9$-_.+!*'(),~:/?[]@&;=]})}
    {
        log local0. "Detected LOIC/HOIC client request based on query string."
        reject
    }
}
Would someone be able to take a look at the iRule and let me know what I need to change or what I have wrong please? I'm also having a problem with setting it to a 6 character value.
Thanks!
2 Replies
- What_Lies_Bene1
Cirrostratus
I'd reduce it to this:

when HTTP_REQUEST {
    set requri [string tolower [HTTP::query]]
    if { ($requri contains "id") && ($requri contains "msg") } {
        log local0. "Detected LOIC/HOIC client request based on query string."
        reject
    }
}

I'm not quite sure about the regex. Is there any value in searching for a random six character value? Wouldn't any part of a valid query match? If so, where is it in the query string?
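
Added example (not part of either post, and not F5 code): a Python model of the matching logic, run over constructed query strings, comparing the substring test with a per-parameter test that enforces an exact length. It assumes the six-character value is the value of the id parameter and is alphanumeric; the thread does not say where it appears.

```python
import re
from urllib.parse import parse_qsl

# Assumption: the "random 6 character value" is exactly six letters or digits.
SIX_CHARS = re.compile(r"[a-z0-9]{6}")

def loose_match(query: str) -> bool:
    """Substring test, as in the reduced iRule: 'id' and 'msg' anywhere."""
    q = query.lower()
    return "id" in q and "msg" in q

def strict_match(query: str) -> bool:
    """Require parameters named exactly id and msg, and (assumption) an id
    value that is six alphanumerics, no more and no fewer."""
    params = {}
    for name, value in parse_qsl(query.lower(), keep_blank_values=True):
        params.setdefault(name, value)  # first occurrence of a name wins
    if "id" not in params or "msg" not in params:
        return False
    # fullmatch anchors both ends, so the length is enforced.
    return SIX_CHARS.fullmatch(params["id"]) is not None

# Constructed sample query strings, not captured traffic.
SAMPLES = [
    "id=a1b2c3&msg=hello",     # both names, six-character id
    "ID=A1B2C3&MSG=Hello",     # same, upper case
    "video=12&msgtype=text",   # 'id' and 'msg' only as substrings
    "id=1234567&msg=hello",    # id value is seven characters
    "width=100&page=2",        # 'id' inside 'width', no msg
]

def compare(samples):
    """Return (query, loose result, strict result) for each sample."""
    return [(q, loose_match(q), strict_match(q)) for q in samples]

if __name__ == "__main__":
    for q, loose, strict in compare(SAMPLES):
        print(f"{q:26} loose={loose!s:5} strict={strict}")
```

The third and fourth samples are the ones to watch: the substring test flags both, while the per-parameter test flags neither.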
- Kevin_Stewart
Employee
You also mentioned in another post that you were cutting over to ASM and writing these iRules to emulate signatures in your current product. I would venture two things then:
- While it may not be called "LOIC" in the ASM signature database, I'm certain that the effects of this exploit are detected.
- It might make more sense to create custom ASM signatures instead of individual iRules.