Forum Discussion
Regex in iRule
I'm making a rule to catch bad code being in HTTP POST.
For some reason we have some sites trying to do some sort of XSS attack, but posting URL strings in the POST and then they get a 500 error. I'm trying to write a rule but can't get it sorted out.
when RULE_INIT {
    set ::vDebug 1
}
when HTTP_REQUEST {
    if { [HTTP::query] matches_regex {<[a-zA-Z!]} } {
        if { $::vDebug } {
            log local0. "Triggered by IP [IP::client_addr] with URI [HTTP::uri]"
        }
        reject
    }
}
Not sure if I'm even in the right ballpark on this one, I just want to catch in HTTP POST, not every connection.
Please see below for possible samples:
"
"
"
Thanks
- Mohamed_Lrhazi
Altocumulus
If you're asking how do I detect POST, then the answer is: https://devcentral.f5.com/wiki/iRules.http__method.ashx
- Kevin_Stewart
Employee
Here's a rough example:
when HTTP_REQUEST {
    if { [HTTP::method] equals "POST" } {
        log local0. "query = [URI::decode [HTTP::query]]"
        if { [string match -nocase {*<[a-zA-Z!]*} [URI::decode [HTTP::query]]] } {
            log local0. "Gotcha!"
            reject
        }
    }
}
- F5Hopper_28651
Nimbostratus
OK thanks, I will check that out and post if that worked.
- F5Hopper_28651
Nimbostratus
I just noticed that my samples didn't show in my main post. I'm looking for samples in attached TXT file.
- Brian_69413
Nimbostratus
Your session is probably still tied to the old version of the iRule
- Kevin_Stewart
Employee
Your queries don't appear to have any of the characters you're looking for. How are you testing/posting?
- F5Hopper_28651
Nimbostratus
I had my DEV guys generate the Regex.... I don't know it at all... I do know that the website gets hit every 5-10min with bad HTTP POSTs that start with my samples.
- Kevin_Stewart
Employee
I'm specifically asking how you're testing the iRule. You wouldn't be able to just send a greater-than sign in the URI without encoding it, and the "Step" examples don't contain any greater-than signs.
- F5Hopper_28651
Nimbostratus
I was really just waiting on the bad traffic to hit me and see what comes up.
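
The two points raised in the replies above (restrict the check to POST, and decode before matching because special characters arrive percent-encoded) combined into one iRule and extended to the request body as well as the query string. This is an added example, not code from any poster in this thread; the `max_collect` cap and the log wording are assumptions.

```tcl
# Added example, not code from the thread.
# Assumption: max_collect (1 MB) is an arbitrary inspection cap.
when HTTP_REQUEST {
    # Inspect POST requests only; other methods pass through untouched.
    if { [HTTP::method] ne "POST" } { return }

    # Decode first: special characters arrive percent-encoded, so the raw
    # query string does not contain the literal "<" the regex looks for.
    if { [URI::decode [HTTP::query]] matches_regex {<[a-zA-Z!]} } {
        log local0. "POST query match from [IP::client_addr], URI [HTTP::uri]"
        reject
        return
    }

    # Ask for the request body so HTTP_REQUEST_DATA can check it.
    set max_collect 1048576
    set len [HTTP::header value "Content-Length"]
    if { [string is integer -strict $len] && $len > 0 } {
        if { $len > $max_collect } { set len $max_collect }
        HTTP::collect $len
    }
}

when HTTP_REQUEST_DATA {
    # Form-encoded bodies are percent-encoded too, so decode before matching.
    if { [URI::decode [HTTP::payload]] matches_regex {<[a-zA-Z!]} } {
        log local0. "POST body match from [IP::client_addr], URI [HTTP::uri]"
        reject
        return
    }
    # Nothing matched: hand the collected body on to the pool member.
    HTTP::release
}
```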