Forum Discussion
abhinay
Nimbostratus
NimbostratusRequest for providing help on setting up an iRule
Hi All, Can you please let me know how can I accomplish the below requirement with an iRule. Any requests that use any method and have "cs.exe" or "llisapi.dll" in the URI and also have a query str...
abhinay please share how you test in postman.
I've tried and it works if the POST body is raw type and looks like this : fInArgs=%3D%23
This is what rules I am using:when HTTP_REQUEST {
if { ([class match [HTTP::uri] contains example_uri_1]) and ( [HTTP::query] contains "%3D%23") }{
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
log local0. "deny URI: [HTTP::uri] query:[HTTP::query]"
}
if {[HTTP::method] eq "POST"}{
# Trigger collection for up to 1MB of data
if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{
set content_length [HTTP::header "Content-Length"]
} else {
set content_length 1048576
}
# Check if $content_length is not set to 0
if { $content_length > 0} {
HTTP::collect $content_length
}
}
}
when HTTP_REQUEST_DATA {
if { [HTTP::method] equals "POST" }{
# Extract the entire HTTP request body and escape it to become a HTTP::uri string (for easier parsings)
set http_request_body "?[HTTP::payload]"
log local0. "http payload: $http_request_body"
# Try to parse type value from the HTTP request body.
if { [URI::query $http_request_body fInArgs] equals "%3D%23" } {
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
} }
}if you use application/x-www-form-urlencoded you will have to match this "%253D%2523"
if { [URI::query $http_request_body fInArgs] equals "%253D%2523" } {
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
}or use URI::decode :
if { [URI::decode [URI::query $http_request_body fInArgs]] equals "%3D%23" } {
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
}and if it is a form-data:
set varB [findstr [HTTP::payload] "fInArgs"]
if { $varB contains "%3D%23" } {
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
}I noticed from other comments in this thread that variable name is fInArgs with an uppercase "i".
Variable name in my code has a lowercase "L" -- I must have read that wrong before. If you just copy/pasted and didn't fix it, it might not match because of this.
Otherwise, I'd expect it to work -- it does in my lab.
mihaic
MVP
MVPMohamed_Ahmed_Kansoh is right, we need to remove "string tolower" part.
I only tested that the syntax is ok. The functionality, no. Did not have time yet.
Here is the irule with the variable also:(not functional tested):
ltm data-group internal example_uri_1 {
records {
cs.exe { }
llisapi.dll { }
}
type string
}
when HTTP_REQUEST {
if { ([matchclass [string tolower [HTTP::uri]] contains example_uri_1]) and ( [HTTP::query] contains "%3D%23") }{
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
}
}
when HTTP_REQUEST_DATA {
if { [HTTP::method] equals "POST" }{
# Extract the entire HTTP request body and escape it to become a HTTP::uri string (for easier parsings)
set http_request_body "?[HTTP::payload [HTTP::header value "Content-Length"]]"
# Try to parse type value from the HTTP request body.
if { [URI::decode [URI::query $request_body fInArgs]] equals "%3D%23" } {
log local0. "fInArgs : $fInArgs"
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
}
}
}
abhinayNimbostratus
Nimbostratusmihaic, URI along with query that contains "%3D%23" combination is working but the below payload with the body that contains %3D%23 doesnt seem to work. As we are decoding the query I tried "=#" too but no luck.
Any suggestions would be appreaciated
when HTTP_REQUEST_DATA {
if { [HTTP::method] equals "POST" }{
# Extract the entire HTTP request body and escape it to become a HTTP::uri string (for easier parsings)
set http_request_body "?[HTTP::payload [HTTP::header value "Content-Length"]]"
# Try to parse type value from the HTTP request body.
if { [URI::decode [URI::query $request_body fInArgs]] equals "%3D%23" } {
log local0. "fInArgs : $fInArgs"
HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
}
}
}
CA_ValliI'm noticing this code is missing an HTTP::collect statement, so HTTP_REQUEST_DATA event will never be fired.
abhinay Have you checked my other response yet?- abhinay
hi CA_Valli, I did check your response and tried to implement it but was getting syntax errors. I think a } bracket and ] bracket were missing. Added it but still getting the error. I will have to check the syntax once.
Also there are 2 requirements.
1. URI contains cs.exe or llisapi.dll in the URI and query contains "%3D%23" - This is working
2. Request body value "fInArgs" which contains "%3D%23" - This is not working
Do you have any suggestions please.?