Jason,
Not sure if you're monitoring this, but the following seems like a solution without using regex:
when HTTP_REQUEST {
    if { [HTTP::header exists "Range"] } {
        # Count the comma-separated byte ranges in the Range header.
        # Note: the split characters are a separate argument; a comma
        # glued to the closing bracket would be appended to the header
        # value and inflate the count by one.
        set tot_ranges [llength [split [HTTP::header "Range"] ","]]
        if { $tot_ranges >= 40 } {
            log local0. "Range attack CVE-2011-3192 detected from [IP::client_addr] on Host [HTTP::host]. $tot_ranges ranges requested."
            HTTP::header remove Range
            drop
        }
        return
    }
}
Seems to provide the same results on my LTM VE. Not sure what the performance benefit looks like.
James Denton
james.denton@rackspace.com
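The same counting check written as a stand-alone Python script, so it can be run against captured requests or logs off the box. This is an added example, not James Denton's iRule nor F5 code; the sample requests are constructed, the threshold of 40 mirrors the iRule, and the check also covers the Request-Range header (which the Apache advisory for CVE-2011-3192 lists alongside Range). Unlike a plain split on commas, it ignores empty elements such as a trailing comma, so a malformed header does not change the count.

```python
"""Count the byte ranges requested in Range / Request-Range headers and flag
requests at or above the iRule's threshold (CVE-2011-3192 detection).
Added example; sample requests below are constructed."""

import re

THRESHOLD = 40  # same cut-off as the iRule above (assumption: tune per site)
RANGE_HEADERS = ("range", "request-range")  # header names checked

# One byte-range spec: "first-last", "first-" or "-suffix", whitespace tolerated
_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def count_ranges(header_value):
    """Return the number of well-formed byte-range specs in a header value.
    Empty elements (e.g. from a trailing comma) are not counted."""
    unit, _, specs = header_value.strip().partition("=")
    if unit.strip().lower() != "bytes":
        return 0
    n = 0
    for spec in specs.split(","):
        m = _RANGE_SPEC.match(spec)
        if m and (m.group(1) or m.group(2)):
            n += 1
    return n


def parse_headers(raw_request):
    """Parse the header block of a raw HTTP request into a lowercase-keyed dict."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_request(raw_request):
    """Return (suspicious, header_name, range_count) for the header with the
    most ranges; header_name is None when no range header is present."""
    headers = parse_headers(raw_request)
    worst = (False, None, 0)
    for name in RANGE_HEADERS:
        if name in headers:
            n = count_ranges(headers[name])
            if n > worst[2]:
                worst = (n >= THRESHOLD, name, n)
    return worst


# Constructed sample requests
NORMAL = "GET /file.iso HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes=0-1023\r\n\r\n"
MANY = ("GET / HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes="
        + ",".join(f"{i}-{i}" for i in range(50)) + "\r\n\r\n")
TRAILING = "GET / HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes=0-0,1-1,\r\n\r\n"

if __name__ == "__main__":
    for req in (NORMAL, MANY, TRAILING):
        print(check_request(req))
```

The threshold is deliberately the same as in the iRule; what the script adds is a parser that counts only valid range specs, so the decision is made on what the server would actually process rather than on raw comma count.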