Forum Discussion
AaronJB
Feb 23, 2016, SIRT
I think the problem is you've enclosed the expression operators with brackets () rather than braces {}; this should work:

    when HTTP_REQUEST {
        if {
            {
                [HTTP::header value "User-Agent"] contains "Mozilla"
                || [HTTP::header value "User-Agent"] contains "Opera"
            }
            && [string tolower [HTTP::uri]] matches_regex {restservicestest}
            && { not [HTTP::cookie names] contains ".test" }
        } then {
            reject
            log local0. "Client browser trying to connect to REST Host:[HTTP::host]; URI = [HTTP::uri] No SSO Cookie Detected, Client IP:[IP::client_addr] has been blocked"
        }
    }

- Eric_Weiss_2486, Feb 23, 2016, Nimbostratus

Hello Aaron, many thanks for your suggestion. This worked better, although the HTTP::cookie names doesn't seem to be matching on contains '.fb'. In the following example, I'm wondering if there's a way to check for '.fb' inside any cookie?

    when HTTP_REQUEST {
        if {
            [HTTP::header value "User-Agent"] contains "Mozilla"
            || [HTTP::header value "User-Agent"] contains "Opera"
            && { not [HTTP::cookie names] contains ".fb" }
            && [string tolower [HTTP::uri]] matches_regex {restservicesintstest}
        } then {
            reject
            log local0. "Client browser trying to connect to REST Host:[HTTP::host]; URI=[HTTP::uri]"
            log local0. "No SSO Cookie Detected, Client IP:[IP::client_addr] has been blocked"
        }
    }

    Feb 23 09:21:52 lb01 info tmm1[15541]: Rule /Common/SecAuthREST-IntS-Test : Client browser trying to connect to REST Host:fb1restservicesintstest.fb; URI=/communication/notifications/isAlive
    Feb 23 09:21:52 lb01 info tmm1[15541]: Rule /Common/SecAuthREST-IntS-Test : No SSO Cookie Detected, Client IP:10.0.22.218 has been blocked

- Eric_Weiss_2486, Feb 23, 2016, Nimbostratus

I'm not seeing a way to check the contents of all cookies for '.fb'. I suspect that the reason { not [HTTP::cookie names] contains ".fb" } isn't working is that Windows desktop obscures the cookie names. If you view cookie files in Internet Explorer options, it shows all the cookie names ending in .fb. When I look locally on the filesystem, under Windows temp, I'm seeing all of those renamed cryptically, with .txt on the end. Due to that, I need to check the contents of cookies themselves for .fb.
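
One way to test every cookie's name and value for '.fb' in an iRule, as an added example that is not part of the posts above. The Cookie request header carries only name=value pairs (no Domain attribute), so names and values are all the BIG-IP can inspect; the variables `ua`, `marker` and `found` are illustrative, and parentheses group the User-Agent test because && binds tighter than || in a Tcl expression.

```tcl
when HTTP_REQUEST {
    # Both the User-Agent and the cookies are client-supplied, so this is a
    # request filter, not an authentication check.
    set ua [HTTP::header value "User-Agent"]

    # Only browser-like clients are subject to the cookie requirement.
    if { !(($ua contains "Mozilla") || ($ua contains "Opera")) } {
        return
    }

    # URI test kept as posted in the thread. Note that in the logged request
    # above the string appears in the Host, not in the URI.
    if { !([string tolower [HTTP::uri]] matches_regex {restservicesintstest}) } {
        return
    }

    set marker ".fb"   ;# marker string taken from the thread
    set found 0

    # Walk every cookie the client sent and test both its name and its value.
    foreach name [HTTP::cookie names] {
        if { ($name contains $marker) || ([HTTP::cookie value $name] contains $marker) } {
            set found 1
            break
        }
    }

    if { !$found } {
        log local0. "Client browser trying to connect to REST Host:[HTTP::host]; URI=[HTTP::uri]"
        log local0. "No SSO Cookie Detected, Client IP:[IP::client_addr] has been blocked"
        reject
    }
}
```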