Forum Discussion
AaronJB
SIRT
I think the problem is you've enclosed the expression operators with brackets () rather than braces {}; this should work:
when HTTP_REQUEST {
    if {
        {
            [HTTP::header value "User-Agent"] contains "Mozilla"
            || [HTTP::header value "User-Agent"] contains "Opera"
        }
        && [string tolower [HTTP::uri]] matches_regex {restservicestest}
        && { not [HTTP::cookie names] contains ".test" }
    } then {
        reject
        log local0. "Client browser trying to connect to REST Host:[HTTP::host]; URI = [HTTP::uri] No SSO Cookie Detected, Client IP:[IP::client_addr] has been blocked"
    }
}
Eric_Weiss_2486
Feb 23, 2016
Nimbostratus
Hello Aaron, many thanks for your suggestion. This worked better, although the HTTP::cookie names doesn't seem to be matching on contains '.fb'. In the following example, I'm wondering if there's a way to check for '.fb' inside any cookie?
when HTTP_REQUEST {
    if {
        [HTTP::header value "User-Agent"] contains "Mozilla"
        || [HTTP::header value "User-Agent"] contains "Opera"
        && { not [HTTP::cookie names] contains ".fb" }
        && [string tolower [HTTP::uri]] matches_regex {restservicesintstest}
    } then {
        reject
        log local0. "Client browser trying to connect to REST Host:[HTTP::host]; URI=[HTTP::uri]"
        log local0. "No SSO Cookie Detected, Client IP:[IP::client_addr] has been blocked"
    }
}
Feb 23 09:21:52 lb01 info tmm1[15541]: Rule /Common/SecAuthREST-IntS-Test : Client browser trying to connect to REST Host:fb1restservicesintstest.fb; URI=/communication/notifications/isAlive
Feb 23 09:21:52 lb01 info tmm1[15541]: Rule /Common/SecAuthREST-IntS-Test : No SSO Cookie Detected, Client IP:10.0.22.218 has been blocked
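
An added example, not part of either post: one way to check for '.fb' inside any cookie is to walk the cookie names and test each name and value. It assumes the SSO marker may appear in either the name or the value (the thread does not say which); the variables `ua` and `sso_cookie_found` are illustrative names. The User-Agent alternatives are grouped with parentheses because in a Tcl expression `&&` binds tighter than `||`.

```tcl
# Added example, not the posters' code.
# Assumption: an SSO cookie is recognised by ".fb" in its name or its value.
when HTTP_REQUEST {
    set ua [HTTP::header value "User-Agent"]

    # Walk every cookie on the request and stop at the first one that
    # carries the marker, instead of testing the name list as one string.
    set sso_cookie_found 0
    foreach name [HTTP::cookie names] {
        if { ($name contains ".fb") || ([HTTP::cookie value $name] contains ".fb") } {
            set sso_cookie_found 1
            break
        }
    }

    # Parentheses group sub-expressions. Without the outer group around the
    # two User-Agent tests, "A || B && C && D" is evaluated as
    # "A || (B && C && D)", so a Mozilla client would match regardless of
    # the URI and cookie conditions.
    if { (($ua contains "Mozilla") || ($ua contains "Opera"))
         && ([string tolower [HTTP::uri]] matches_regex {restservicesintstest})
         && !$sso_cookie_found } {
        log local0. "Client browser trying to connect to REST Host:[HTTP::host]; URI=[HTTP::uri]"
        log local0. "No SSO Cookie Detected, Client IP:[IP::client_addr] has been blocked"
        reject
    }
}
```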