Forum Discussion
AaronJB
SIRT
I think the problem is you've enclosed the expression operators with brackets () rather than braces {}, this should work:
when HTTP_REQUEST {
if {
{
[HTTP::header value "User-Agent"] contains "Mozilla"
|| [HTTP::header value "User-Agent"] contains "Opera"
}
&& [string tolower [HTTP::uri]] matches_regex {restservicestest}
&& { not [HTTP::cookie names] contains ".test" }
} then {
reject
log local0. "Client browser trying to connect to REST Host:[HTTP::host]; URI = [HTTP::uri] No SSO Cookie Detected, Client IP:[IP::client_addr] has been blocked"
}
}
Eric_Weiss_2486
Feb 23, 2016Nimbostratus
I'm not seeing a way to check the contents of all cookies for '.fb'. I suspect that the reason { not [HTTP::cookie names] contains ".fb" } isn't working is that Windows desktop obscures the cookie names. If you view cookie files in Internet Explorer options, it shows all the cookie names ending in .fb. When I look locally on the filesystem, under Windows temp, I'm seeing all of those renamed cryptically, with .txt on the end. Due to that, I need to check the contents of cookies themselves for .fb