Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

iRule to Filter Against bad URI's & Invalid Methods

Hello There

I would like to offer up to the forum an iRule that I created (read patched together) to help protect the webservers from certain hack attempts.

Even though I have methods to prevent these types of attacks at the webserver I wanted to offload the function (and logging) to the F5's as webservers have enough todo.

Using examples from this forum, I wanted it to be able to not only protect against flat like for like key words I wanted to protect against URI encoding and CaSe. So far I haven't managed to trick it,

So I thought it time to give it over to you guys for you guys to test it and let me know what you think.

If you think it could be improved re written etc then please say so

Best Regards

Gary

bigpipe class bad_uris { \"cmd.exe\" \"root.exe\" \"admin.dll\" }
bigpipe class valid_methods { \"GET\" \"POST\" }

when HTTP_REQUEST {
#log local0. "HTTP Method: [HTTP::method]"
#log local0. "HTTP Uri: [HTTP::uri]"
if { [matchclass [URI::decode [string tolower [HTTP::uri]]] contains $::bad_uris] } {
#log local0. "HTTP Uri is bad, discarding..."
discard
} elseif { not [matchclass [string toupper [HTTP::method]] equals $::valid_methods] } {
#log local0. "HTTP Method not found in valid_methods list, rejecting..."
reject
} else {
#log local0. "HTTP method found in valid_method list
}
}

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Looking good Gary!

Thanks for posting this back to the forums, it's great to see what people are doing, and how iRules and F5 are helping them do it.

If you want to share this with the community, the best place for it is over in the CodeShare in our new iRules Wiki: Click here

Just follow the instructions at the top of that page, and you should be all set.

Thanks again,
-Colin
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Thanks for that, I have added it to the CodeShare area but I left spaces in the name and it now looks broken when listed in the code samples,

Sorry
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Thanks for the addition. I've corrected the topic name and am working on fixing the new topic sumbmissions to do this automatically.

-Joe
0