dariusz_19888
Aug 18, 2017

IRULE - if { [HTTP::uri] matches_regex...

Hello, I am trying to build an iRule which stops SQL injection - I have some problems with using regex.

Negation [^value] - https://support.f5.com/csp/article/K5917

"/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i"

"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix"

"/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I"
"/((\%3C)|<)[^\n]+((\%3E)|>)/I"

This is an example - how should I build the iRule if I would like to optimise the regex checking and reduce CPU usage?
when HTTP_REQUEST {
    # Patterns are braced so Tcl does not run [...] as command substitution.
    # (?i) replaces the /.../ix delimiters, which Tcl would match as literal text.
    # The last alternative of the first pattern is a literal '#'; an empty
    # group () would match every URI.
    if { [HTTP::uri] matches_regex {(?i)(\%27)|(\')|(\-\-)|(\%23)|(#)} } { reject }
    if { [HTTP::uri] matches_regex {(?i)\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))} } { reject }
    if { [HTTP::uri] matches_regex {(?i)((\%27)|(\'))union} } { reject }
    if { [HTTP::uri] matches_regex {(?i)exec(\s|\+)+(s|x)p\w+} } { reject }
    if { [HTTP::uri] matches_regex {(?i)((\%3D)|(=))*((\%27)|(\')|(\-\-)|(\%3B)|(;))} } { reject }
    if { [HTTP::uri] matches_regex {(?i)((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)} } { reject }
    if { [HTTP::uri] matches_regex {(?i)((\%3C)|<)[^\n]+((\%3E)|>)} } { reject }
    if { [HTTP::uri] matches_regex {(?i)((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)} } { reject }
}

BR Darek
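
An added example, not part of the original post: one way to reduce the regex work is to decode and lower-case the URI once, test the single-character cases with string commands, and keep one regex for the rest. It assumes the eight patterns in the post are the whole rule set; folding the overlapping rules together (any `'` already covers the `'or` and `'union` rules, and `<[^\n]+>` covers the two narrower tag rules) is this example's own simplification.

```tcl
when HTTP_REQUEST {
    # Normalise once: decode %XX escapes and fold to lower case, so the
    # checks below need only literal characters and no (?i) flag.
    set uri [string tolower [URI::decode [HTTP::uri]]]

    # Fast path without the regex engine: the characters ' # ; and the
    # sequence "--", which the posted rules reject on their own.
    if { [string match {*['#;]*} $uri] || [string first "--" $uri] >= 0 } {
        reject
        return
    }

    # Remaining cases in a single regex. The braces stop Tcl from
    # treating the bracket expression as command substitution.
    #   exec(\s|\+)+(s|x)p\w+   exec followed by an sp/xp procedure name
    #   <[^\n]+>                any tag, including <img ...> and </tag>
    if { [regexp {exec(\s|\+)+(s|x)p\w+|<[^\n]+>} $uri] } {
        reject
    }
}
```

Because the URI is decoded before matching, an encoded `%2D%2D` is also caught as `--`, which the posted patterns did not cover. The rules stay as broad as the originals: any URI containing `'`, `#`, `;` or `--` is rejected.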