dariusz_19888
Aug 18, 2017 Nimbostratus
IRULE - if { [HTTP::uri] matches_regex...
Hello, I am trying to build an iRule which stops SQL injection. I have some problems with using regex.
Negation [^value] - https://support.f5.com/csp/article/K5917
"/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i"
"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix"
"/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I"
"/((\%3C)|<)[^\n]+((\%3E)|>)/I"
This is an example. How should I build the iRule if I would like to optimise the regex checking and reduce CPU usage?
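when HTTP_REQUEST {
    # Patterns are braced so Tcl does not substitute [..] or \w inside them,
    # and (?i) replaces the /.../i delimiters, which Tcl would match literally.
    # The body of each if sits on the same line, as Tcl requires.
    # ', -- or #, literal or %-encoded
    if { [HTTP::uri] matches_regex {(?i)(\%27)|(\')|(\-\-)|(\%23)|(#)} } { reject }
    # ' followed by "or"
    if { [HTTP::uri] matches_regex {(?i)\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))} } { reject }
    # ' followed by "union"
    if { [HTTP::uri] matches_regex {(?i)((\%27)|(\'))union} } { reject }
    # exec of an sp_/xp_ stored procedure
    if { [HTTP::uri] matches_regex {(?i)exec(\s|\+)+(s|x)p\w+} } { reject }
    # optional = followed by ', -- or ;
    if { [HTTP::uri] matches_regex {(?i)((\%3D)|(=))*((\%27)|(\')|(\-\-)|(\%3B)|(;))} } { reject }
    # <img ...>
    if { [HTTP::uri] matches_regex {(?i)((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)} } { reject }
    # any <...>
    if { [HTTP::uri] matches_regex {(?i)((\%3C)|<)[^\n]+((\%3E)|>)} } { reject }
    # opening or closing tag
    if { [HTTP::uri] matches_regex {(?i)((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)} } { reject }
}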
BR Darek
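
One way to reduce the regex work in the iRule above, as an added example that is not part of the original post: decode the URI once, use `string match` for the single-character checks, and call the regex engine only when a cheap test says a pattern could match. It assumes the standard iRule commands `URI::decode`, `string match`, `log` and `IP::client_addr`; the log text is made up for the example.

```tcl
when HTTP_REQUEST {
    # Decode %XX escapes once, so no pattern needs the (\%27)|(\') style
    # alternatives from the post.
    set uri [URI::decode [HTTP::uri]]

    # The first check in the post already rejects any ', -- or #, which makes
    # its 'or and 'union checks redundant; the fifth check adds ; to the set.
    # A glob match handles all of them without the regex engine.
    if { [string match {*[';#]*} $uri] || [string match {*--*} $uri] } {
        log local0. "SQL metacharacter in URI from [IP::client_addr]"
        reject
        return
    }

    # exec of sp_/xp_ procedures: run the regex only when "exec" is present.
    if { [string match -nocase {*exec*} $uri] &&
         ($uri matches_regex {(?i)exec(\s|\+)+(s|x)p\w+}) } {
        log local0. "exec pattern in URI from [IP::client_addr]"
        reject
        return
    }

    # Markup: <[^\n]+> already covers the post's <img ...> and tag patterns,
    # and it cannot match without a "<", so test for that character first.
    if { [string match {*<*} $uri] && ($uri matches_regex {<[^\n]+>}) } {
        log local0. "markup in URI from [IP::client_addr]"
        reject
        return
    }
}
```

`HTTP::uri` holds only the path and query string, so request bodies are not inspected by either version. Rejecting every apostrophe also blocks legitimate values that contain one.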