match regex in payload

Question

iam trying to write a rule to search for a regex for any URL in HTTP::payload, this is what i am using:&nbsp;
when HTTP_REQUEST_DATA {
if { [HTTP::payload] matches_regex {[(https?|ftp):\/\/..]} }
{
HTTP::respond 403
}
}&nbsp;
But looks like this rule is matching anything in the payload whether URL or not.
Any ideas would help.&nbsp;

pete_71470 · Answer

The [] pair in a regex matches any single character inside the brackets.  So in your example a match is found if the payload contains (, h, t, p, s, etc.  Try omitting the square brackets:
[HTTP::payload] matches_regex { (https?|ftp):\/\/.. }

jamesdris · Answer

I am also trying to allow some URLs but block all other URLs in the payload, i think datagroup is not possible as regex can't be used in a datagroup. 
Is there anyother way to achieve this?&nbsp;

Forum Discussion

match regex in payload

2 Replies

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

Regex issue

Regex for dynamic URI

Large payload post requests aren't responding

HTTP Payload Collection

F5 Distributed Cloud - Service Policy - Header Matching Logic & Processing