Forum Discussion
Apr 12, 2011
Can you restrict a file type to a URL in ASM?
Hi,
Is there a way without an iRule to restrict certain file types to certain URLs in ASM v 10.2.0 HF1?
I want to restrict requests for static content such as css, png, jpg, pdf to the /images/ URI.
I had a look at flows (which I hardly ever use) but this doesn't seem to be possible there either.
Thanks
3 Replies
- hoolio
Cirrostratus
Hi Wire,
Here are a couple of (untested) options I can think of:
1. Create an attack signature that matches the URI and blocks anything that starts with /images/ that doesn't end with your list of static file types. Here's a regex which matches the patterns you want to allow:
^/images/.*\.(jpg|gif|css)$
So if you can negate this, it should work to block anything that doesn't start with /images/ and end with a static file type:
http://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_config_10/asm_apx_attack_sig_syntax.html
Using the not character (!) with keyword and pcre rule options
You can use the optional not character (!) before the keyword and pcre rule options. This specifies that the rule is only matched if the specified option is not matched. Refer to Syntax for attack signature rules, for more details on the use of this modifier.
2. Create another HTTP class which matches on URIs starting with /images/. In that new policy, only define the static filetypes you want to allow.
Aaron
- hoolio
Cirrostratus
Actually, the regex for 1 will block everything else that's not in images. I need to work on that a bit :). The concept is that you want to build a regex which matches a string starting with /images/ that does not end with a static filetype. Once you figure that out, you can create an attack signature which is applied to URIs. I'll try to test this more to get it working. Else, if you figure it out, please reply back.
Thanks, Aaron
- Tom_Spector_50
Historic F5 Account
Another (untested) option is to create wildcard objects for these types and restrict based on the illegal object violation.
Use /images/*.jpg and /images/*.gif and then have wildcards /*.jpg and /*.gif (ordered after the /images/ ones) so that it disallows all characters causing any other match to fail.
Thanks,
Tom.
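The regex problem hoolio describes (a plain negation of the allow pattern also blocks every URI outside /images/) can be checked offline before building a signature. The following is an added example, not code from the thread and not ASM attack-signature syntax: it uses Python's `re` as a stand-in for PCRE, assumes the pattern is applied to the URI path without the query string, and all sample paths and function names are constructed for illustration.

```python
import re

# Extension list taken from the regex quoted in the thread.
STATIC = r"\.(?:jpg|gif|css)$"

# The allow pattern from the first reply.
ALLOW = re.compile(r"^/images/.*\.(jpg|gif|css)$")

# Under /images/ but NOT ending in a static type: the lookahead is anchored
# after the prefix, so URIs outside /images/ never match this pattern.
NON_STATIC_IN_IMAGES = re.compile(r"^/images/(?!.*" + STATIC + ")")

# The other reading of the question: a static type requested outside /images/.
STATIC_OUTSIDE_IMAGES = re.compile(r"^(?!/images/).*" + STATIC)


def naive_negation_blocks(path):
    """Block whenever the allow pattern does not match (the '!' approach)."""
    return ALLOW.search(path) is None


def lookahead_blocks(path):
    """Block only the two cases the thread is actually concerned with."""
    return bool(NON_STATIC_IN_IMAGES.search(path)
                or STATIC_OUTSIDE_IMAGES.search(path))


# Constructed sample paths.
SAMPLES = [
    "/images/logo.jpg",     # static file in /images/: should pass
    "/images/upload.php",   # non-static file in /images/: should be blocked
    "/images/a.jpg.php",    # static extension not at the end: should be blocked
    "/css/site.css",        # static file outside /images/: should be blocked
    "/login.php",           # ordinary application URI: should pass
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:22} naive={naive_negation_blocks(p)!s:5} "
              f"lookahead={lookahead_blocks(p)}")
```

The patterns are case-sensitive as written, so `/images/logo.JPG` would be blocked unless a case-insensitive modifier is added.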