Don't Allow a URL containing an MS-DOS device name
Hi!
I would like to use our AX1030 and aFlex to make sure that "Microsoft ASP.NET MS-DOS Device Name DoS" requests get a 404.5 response.
"Microsoft ASP.NET MS-DOS Device Name DoS" requests have one of the following as a sequence in the URL:
AUX
CON
PRN
NUL
COM1
LPT1
LPT2
LPT3
COM2
COM3
COM4
Any suggested way to solve this in a scalable way?
Thanks!
Comments
Just create a class list containing all patterns:
!
class-list msdosdn string
str AUX
str CON
str PRN
str NUL
str COM1
str LPT1
...
!
Then you can match the URL against your class list using aFlex:
    when HTTP_REQUEST {
        if {[CLASS::match [HTTP::uri] contains msdosdn]} {
            HTTP::respond 404 content "Your request was blocked"
        }
    }
Class list matching is far more efficient than regex matching and allows updating classlist on the go without traffic impact.
Regards
My final script ended up like this:
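    when RULE_INIT {
        # Set DEBUG to 1 to log every blocked request
        set ::DEBUG 0
        # Name of the class list holding the device names
        set ::CLASSLIST "msdosdn"
    }
    when HTTP_REQUEST {
        # Lower-case the URI before matching it against the class list
        set URI [string tolower [HTTP::uri]]
        if { [CLASS::match $URI contains $::CLASSLIST value] != "" } {
            HTTP::respond 404 content "Your request was blocked"
            if { $::DEBUG == 1 } { log "[HTTP::host] found match in URI: $URI" }
        }
    }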
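Both scripts above use a "contains" match, so a name such as CON also matches inside ordinary URLs like /contact or /icons. The following is an added example, not code from the thread: plain Tcl (run with tclsh) that compares that substring test with a check on whole path-segment base names. The procs contains_device and segment_device, the sample URIs, and the premise that the requests to block carry the device name as a segment's base name (such as /AUX.aspx) are assumptions made for illustration.

```tcl
# Added example, plain Tcl (no aFlex commands); not code from the thread.
# Device names as listed in the original post.
set DEVICES {AUX CON PRN NUL COM1 COM2 COM3 COM4 LPT1 LPT2 LPT3}

# Substring test: same effect as a case-insensitive "contains" match.
# Returns the first device name found anywhere in the URI, or "".
proc contains_device {uri devices} {
    set u [string toupper $uri]
    foreach d $devices {
        if {[string first $d $u] >= 0} { return $d }
    }
    return ""
}

# Segment test: flag only when the base name of a path segment (the text
# before its first dot) is exactly a device name.
# Assumption: that is the request shape to block, e.g. /AUX.aspx or /app/con
proc segment_device {uri devices} {
    # Drop the query string, then walk the path segments.
    set path [lindex [split $uri ?] 0]
    foreach seg [split $path /] {
        set base [string toupper [lindex [split $seg .] 0]]
        if {[lsearch -exact $devices $base] >= 0} { return $base }
    }
    return ""
}

# Constructed sample URIs: two device-name requests, then legitimate URLs
# that happen to contain a device name as a substring or query value.
set SAMPLES {
    /AUX.aspx
    /app/con.aspx
    /files/lpt1
    /contact/index.aspx
    /icons/logo.png
    /docs/null-check.html
    /search?q=aux
}

foreach uri $SAMPLES {
    puts [format "%-24s contains=%-5s segment=%s" $uri \
        [contains_device $uri $DEVICES] [segment_device $uri $DEVICES]]
}
```

The check works on the raw path, so percent-encoded names are not recognised unless the URI is decoded first.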