Getting around Data Groups
Posted by mischa
IHAC that is looking to replace their current LBs with A10 and they are using Data Groups.
Code:
class exampleClass {
    "string1"
    "string2"
    "string3"
}
rule exampleRule {
    when HTTP_REQUEST {
        # Select the pool based on whether the URI contains any string in the class
        if {[matchclass [HTTP::uri] contains exampleClass]} {
            log local0. "Using uri-match pool - [HTTP::uri]"
            pool pool-uri-match
        } else {
            pool pool-no-uri-match
            log local0. "No uri matched using no-uri-match pool - [HTTP::uri]"
        }
    }
}
This is what we will need to use with aFleX in order to do something similar.
Code:
when RULE_INIT {
    # List of "part of URL" not authorized
    set ::NOT_ALLOWED_REQUEST [list "/setup.php" "/w00tw00t.at.ISC.SANS.DFind:"]
}
when HTTP_REQUEST {
    # Convert the URI received to lowercase
    set URI [string tolower [HTTP::uri]]
    # Check if the request received is part of the blocked list
    for {set x 0} {$x<[llength $::NOT_ALLOWED_REQUEST]} {incr x} {
        if {[string first [string tolower [lindex $::NOT_ALLOWED_REQUEST $x]] $URI] != -1} {
            # Request is part of the blocked list => reject request + log
            log "Client [IP::client_addr] had its request dropped http://[HTTP::host][HTTP::uri]"
            reject
            # Exit the loop
            set x [llength $::NOT_ALLOWED_REQUEST]
        }
    }
}
Source: Dimitri Desmidt
Comments
Updated code:
Code:
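when RULE_INIT {
    # Blocked entries, stored in lowercase
    set ::NOT_ALLOWED_REQUEST [list "/setup.php" "/w00tw00t.at.isc.sans.dfind:"]
}
when HTTP_REQUEST {
    # Convert the URI received to lowercase
    set URI [string tolower [HTTP::uri]]
    # lsearch compares $URI against each whole list element (glob-style by
    # default), so this is a whole-URI match, not a substring match
    set SEARCH_INDEX [lsearch $::NOT_ALLOWED_REQUEST $URI]
    if { $SEARCH_INDEX != -1 } {
        log "Client [IP::client_addr] had its request dropped http://[HTTP::host][HTTP::uri]"
        reject
    }
}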
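The two matching styles on this page (the `string first` loop in the original post and the `lsearch` in the updated code) compared side by side, as an added example that is not from the post or the comment. It is plain Tcl for `tclsh` with no aFleX commands; the proc names `blocked_substring` and `blocked_lsearch` are hypothetical and the sample URIs are constructed.

```tcl
# Added example: plain Tcl (tclsh), no aFleX/iRule commands required.
# Blocklist entries are the ones from the page; the sample URIs are constructed.
set NOT_ALLOWED_REQUEST [list "/setup.php" "/w00tw00t.at.isc.sans.dfind:"]

# Hypothetical helper: substring match, as in the for/string first loop
# (the behaviour "matchclass ... contains" gives against a data group).
proc blocked_substring {uri blocklist} {
    set uri [string tolower $uri]
    foreach entry $blocklist {
        if {[string first [string tolower $entry] $uri] != -1} {
            return 1
        }
    }
    return 0
}

# Hypothetical helper: the lsearch form from the updated code. With no option
# lsearch uses glob matching, with the URI as the pattern and each blocklist
# entry as the string, so an entry must match the whole URI.
proc blocked_lsearch {uri blocklist} {
    set uri [string tolower $uri]
    return [expr {[lsearch $blocklist $uri] != -1}]
}

# Constructed sample URIs: exact entry, entry inside a longer path,
# entry followed by a query string, and an unrelated path.
foreach uri {
    "/setup.php"
    "/admin/setup.php"
    "/setup.php?lang=en"
    "/index.html"
} {
    puts [format "%-24s substring=%d lsearch=%d" $uri \
        [blocked_substring $uri $NOT_ALLOWED_REQUEST] \
        [blocked_lsearch $uri $NOT_ALLOWED_REQUEST]]
}
```

Both helpers flag `/setup.php`, but only the substring helper flags the entry when it appears inside a longer path or before a query string, so the `lsearch` form is not a drop-in replacement for a "contains" data-group match.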