Hi!
I would like to use our AX1030 and aFlex to make sure that “Microsoft ASP.NET MS-DOS Device Name DoS”-requests get a 404.5 response
“Microsoft ASP.NET MS-DOS Device Name DoS”-request have one of the following as a sequence in the URL:
AUX
CON
PRN
NUL
COM1
LPT1
LPT2
LPT3
COM2
COM3
COM4
Any suggested way to solve this in a scalable way?
Thanks!
Hi,
Just create a class list containing all patterns:
!
class-list msdosdn string
str AUX
str CON
str PRN
str NUL
str COM1
str LPT1
…
!
Then you can match url against your class list using aflex:
when HTTP\_REQUEST \{
if \{[CLASS::match [HTTP::uri] contains msdosdn]\} \{
HTTP::respond 404 content “Your request was blocked”
\}
\}
Class list matching is far more efficient than regex matching and allows updating classlist on the go without traffic impact.
Regards
Thanks!
My final script ended up like this:
when RULE_INIT {
set ::DEBUG 0
set ::CLASSLIST “msdosdn”
\}
when HTTP\_REQUEST \{
set URI [string tolower [HTTP::uri]]
if \{ [CLASS::match $URI contains $::CLASSLIST value] != ""\} \{
HTTP::respond 404 content “Your request was blocked”
if \{ $::DEBUG == 1 \} \{ log "[HTTP::host] found match in URI: $URI" \}
\}
\}