Forum Discussion
Beinhard_8950
Jan 16, 2012
Nimbostratus
Is the best way to use class match?
Below I did a simple one that is pretty much: if the URI is in the group Uri_Parameters_Allowed, skip checking.

    when HTTP_REQUEST {
        # Skip the check for URIs listed in the Uri_Parameters_Allowed data group
        if { ![class match [HTTP::uri] equals "Uri_Parameters_Allowed"] } {
            # Check if the query string contains more than 100 parameters
            if { [llength [split [HTTP::query] &]] > 100 } {
                log local0.alert "Microsoft Security Advisory (2659883)\
                    IP Address [IP::client_addr]:[TCP::client_port] requested [HTTP::uri]"
                # Drop the request
                drop
                return
            }
        }
    }
......................
But if you want to be a little bit more specific, so that 1 datagroup is allowed to have 2000 parameters and the rest <50 and so on.
/Beinhard
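
One way to get the per-URI limits asked about at the end of the post, as an added example that is not the poster's code: store the ceiling as the value of each data group entry and read it with `class match -value`. The data group name `Uri_Parameter_Limits` and its entries are hypothetical, and the lookup uses `HTTP::path` because `HTTP::uri` includes the query string.

```tcl
# Added example. Assumes a string data group named Uri_Parameter_Limits
# (hypothetical) whose keys are request paths and whose values are the
# parameter ceiling for that path, for example:
#   "/app/bulkimport" := "2000"
#   "/app/report"     := "300"
when HTTP_REQUEST {
    # Ceiling applied to every path that is not listed in the data group
    set limit 50

    # HTTP::path excludes the query string, so the lookup key stays the same
    # no matter how many parameters the client sends. class match -value
    # returns the entry's value, or an empty string when nothing matches.
    set custom [class match -value [HTTP::path] equals Uri_Parameter_Limits]

    # Only accept a well-formed integer; a blank or mistyped value in the
    # data group falls back to the default instead of disabling the check
    if { [string is integer -strict $custom] } {
        set limit $custom
    }

    # An empty query string splits to an empty list, i.e. zero parameters
    set count [llength [split [HTTP::query] "&"]]

    if { $count > $limit } {
        log local0.alert "Microsoft Security Advisory (2659883)\
            parameter limit exceeded ($count > $limit):\
            [IP::client_addr]:[TCP::client_port] requested [HTTP::path]"
        # Drop the request
        drop
        return
    }
}
```

Like the rule in the post, this counts query-string parameters only; parameters sent in a request body are not inspected.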