Forum Discussion

abhinay
Dec 21, 2022

Request for providing help on setting up an iRule

Hi All, Can you please let me know how can I accomplish the below requirement with an iRule. Any requests that use any method and have "cs.exe" or "llisapi.dll" in the URI and also have a query str...
  • mihaic
    Dec 22, 2022

    abhinay, please share how you test in Postman.
    I've tried and it works if the POST body is raw type and looks like this: fInArgs=%3D%23
    These are the rules I am using:

    when HTTP_REQUEST {
        # Deny when the URI matches the data group and the query string carries the encoded value
        if { ([class match [HTTP::uri] contains example_uri_1]) and ([HTTP::query] contains "%3D%23") } {
            HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
            log local0. "deny URI: [HTTP::uri] query:[HTTP::query]"
            # Stop here so a denied POST is not also collected and answered a second time
            return
        }
        if { [HTTP::method] eq "POST" } {
            # Trigger collection for up to 1MB of data
            if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576 } {
                set content_length [HTTP::header "Content-Length"]
            } else {
                set content_length 1048576
            }
            # Check if $content_length is not set to 0
            if { $content_length > 0 } {
                HTTP::collect $content_length
            }
        }
    }
    when HTTP_REQUEST_DATA {
        if { [HTTP::method] equals "POST" } {
            # Prefix the HTTP request body with "?" so URI::query can parse it like a query string
            set http_request_body "?[HTTP::payload]"
            log local0. "http payload: $http_request_body"
            # Try to parse the fInArgs value from the HTTP request body.
            if { [URI::query $http_request_body fInArgs] equals "%3D%23" } {
                HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
            }
        }
    }

    If you use application/x-www-form-urlencoded you will have to match this: "%253D%2523"

    if { [URI::query $http_request_body fInArgs] equals "%253D%2523" } {
        HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
    }

    Or use URI::decode:

    if { [URI::decode [URI::query $http_request_body fInArgs]] equals "%3D%23" } {
        HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
    }

    And if it is form-data:

    set varB [findstr [HTTP::payload] "fInArgs"]
    if { $varB contains "%3D%23" } {
        HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
    }
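
An offline model of the three body types distinguished in the post above, added here as an example (Python, not part of mihaic's post and not F5 code): it builds a constructed body for each type and shows why the urlencoded one reaches the rule as %253D%2523. The boundary string, the text/plain content type for raw bodies, and the helper names are assumptions.

```python
from urllib.parse import urlencode, unquote

BLOCKED = "%3D%23"        # literal the thread's rules look for
FIELD = "fInArgs"         # field name from the thread (uppercase "i")
BOUNDARY = "XBOUNDARYX"   # constructed multipart boundary (assumption)

def build_body(kind, value=BLOCKED, field=FIELD):
    """Constructed (content_type, body) pairs for the three Postman body types."""
    if kind == "raw":            # sent exactly as typed
        return "text/plain", f"{field}={value}"
    if kind == "urlencoded":     # the client encodes '%' as '%25'
        return "application/x-www-form-urlencoded", urlencode({field: value})
    if kind == "form-data":      # value sits verbatim inside a MIME part
        body = (f"--{BOUNDARY}\r\nContent-Disposition: form-data; "
                f'name="{field}"\r\n\r\n{value}\r\n--{BOUNDARY}--\r\n')
        return f"multipart/form-data; boundary={BOUNDARY}", body
    raise ValueError(kind)

def raw_field(content_type, body, name=FIELD):
    """Return the field value as it appears on the wire, without decoding."""
    if content_type.startswith("multipart/form-data"):
        boundary = content_type.split("boundary=", 1)[1]
        for part in body.split("--" + boundary):
            head, sep, data = part.partition("\r\n\r\n")
            if sep and f'name="{name}"' in head:
                return data.rstrip("\r\n")
        return None
    for pair in body.split("&"):
        key, _, val = pair.partition("=")
        if key == name:
            return val
    return None

def is_blocked(content_type, body):
    """Match the literal as sent and after one round of URL decoding."""
    val = raw_field(content_type, body)
    return val is not None and BLOCKED in (val, unquote(val))

if __name__ == "__main__":
    for kind in ("raw", "urlencoded", "form-data"):
        ctype, body = build_body(kind)
        print(f"{kind:11} wire value={raw_field(ctype, body)!r} "
              f"blocked={is_blocked(ctype, body)}")
```
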

     

  • CA_Valli
    Dec 27, 2022

    I noticed from other comments in this thread that variable name is fInArgs with an uppercase "i".

    Variable name in my code has a lowercase "L" -- I must have read that wrong before. If you just copy/pasted and didn't fix it, it might not match because of this. 

    Otherwise, I'd expect it to work -- it does in my lab.