[c-nsp] ACE Regex filtering for url match trouble with %
Ben Steele
ben.steele at internode.on.net
Mon Aug 25 20:24:55 EDT 2008
Apologies but both my emails yesterday were via a webmail client that kept
deleting special characters, including \'s
I did get this to work by \'ing a " " rather than \'ing %
So the string that worked for me was: ".*select\ .*" to achieve filtering of
select%20 in a url.
On a side note I still had to log a TAC as I have an unusual issue where if
a "?" is in the url before the match it will let the url slip through,
however if it is after the match it will still catch it.
i.e. www.bla.com/test?=select%20.asp will make it through,
www.bla.com/test=select%20bla?.asp will get caught.
And on top of that there is really poor use of regexp memory when
using a prefixed wildcard on your regex ".*": it causes regexp memory to
fill up with only 5 regexes and the 6th one will blow the 1MB regexp over
the limit and start blocking everything, not ideal behaviour!
Cheers
Ben
-----Original Message-----
From: Lincoln Dale [mailto:ltd at cisco.com]
Sent: Monday, 25 August 2008 5:23 PM
To: ben.steele at internode.on.net
Cc: Christian Koch; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ACE Regex filtering for url match trouble with %
ben.steele at internode.on.net wrote:
> FWIW I did manage to get this to match by telling it to match an
> ASCII space instead ie .*selectx20.* however this is more of a hack
> for my original request so I will still chase up with TAC.
>
I haven't looked at the ACE source code / firmware, but it may well be
that it does a first pass of converting "%(something)" to a non-encoded
value first (in this case, a " "), because otherwise it would be trivial
for a hacker to bypass said filter(s).
you could see if regex ".*select\s.*" works too.
cheers,
lincoln.
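The thread turns on whether the filter sees the URL before or after percent-decoding: Ben's `.*select\ .*` only works if `%20` has already become a space, and Lincoln points out that a filter which matched the raw bytes would be trivial to bypass. The following is an added Python illustration, not ACE code or anything from the original posters, and it makes no claim about how ACE itself is implemented. It runs both styles of filter over a handful of constructed URLs (the two shapes from the thread plus a few extra) and also goes one step beyond the thread: a filter that decodes exactly once still misses a double-encoded `%2520`, so the canonicalisation is repeated to a fixed point with an upper bound. The hostnames, the `canonicalize`/`matches_*` helpers and the sample URLs are all assumptions made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample URLs for the demonstration (not taken from live traffic).
# The first two are the shapes quoted in the thread; the rest are added to
# show what a filter that matches only the raw URL string would miss.
SAMPLE_URLS = [
    "http://www.bla.com/test?=select%20.asp",
    "http://www.bla.com/test=select%20bla?.asp",
    "http://www.bla.com/test?q=select%2520from",   # double-encoded space
    "http://www.bla.com/test?q=select from",       # literal space, as some clients send it
    "http://www.bla.com/index.asp",                 # benign
]

# Ben's working ACE string, applied here to the URL exactly as received.
RAW_PATTERN = re.compile(r".*select\ .*")
# Lincoln's suggestion: any whitespace after the keyword. Applied after
# percent-decoding, so %20, %09 and friends all collapse to whitespace.
DECODED_PATTERN = re.compile(r"select\s")


def canonicalize(url, max_passes=3):
    """Percent-decode until the string stops changing.

    A single unquote() turns %2520 into %20, not into a space, so an
    attacker who double-encodes slips past a one-pass filter. The loop is
    bounded so hostile input cannot make the filter spin indefinitely.
    """
    current = url
    for _ in range(max_passes):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def matches_raw(url, pattern=RAW_PATTERN):
    """Filter that never decodes: only a literal space satisfies the escaped space."""
    return pattern.search(url) is not None


def matches_decoded(url, pattern=DECODED_PATTERN, passes=3):
    """Filter that canonicalizes first, then applies the regex."""
    return pattern.search(canonicalize(url, max_passes=passes)) is not None


def filter_report(urls=SAMPLE_URLS):
    """Map each URL to (raw_match, decode_once_match, decode_fully_match)."""
    return {
        url: (matches_raw(url), matches_decoded(url, passes=1), matches_decoded(url))
        for url in urls
    }


if __name__ == "__main__":
    for url, (raw, once, full) in filter_report().items():
        print(f"{url:45s} raw={raw!s:5s} decode_once={once!s:5s} decode_fully={full!s:5s}")
```

Note that the decoded pattern is used unanchored with `search()`, so the leading `.*` from the raw string adds nothing; whether or not it costs memory on a given device, it is redundant for a substring match.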