[c-nsp] ACE Regex filtering for url match trouble with %

Ben Steele ben.steele at internode.on.net
Mon Aug 25 20:24:55 EDT 2008


Apologies, but both my emails yesterday were via a webmail client that kept
deleting special characters, including \'s.

I did get this to work by \'ing a " " rather than \'ing %.

So the string that worked for me was: ".*select\ .*" to achieve filtering of
select%20 in a url.

On a side note I still had to log a TAC as I have an unusual issue where if
a "?" is in the url before the match it will let the url slip through,
however if it is after the match it will still catch it.

I.e. www.bla.com/test?=select%20.asp will make it through,
www.bla.com/test=select%20bla?.asp will get caught.

And on top of that there is reaaaaaaallly poor use of regexp memory when
using a prefixed wildcard on your regex ".*": it causes regexp memory to
fill up with only 5 regexes, and the 6th one will blow the 1MB regexp over
the limit and start blocking everything, not ideal behaviour!

Cheers

Ben

-----Original Message-----
From: Lincoln Dale [mailto:ltd at cisco.com] 
Sent: Monday, 25 August 2008 5:23 PM
To: ben.steele at internode.on.net
Cc: Christian Koch; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ACE Regex filtering for url match trouble with %

ben.steele at internode.on.net wrote:
>  FWIW I did manage to get this to match by telling it to match an
> ASCII space instead ie .*selectx20.* however this is more of a hack
> for my original request so I will still chase up with TAC. 
>   

i haven't looked at the ACE source code / firmware, but it may well be 
that it does a first-pass of converting "%(something)" to a non-encoded 
value first (in this case, a " "), because otherwise it would be trivial 
for a hacker to bypass said filter(s).

you could see if regex ".*select\s.*" works too.


cheers,

lincoln.
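The thread turns on two things: whether the filter percent-decodes the URL before the regex runs (Lincoln's guess about why `select%20` can be matched with `\ ` or `\s`), and Ben's observation that a `?` placed before the match lets the URL through. The script below is an added illustration written for this page; it is not the ACE's code and does not describe how the ACE actually works. It decodes URLs to a fixed point and runs the `.*select\s.*` pattern from the thread three ways: on the raw string, on a hypothetical path-only view (everything before the first `?`, an assumption introduced here purely to reproduce the slip-through Ben saw), and on the full decoded URL. The sample URLs are constructed from the two shapes in Ben's message plus a benign one.

```python
import re
from urllib.parse import unquote

# Pattern from the thread (Lincoln's suggestion): "select" followed by whitespace.
SELECT_SPACE = r".*select\s.*"

# Constructed sample URLs: the two shapes Ben reported, plus a benign one.
SAMPLE_URLS = [
    "www.bla.com/test?=select%20.asp",     # Ben: slipped through the ACE filter
    "www.bla.com/test=select%20bla?.asp",  # Ben: caught by the ACE filter
    "www.bla.com/index.asp",               # benign, should never match
]


def percent_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing (bounded).

    One round turns '%20' into ' '. Decoding to a fixed point also normalizes
    doubly encoded input, so the regex sees the characters a browser or
    back-end would see. The bound keeps the work finite on odd input.
    """
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def matches_raw(pattern, url):
    """Apply the regex to the URL exactly as received (no decoding)."""
    return re.fullmatch(pattern, url) is not None


def matches_path_only(pattern, url):
    """Hypothetical filter that decodes and inspects only the part before '?'.

    This is an assumption used to illustrate Ben's observation; it is not a
    statement about what the ACE does internally.
    """
    path = url.split("?", 1)[0]
    return re.fullmatch(pattern, percent_decode(path)) is not None


def matches_full_url(pattern, url):
    """Decode the whole URL (path and query) before matching."""
    return re.fullmatch(pattern, percent_decode(url)) is not None


def classify(urls=SAMPLE_URLS, pattern=SELECT_SPACE):
    """Return {url: (raw, path_only, full)} match results for each URL."""
    return {
        u: (matches_raw(pattern, u),
            matches_path_only(pattern, u),
            matches_full_url(pattern, u))
        for u in urls
    }


if __name__ == "__main__":
    for url, (raw, path_only, full) in classify().items():
        print(f"{url:40} raw={raw!s:5} path_only={path_only!s:5} full={full}")
```

Run as-is, the raw column is False for every URL (the literal `%20` never matches `\s`), the path-only column reproduces Ben's split exactly (the `?`-first URL escapes, the other is caught), and the full-URL column catches both. Whatever the ACE's real reason, the defensive lesson is the same: decode first, then match against the complete request target. Note also that with `re.search` instead of `re.fullmatch` the leading and trailing `.*` are redundant; dropping them from the pattern is the usual way to avoid the wildcard-prefix cost Ben describes.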



