Re: [c-nsp] ACE Regex filtering for url match trouble with %

2008-08-25 Thread Lincoln Dale

[EMAIL PROTECTED] wrote:

 FWIW I did manage to get this to match by telling it to match an
ASCII space instead ie .*selectx20.* however this is more of a hack
for my original request so I will still chase up with TAC. 
  


i haven't looked at the ACE source code / firmware, but it may well be 
that it does a first-pass of converting %(something) to a non-encoded 
value first (in this case, a  ), because otherwise it would be trivial 
for a hacker to bypass said filter(s).


you could see if regex .*select\s.* works too.


cheers,

lincoln.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] ACE Regex filtering for url match trouble with %

2008-08-25 Thread Ben Steele
Apologies but both my emails yesterday were via a webmail client that kept
deleting special characters, including \'s

I did get this to work by \'ing a   rather than \'ing %

So the string that worked for me was: .*select\ .* to achieve filtering of
select%20 in a url.

On a side note I still had to log a TAC as I have an unusual issue where if
a ? is in the url before the match it will let the url slip through,
however if it is after the match it will still catch it.

Ie www.bla.com/test?=select%20.asp will make it through,
www.bla.com/test=select%20bla?.asp will get caught.

And on top of that there is reaaallly poor use of regexp memory when
using a prefixed wildcard on your regex .*, it causes regexp memory to
fill up with only 5 regex's and the 6th one will blow the 1MB regexp over
the limit and start blocking everything, not ideal behaviour!

Cheers

Ben

-Original Message-
From: Lincoln Dale [mailto:[EMAIL PROTECTED] 
Sent: Monday, 25 August 2008 5:23 PM
To: [EMAIL PROTECTED]
Cc: Christian Koch; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ACE Regex filtering for url match trouble with %

[EMAIL PROTECTED] wrote:
  FWIW I did manage to get this to match by telling it to match an
 ASCII space instead ie .*selectx20.* however this is more of a hack
 for my original request so I will still chase up with TAC. 
   

i haven't looked at the ACE source code / firmware, but it may well be 
that it does a first-pass of converting %(something) to a non-encoded 
value first (in this case, a  ), because otherwise it would be trivial 
for a hacker to bypass said filter(s).

you could see if regex .*select\s.* works too.


cheers,

lincoln.


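The decode-before-match behaviour Lincoln suspects, and the reason Ben's `select\ ` form matches where the literal `select%20` does not, modelled in Python as an added example (not from the thread or from the ACE; the sample URLs are constructed and `canonicalise` is a hypothetical stand-in for the appliance's normalisation, not its real engine):

```python
import re
from urllib.parse import unquote

# Constructed sample URLs, modelled on the ones discussed in the thread.
SAMPLE_URLS = [
    "http://www.bla.com/SELECT%20test.html",
    "http://www.bla.com/select%20test.html",
    "http://www.bla.com/test=select%20bla.asp",
    "http://www.bla.com/EXEC@foo",        # the other class-map line's concern, not this one
    "http://www.bla.com/selection.html",  # 'select' followed by a letter, not a space
]

# The regex as Ben first wrote it: the literal encoded sequence.
RAW_PATTERN = re.compile(r"select%20", re.IGNORECASE)
# Lincoln's suggestion: any whitespace after the keyword.
WHITESPACE_PATTERN = re.compile(r"select\s", re.IGNORECASE)
# Ben's working form: an escaped literal space.
ESCAPED_SPACE_PATTERN = re.compile(r"select\ ", re.IGNORECASE)


def canonicalise(url: str) -> str:
    """One percent-decoding pass over the URL, e.g. '%20' -> ' '.

    Hypothetical stand-in for the normalisation an inspection engine may
    apply before the operator's regex is evaluated.
    """
    return unquote(url)


def filter_hits(pattern: re.Pattern, urls, decode_first: bool = True):
    """Return the URLs the filter would act on.

    decode_first=True models an engine that canonicalises before matching;
    False models matching against the wire bytes. re.search is used, so no
    leading '.*' is needed to find the keyword anywhere in the URL.
    """
    hits = []
    for url in urls:
        subject = canonicalise(url) if decode_first else url
        if pattern.search(subject):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for name, pat in [("raw %20", RAW_PATTERN), ("\\s", WHITESPACE_PATTERN),
                      ("escaped space", ESCAPED_SPACE_PATTERN)]:
        print(f"{name:14} decode-first: {filter_hits(pat, SAMPLE_URLS, True)}")
        print(f"{name:14} wire bytes:   {filter_hits(pat, SAMPLE_URLS, False)}")
```

Against the decoded subject the raw `%20` pattern never fires while both space-matching forms hit the three `select` URLs, which is consistent with what the thread observed.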


[c-nsp] ACE Regex filtering for url match trouble with %

2008-08-24 Thread ben . steele
 

Hi, 

Has anyone had any issues with filtering anything with a % sign in
the url when trying to match for url filtering. 

Example: 

class-map type http inspect match-any SQL_FILTER
   2 match url [EMAIL PROTECTED]
   3 match url .[Ss][Ee][Ll][Ee][Cc][Tt]%20.* 

The first string will match no problem, but the second one won't,
i've tried all different methods of matching the % sign like 'ing it,
putting it in [] etc. in theory the above should just work with
something like http://www.bla.com/SELECT%20test.html as it does
with EXEC@ but it doesn't, anyone got any ideas or had similar issues,
just want to check here before I raise a TAC. 

Cheers 

Ben




Re: [c-nsp] ACE Regex filtering for url match trouble with %

2008-08-24 Thread Christian Koch
have you tried adding   \  in front of the  %  character?



On Sun, Aug 24, 2008 at 10:32 PM,  [EMAIL PROTECTED] wrote:


 Hi,

Has anyone had any issues with filtering anything with a % sign in
 the url when trying to match for url filtering.

Example:

class-map type http inspect match-any SQL_FILTER
   2 match url [EMAIL PROTECTED]
   3 match url .[Ss][Ee][Ll][Ee][Cc][Tt]%20.*

The first string will match no problem, but the second one won't,
 i've tried all different methods of matching the % sign like 'ing it,
 putting it in [] etc. in theory the above should just work with
 something like http://www.bla.com/SELECT%20test.html as it does
 with EXEC@ but it doesn't, anyone got any ideas or had similar issues,
 just want to check here before I raise a TAC.

Cheers

Ben




Re: [c-nsp] ACE Regex filtering for url match trouble with %

2008-08-24 Thread ben . steele
 

Yes I have, I did mention that in my first post but this stupid
webmail client removed it and just put 'ing instead of 'ing :) 

FWIW I did manage to get this to match by telling it to match an
ASCII space instead ie .*selectx20.* however this is more of a hack
for my original request so I will still chase up with TAC. 

Cheers
 On Mon 25/08/08 12:32 PM , Christian Koch [EMAIL PROTECTED]
sent:
  have you tried adding \ in front of the % character? 
 On Sun, Aug 24, 2008 at 10:32 PM,  wrote: 
  
  
  Hi, 
  
  Has anyone had any issues with filtering anything with a % sign in
  the url when trying to match for url filtering. 
  
  Example: 
  
  class-map type http inspect match-any SQL_FILTER 
  2 match url [EMAIL PROTECTED] 
  3 match url .[Ss][Ee][Ll][Ee][Cc][Tt]%20.* 
  
  The first string will match no problem, but the second one won't, 
  i've tried all different methods of matching the % sign like 'ing it, 
  putting it in [] etc. in theory the above should just work with 
  something like http://www.bla.com/SELECT%20test.html as it does 
  with EXEC@ but it doesn't, anyone got any ideas or had similar issues, 
  just want to check here before I raise a TAC. 
  
  Cheers 
  
  Ben 
  
  
  

