Re: [c-nsp] ACE Regex filtering for url match trouble with %
[EMAIL PROTECTED] wrote:
> FWIW I did manage to get this to match by telling it to match an ASCII space instead ie .*selectx20.* however this is more of a hack for my original request so I will still chase up with TAC.

i haven't looked at the ACE source code / firmware, but it may well be that it does a first-pass of converting %(something) to a non-encoded value first (in this case, a ), because otherwise it would be trivial for a hacker to bypass said filter(s).

you could see if regex .*select\s.* works too.

cheers,

lincoln.
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] ACE Regex filtering for url match trouble with %
Apologies but both my emails yesterday were via a webmail client that kept deleting special characters, including \'s

I did get this to work by \'ing a rather than \'ing %

So the string that worked for me was:

    .*select\ .*

to achieve filtering of select%20 in a url.

On a side note I still had to log a TAC as I have an unusual issue where if a ? is in the url before the match it will let the url slip through, however if it is after the match it will still catch it.

Ie www.bla.com/test?=select%20.asp will make it through, www.bla.com/test=select%20bla?.asp will get caught.

And on top of that there is reaaallly poor use of regexp memory when using a prefixed wildcard on your regex .*, it causes regexp memory to fill up with only 5 regex's and the 6th one will blow the 1MB regexp over the limit and start blocking everything, not ideal behaviour!

Cheers
Ben

-Original Message-
From: Lincoln Dale [mailto:[EMAIL PROTECTED]
Sent: Monday, 25 August 2008 5:23 PM
To: [EMAIL PROTECTED]
Cc: Christian Koch; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ACE Regex filtering for url match trouble with %

[EMAIL PROTECTED] wrote:
> FWIW I did manage to get this to match by telling it to match an ASCII space instead ie .*selectx20.* however this is more of a hack for my original request so I will still chase up with TAC.

i haven't looked at the ACE source code / firmware, but it may well be that it does a first-pass of converting %(something) to a non-encoded value first (in this case, a ), because otherwise it would be trivial for a hacker to bypass said filter(s).

you could see if regex .*select\s.* works too.

cheers,

lincoln.
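An added example (not part of the thread, and not Cisco code) that models in Python the two behaviours reported above: whether the filter percent-decodes the URL before matching, and whether it inspects the part after the "?". The view() model, the function names and the assumption that Python's re treats these patterns like the ACE dialect are all hypothetical; the ACE's real internals are not known from this thread.

```python
import re
from urllib.parse import unquote

# Patterns based on the thread, compiled with Python's re. Assumption: these
# constructs mean the same thing in the ACE regex dialect.
PATTERNS = {
    "literal_pct20": r".*[Ss][Ee][Ll][Ee][Cc][Tt]%20.*",   # the original attempt
    "escaped_space": r".*[Ss][Ee][Ll][Ee][Cc][Tt]\ .*",    # form reported to work
    "space_class": r".*[Ss][Ee][Ll][Ee][Cc][Tt]\s.*",      # suggested alternative
}

# Request targets quoted in the thread.
SAMPLES = [
    "www.bla.com/SELECT%20test.html",
    "www.bla.com/test?=select%20.asp",
    "www.bla.com/test=select%20bla?.asp",
]

def view(target, decode, include_query):
    """String the filter matches against under a given (hypothetical) model."""
    if not include_query:
        target = target.split("?", 1)[0]   # model: only the part before '?'
    return unquote(target) if decode else target

def matches(target, decode=True, include_query=True):
    """Map each pattern name to whether it matches the filter's view."""
    seen = view(target, decode, include_query)
    return {name: re.fullmatch(rx, seen) is not None
            for name, rx in PATTERNS.items()}

def coverage_gaps(targets, decode=True, include_query=True):
    """Targets that no pattern catches: the regression check for a rule set."""
    return [t for t in targets
            if not any(matches(t, decode, include_query).values())]

if __name__ == "__main__":
    for decode, query in [(False, True), (True, True), (True, False)]:
        print(f"decode={decode} include_query={query}")
        for t in SAMPLES:
            hits = [n for n, ok in matches(t, decode, query).items() if ok]
            print(f"  {t!r}: {hits or 'NOT CAUGHT'}")
        print("  gaps:", coverage_gaps(SAMPLES, decode, query))
```

Under the decode-first model the literal %20 pattern never matches while the escaped-space and \s forms do, and under the path-only model the only gap is the URL that was reported to slip through.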
[c-nsp] ACE Regex filtering for url match trouble with %
Hi,

Has anyone had any issues with filtering anything with a % sign in the url when trying to match for url filtering.

Example:

    class-map type http inspect match-any SQL_FILTER
      2 match url [EMAIL PROTECTED]
      3 match url .[Ss][Ee][Ll][Ee][Cc][Tt]%20.*

The first string will match no problem, but the second one won't, i've tried all different methods of matching the % sign like 'ing it, putting it in [] etc.

in theory the above should just work with something like http://www.bla.com/SELECT%20test.html as it does with EXEC@ but it doesn't, anyone got any ideas or had similar issues, just want to check here before I raise a TAC.

Cheers
Ben
Re: [c-nsp] ACE Regex filtering for url match trouble with %
have you tried adding \ in front of the % character?

On Sun, Aug 24, 2008 at 10:32 PM, [EMAIL PROTECTED] wrote:
> Hi,
>
> Has anyone had any issues with filtering anything with a % sign in the url when trying to match for url filtering.
>
> Example:
>
>     class-map type http inspect match-any SQL_FILTER
>       2 match url [EMAIL PROTECTED]
>       3 match url .[Ss][Ee][Ll][Ee][Cc][Tt]%20.*
>
> The first string will match no problem, but the second one won't, i've tried all different methods of matching the % sign like 'ing it, putting it in [] etc.
>
> in theory the above should just work with something like http://www.bla.com/SELECT%20test.html as it does with EXEC@ but it doesn't, anyone got any ideas or had similar issues, just want to check here before I raise a TAC.
>
> Cheers
> Ben
Re: [c-nsp] ACE Regex filtering for url match trouble with %
Yes I have, I did mention that in my first post but this stupid webmail client removed it and just put 'ing instead of 'ing :)

FWIW I did manage to get this to match by telling it to match an ASCII space instead ie .*selectx20.* however this is more of a hack for my original request so I will still chase up with TAC.

Cheers

On Mon 25/08/08 12:32 PM , Christian Koch [EMAIL PROTECTED] sent:
> have you tried adding in front of the % character?
>
> On Sun, Aug 24, 2008 at 10:32 PM, wrote:
>> Hi,
>>
>> Has anyone had any issues with filtering anything with a % sign in the url when trying to match for url filtering.
>>
>> Example:
>>
>>     class-map type http inspect match-any SQL_FILTER
>>       2 match url [EMAIL PROTECTED]
>>       3 match url .[Ss][Ee][Ll][Ee][Cc][Tt]%20.*
>>
>> The first string will match no problem, but the second one won't, i've tried all different methods of matching the % sign like 'ing it, putting it in [] etc.
>>
>> in theory the above should just work with something like http://www.bla.com/SELECT%20test.html as it does with EXEC@ but it doesn't, anyone got any ideas or had similar issues, just want to check here before I raise a TAC.
>>
>> Cheers
>> Ben