Hi everyone
I would like to create a custom IPS rule for a website which blocks all incoming HTTP GET requests and only allows one specific request. For example, www.site.com/string should be allowed but all other GET requests should be blocked.
Can this be accomplished using IPS rules? I would appreciate your feedback.
Thank you.
Regards
Stefan
Any ideas?
Thanks,
Stefan
Yes you can do that but why ? Can you control the request at the server? Do you have a internal ServerLoadBalancer ?
Take a look at this example, which uses SMTP. The cfg would be the same ideal, but the protocol HTTP and obviously the pattern.
http://socpuppet.blogspot.com/2014/07/example-fo-smpauth-protection-fortigate.html
So something like this might work but find the custom IPS syntax for the fortios version that's in use and review any specifics for HTTP. I don't know how to negate a string tho but try the below for a test and then you would have to play around
F-SBID( --name \"dropithttp\"; --attack_id 1555; --rev1.0; --protocol tcp; ‑‑pattern "www.example.com/string"; ‑‑service HTTP; --no_case; ‑‑flow from_client; )
Please report back if you had success? You would need to set the rule to "drop" for this work for any other strings and that is what I would not know how todo.
ken
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.