How to block all HTTP GET requests except for one specific request?

st3fan · ‎08-23-2018

Hi everyone

I would like to create a custom IPS rule for a website which blocks all incoming HTTP GET requests and only allows one specific request. For example, www.site.com/string should be allowed but all other GET requests should be blocked.

Can this be accomplished using IPS rules? I would appreciate your feedback.

Thank you.

Regards

Stefan

st3fan · ‎08-29-2018

Any ideas?

Thanks,

Stefan

emnoc · ‎08-29-2018

Yes you can do that but why ? Can you control the request at the server? Do you have a internal ServerLoadBalancer ?

Take a look at this example, which uses SMTP. The cfg would be the same ideal, but the protocol HTTP and obviously the pattern.

http://socpuppet.blogspot.com/2014/07/example-fo-smpauth-protection-fortigate.html

So something like this might work but find the custom IPS syntax for the fortios version that's in use and review any specifics for HTTP. I don't know how to negate a string tho but try the below for a test and then you would have to play around

F-SBID( --name \"dropithttp\"; --attack_id 1555; --rev1.0; --protocol tcp; ‑‑pattern "www.example.com/string"; ‑‑service HTTP; --no_case; ‑‑flow from_client; )

Please report back if you had success? You would need to set the rule to "drop" for this work for any other strings and that is what I would not know how todo.

ken

PCNSE

NSE

StrongSwan

How to block all HTTP GET requests except for one specific request?

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website