cancel
Showing results for 
Search instead for 
Did you mean: 
DBO
Level 9

URL Filter by expression with 6.8.7

Jump to solution

I am trying to filter URL with an imbedded «  /in.cgi?  » like /in.cgi?3&parameter=scarlett%20johansson%20filmography

I would think that a shell expression  «   /in.cgi\?   »  would do the job but it is not working.  Any idea?

0 Kudos
1 Solution

Accepted Solutions
dstraube
Level 11

Re: URL Filter by expression with 6.8.7

Jump to solution

Hello DBO,

this is a bit tricky. MWG extracts only the URL. The parameter part (which starts with the "?") is cut off and not used for the expression check.

The expression you need is: */in.cgi$

The $ marks the end and will make sure URLs like "/in.cgitest" are not blocked.

Regards,

Dirk

0 Kudos
3 Replies
dstraube
Level 11

Re: URL Filter by expression with 6.8.7

Jump to solution

Hello DBO,

this is a bit tricky. MWG extracts only the URL. The parameter part (which starts with the "?") is cut off and not used for the expression check.

The expression you need is: */in.cgi$

The $ marks the end and will make sure URLs like "/in.cgitest" are not blocked.

Regards,

Dirk

0 Kudos
DBO
Level 9

Re: URL Filter by expression with 6.8.7

Jump to solution

It explain the problem and it work.

Thank you

0 Kudos
DBO
Level 9

Re: URL Filter by expression with 6.8.7

Jump to solution

OK, This is usefull to block a link but, how can I block an argument?

We received an alert last week relating to the Black Hole kit use to inject malware and need to block specific pattern:

  • /in.cgi?   (ok it work now)
  • /tds/go.php?sid=23
  • \.php\?[a-z]{1,2}=[a-zA-Z0-9]{16}  (regex)
  • \.php\?f=[0-9]{1,2}&e=[0-9]{1,2} (regex)

We also blackList  the  .co.cc zone and 28 IP adresses

Any isea how we can proceed?

0 Kudos