
Error in L7 on MikroTik

While solving a problem, I came across strange behavior of L7 in MikroTik. When the case of characters is explicitly specified in a regular expression, it is ignored, even if the characters in the regular expression are given as bytes.

Let's set a task (invented specifically to demonstrate the error).
Block the following URL: http://chelaxe.ru/Summary/
As you can see, the URL contains an uppercase letter: S.

To do this, we use Layer7 in MikroTik, which can inspect the contents of packets. It collects the first 10 packets or 2 KB of a connection and searches them for the required data using a regular expression.

Everything is configured as follows:
/ip firewall layer7-protocol add name=lock regexp=^.*(\/Summary\/).*(chelaxe\.ru).*$
/ip firewall filter add action=drop chain=forward disabled=no dst-port=80 layer7-protocol=lock protocol=tcp src-address=192.168.0.0/24

Through WinBox: [screenshot]


Now we need to write the correct regular expression (POSIX). At first, I simply tried this:

^.*(chelaxe\.ru\/Summary\/).*$

but it didn't work for me, so I took Wireshark and looked at the packets.
As you can see, the GET line in the packet is separate from the Host line, and the GET line comes first:

GET /Summary/ HTTP/1.1
Host: chelaxe.ru

We rewrite the regular expression:

^.*(\/Summary\/).*(chelaxe\.ru).*$

For checking and creating the regular expressions I used regex101.com. Thanks to 0dmin for the article "Regular expressions parsing".

Add everything to MikroTik and go to http://chelaxe.ru/Summary/
The result: DOES NOT WORK

Change the regular expression to:
^.*(\/summary\/).*(chelaxe\.ru).*$
Result: WORKS, but blocks both http://chelaxe.ru/Summary/ and http://chelaxe.ru/summary/ (I specially created two pages that differ in the case of the letter S)

I tried a different approach:

^.*(\x2f\x53\x75\x6d\x6d\x61\x72\x79\x2f).*$

This is the string /Summary/ written as bytes.
The result: DOES NOT WORK

Change the byte \x53 to \x73 (S to s):

^.*(\x2f\x73\x75\x6d\x6d\x61\x72\x79\x2f).*$
The result: WORKS, but blocks both http://chelaxe.ru/Summary/ and http://chelaxe.ru/summary/

It turns out that the packet leaves my machine with the string in uppercase and arrives at the server in the same form (the site distinguishes between uppercase and lowercase), and the regular expression is correct, yet it finds nothing when searching for the string in uppercase, while in lowercase it matches both variants (upper and lower).

Conclusion: It is impossible to use L7 in MikroTik to match case-sensitive information in a packet.

UPD: I used version v5.26 (the last one in the 5th branch), and in branch 6 this bug was fixed:
What's new in 6.0rc12 (2013-Mar-26 17:18):
*) fixed layer7 matcher - it is case insensitive now;

I checked in version v6.3: everything works as it should. So this quirk exists only in the 5th branch of RouterOS.
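
The results above can be reproduced with a small model, added here as an example and not part of the original article or of RouterOS code. It assumes that the v5.26 matcher lower-cases the inspected buffer while leaving the pattern as written, which is consistent with every result reported above but is not confirmed by MikroTik; the other two modes are a plain case-sensitive matcher and a case-insensitive one, as the 6.0rc12 changelog line words it. The names `request`, `l7_match` and `table` are hypothetical, Python's `re` stands in for the POSIX engine, and the requests are constructed from the GET/Host lines shown earlier.

```python
import re

WINDOW = 2048  # the article: L7 looks at the first 10 packets or 2 KB of a connection


def request(path):
    """Constructed sample request, modelled on the GET/Host lines in the article."""
    return f"GET {path} HTTP/1.1\r\nHost: chelaxe.ru\r\n\r\n".encode()


def l7_match(pattern, payload, fold_input=False, flags=0):
    """Match an L7-style pattern against the start of a connection.

    fold_input=True is an ASSUMED model of the v5.26 behaviour: the buffer is
    lower-cased before matching, the pattern is used exactly as written.
    """
    data = payload[:WINDOW]
    if fold_input:
        data = data.lower()
    # DOTALL: '.' has to cross the CRLF between the GET line and the Host line.
    return re.search(pattern.encode(), data, re.DOTALL | flags) is not None


# The five expressions tried in the article, unchanged.
PATTERNS = {
    "host+path": r"^.*(chelaxe\.ru\/Summary\/).*$",
    "upper": r"^.*(\/Summary\/).*(chelaxe\.ru).*$",
    "lower": r"^.*(\/summary\/).*(chelaxe\.ru).*$",
    "upper_hex": r"^.*(\x2f\x53\x75\x6d\x6d\x61\x72\x79\x2f).*$",
    "lower_hex": r"^.*(\x2f\x73\x75\x6d\x6d\x61\x72\x79\x2f).*$",
}


def table(**mode):
    """Return {pattern name: (matches /Summary/, matches /summary/)}."""
    return {name: (l7_match(p, request("/Summary/"), **mode),
                   l7_match(p, request("/summary/"), **mode))
            for name, p in PATTERNS.items()}


if __name__ == "__main__":
    modes = [("folded input (assumed v5.26 model)", {"fold_input": True}),
             ("case-sensitive", {}),
             ("case-insensitive", {"flags": re.IGNORECASE})]
    for label, mode in modes:
        print(label)
        for name, (upper_url, lower_url) in table(**mode).items():
            print(f"  {name:10} /Summary/={upper_url!s:5} /summary/={lower_url}")
```

In the folded-input mode any pattern containing an uppercase byte can never match, so a rule written that way silently blocks nothing, while its lowercase form blocks both URLs.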

Reflections: I looked at how providers block pages from the registry: when the case in the GET path is changed, the page is still blocked.

At TTC: [screenshots]


If a website that has such a page blocked creates a page with the same URL, only in upper case, and demands that it be unblocked because it contains nothing forbidden, then the URL from the registry will be unblocked as well.

Source: https://habr.com/ru/post/193118/
