Class Isapi

The following table lists the possible sections of the class Isapi.

| Section | Values | Notes |
| --- | --- | --- |
| Class | Isapi | |
| Id | 4000 - 7999 | |
| level | 0, 1, 2, 3, 4 | |
| time | * | |
| user_name | user or system account | |
| application | path + application name | |
| url | | This section is optional. It is matched against the url part of an incoming request; see notes 1, 2, 3, 4. |
| query | | This section is optional. It is matched against the query part of an incoming request; see notes 1, 2, 3, 4. |
| method | “GET”, “POST”, “INDEX” and all other allowed http methods | This section is optional. See note 4. |
| directives -c -d | isapi:request | |

Note 1

An incoming http request can be represented as: http://www.myserver.com/{url}?{query}. In this document, we refer to {url} as the “url” part of the http request and {query} as the “query” part of the http request. Using this naming convention, we can say that the section “url” will be matched against {url} and the section “query” will be matched against {query}.

For example, the following rule would be triggered if IIS received the http request http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean:

Rule {
    Class Isapi
    Id 4001
    level 1
    url { Include "*abc*" }
    time { Include "*" }
    application { Include "*" }
    user_name { Include "*" }
    directives -c -d isapi:request
}

This rule is triggered because {url}=/search/abc.exe, which matches the value of the section “url” (i.e. abc).

Note 2

Before matching is done, sections “url” and “query” are decoded and normalized so that requests cannot be filled with encoding or escape sequences.

Note 3

A maximum length restriction can be defined for the sections “url” and “query”. By adding “;number-of-chars” to the value of these sections, the rule can only match if the {url} or {query} has more characters than “number-of-chars”. For example, the following rule will match if the url part of the request contains “abc” and the url part of the request has over 500 characters:

Rule {
    Class Isapi
    Id 4001
    level 1
    url { Include "*abc*;500" }
    time { Include "*" }
    application { Include "*" }
    user_name { Include "*" }
    directives -c -d isapi:request
}

Note 4

A rule needs to contain at least one of the optional sections url, query, method.
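
The following Python sketch models the matching described in notes 1 to 4 so that a rule value can be tried against sample requests before deployment. It is an added example, not McAfee code. The normalization steps, the case-sensitive matching, the handling of “*” as the only wildcard, and the requirement that every section present must match are assumptions, and the helper names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

def normalize(text):
    # Assumed stand-in for Note 2 (the product's real steps are not documented here):
    # percent-decode until stable, use '/' as the only separator, collapse '//'.
    prev = None
    while prev != text:
        prev, text = text, unquote(text)
    return re.sub(r"/{2,}", "/", text.replace("\\", "/"))

def section_matches(value, text):
    # value is an Include string such as "*abc*" or "*abc*;500" (Note 3).
    pattern, _, limit = value.partition(";")
    if limit and len(text) <= int(limit):
        return False  # Note 3: text must have MORE characters than the number
    # '*' is the only wildcard handled; everything else is literal (assumption).
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, text, re.DOTALL) is not None

def rule_matches(rule, method, request):
    # rule: dict of optional sections, e.g. {"url": "*abc*;500", "method": "GET"}
    present = [s for s in ("url", "query", "method") if s in rule]
    if not present:
        raise ValueError("Note 4: rule needs at least one of url, query, method")
    parts = urlsplit(request)  # Note 1: path is {url}, query string is {query}
    actual = {"url": normalize(parts.path), "query": normalize(parts.query),
              "method": method}
    # Assumption: all sections present in a rule must match.
    return all(section_matches(rule[s], actual[s]) for s in present)

# Constructed sample requests (the first is the one used in Note 1).
PLAIN = "http://www.myserver.com/search/abc.exe?subject=wildlife&environment=ocean"
ENCODED = "http://www.myserver.com/search/%2561%62c.exe"  # "ab" percent-encoded
LONG = "http://www.myserver.com/search/abc" + "A" * 600

if __name__ == "__main__":
    for name, req in (("plain", PLAIN), ("encoded", ENCODED), ("long", LONG)):
        print(name, rule_matches({"url": "*abc*"}, "GET", req),
              rule_matches({"url": "*abc*;500"}, "GET", req))
```

The encoded request matches “*abc*” only because the text is decoded before comparison, which is the point of Note 2.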

Copyright © 2006 McAfee, Inc. All Rights Reserved.