mattrm
Post Count: 11
 |
| 07/27/2010 06:29 PM |
|
Hi All,
I'm trying to reference TCP client data, look for userid and timestamp, and log these values. I also need to log which LB Select.
I have the first part (I think), but what do I do to find those values in client data and then log those values?
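when CLIENT_ACCEPTED {
    # Start buffering client payload so that CLIENT_DATA fires
    TCP::collect
}
when CLIENT_DATA {
    # Both markers must be present in the collected payload
    if { ([TCP::payload] contains "userid=") && ([TCP::payload] contains "timestamp=") } {
        # extraction and logging of the values would go here
    }
    # Hand the collected data on to the server
    TCP::release
}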
Hamish
Post Count: 1145
 |
| 07/29/2010 03:50 AM |
|
That's probably almost right if you're doing the searching yourself, except you'll need to consider boundary conditions as well. For example, the "userid=" string may be split across the border of the TCP data payload that you've gathered. Perhaps an easier way would be to use stream processing. Set up a stream that looks for the patterns you're interested in, and trigger on the STREAM_MATCHED event. In there you can pull and log the values. (You can either define the stream in a profile and attach it, or define the stream you're looking for at run time the way the ProxyPass iRule does. In fact, for a good example of stream processing, see the ProxyPass iRule.)
H
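Added example (not part of the original posts): the boundary condition described above, modelled in plain Tcl that runs in tclsh rather than as an iRule. It assumes fields arrive as newline-terminated key=value lines; the proc name feed, the 4096-character cap and the sample segments are constructed for illustration.

```tcl
# Added example, plain Tcl (tclsh), not an iRule.
# Assumption: fields arrive as "key=value" lines terminated by "\n".

# Append one segment to the carried buffer and return the userid/timestamp
# pairs found in the lines completed so far. The unterminated tail stays in
# the buffer until the next segment arrives.
proc feed {bufVar segment} {
    upvar 1 $bufVar buf
    append buf $segment
    set found {}
    while {[set nl [string first "\n" $buf]] >= 0} {
        set line [string trimright [string range $buf 0 [expr {$nl - 1}]] "\r"]
        set buf [string range $buf [expr {$nl + 1}] end]
        if {[regexp {^(userid|timestamp)=(.*)$} $line -> key value]} {
            lappend found $key $value
        }
    }
    # Bound memory: drop a tail that grows past 4096 characters without a newline.
    if {[string length $buf] > 4096} {
        set buf ""
    }
    return $found
}

# Constructed segments: "userid=" and "timestamp=" each straddle a boundary.
set segments [list "hello\nuser" "id=alice\ntimest" "amp=1280255340\n"]
set buf ""
foreach seg $segments {
    # What a check against each segment on its own would see.
    set naive [expr {[string first "userid=" $seg] >= 0 ||
                     [string first "timestamp=" $seg] >= 0}]
    set got [feed buf $seg]
    puts "naive_match=$naive buffered_fields=[list $got]"
}
```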
mattrm
Post Count: 11
 |
| 07/29/2010 08:23 AM |
|
Interesting, never thought of using stream profile for that. What is the default logging mechanism for stream? As the entire purpose of the iRule is to log the values out of the payload (being userid and timestamp as well as lb selected), if I can do that effectively via stream, far easier for me than an iRule.
M
mattrm
Post Count: 11
 |
| 08/01/2010 04:42 PM |
|
Okay - so I've created the stream profile, with the following source values: userid= password= timestamp=
Then the iRule which triggers on stream match:
when STREAM_MATCHED {
    # Log each match found by the stream filter
    log local0. "Stream filter matched: [STREAM::match]"
}
Thoughts?
mattrm
Post Count: 11
 |
| 08/05/2010 02:54 PM |
|
I have the stream profile matching as per my iRule, however it is not returning the match value, rather it's telling me it's matched and "when STREAM_MATCHED priority 32768000 ". I was expecting the match value to be the userid value?? Any help would be greatly appreciated.
M
mattrm
Post Count: 11
 |
| 08/05/2010 03:43 PM |
|
I now have the stream match working with @ However it's base64 encoded, is there a way to decode this?
M
mattrm
Post Count: 11
 |
| 08/10/2010 02:09 PM |
|
Got this working with regex, however probably not the best way going forward. I'd like to use findstr or matchstr instead, but having some teething issues around that.
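when STREAM_MATCHED {
    # log each match found by the stream filter
    log local0. "Stream filter matched:[STREAM::match]"
    set myvar [STREAM::match]
    set 4 "blah"
    # Capture the base64 field values. Only log when the pattern actually matched,
    # otherwise sub1, sub2 and sub3 would be unset. The fourth group (Userhomefolder) is not stored.
    if { [regexp {Username=(.+)\sUserpassword=(.+)\sUseremail=(.+)\sUserhomefolder=(.+)\s} $myvar matched sub1 sub2 sub3] } {
        # Note: this writes the decoded password to the local0 log
        log local0. "Username=[b64decode $sub1] Userpassword=[b64decode $sub2] Usermail=[b64decode $sub3]"
    }
}
when LB_SELECTED {
    # Log the pool member chosen for this connection
    set serverIP [LB::server addr]
    log local0. "LB Server IP $serverIP"
}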
Colin Walker
Post Count: 2310
 |
| 08/11/2010 02:56 PM |
|
You should definitely check out the scan command as well for doing some complex matching. It's highly efficient and should be able to get done what you're looking to do. Not exactly intuitive, though. Click Here
If you run into problems don't hesitate to ask.
#Colin
With iRules you can...
mattrm
Post Count: 11
 |
| 08/22/2010 02:21 PM |
|
Thanks for that Colin, having a look at it now. I have another question for you :-). I'm trying to match a null value in stream and replace it with a value that will cause the login to fail:
@Userpassword="null"@Userpassword="000"
I'm trying to make sure that I only match and replace on null password values and not any valid password, however a blank field and a null value doesn't seem to work.
M
Colin Walker
Post Count: 2310
 |
| 08/25/2010 03:08 PM |
|
Interesting. Are you having trouble matching the null value or replacing it? If you're having trouble matching it then you'd want to do a dump or log and inspect what's actually being passed. It's like userpassword="" or something. That'll help you know what to tweak in your regex.
#Colin
mattrm
Post Count: 11
 |
| 08/25/2010 03:42 PM |
|
Hi Colin, Trying to match the null value in however this didn't match. My question is can Stream match a null value?
M
Colin Walker
Post Count: 2310
 |
| 08/25/2010 04:08 PM |
|
Have you tried the simple version?
@Userpassword=" "@Userpassword="000"
I assume so...but had to ask. That's how I'd try it first.
#Colin
mattrm
Post Count: 11
 |
| 08/31/2010 04:00 PM |
|
Hi Colin,
Yeah tried that, I've attached the tcpdump and highlighted the values I want to match and also replace when null. Any advice would be greatly appreciated.
When using the stream value, I'm matching the name in the tcpdump.
M
tcpdump.txt
mattrm
Post Count: 11
 |
| 09/01/2010 03:24 PM |
|
Currently I'm matching the value however I'm rewriting actual passwords as well as null or empty ones. Sigh :-)
M
mattrm
Post Count: 11
 |
| 12/06/2010 06:00 PM |
|
Hi, just an update to the iRule; below is the working version.
Using the following stream profile:
@Username.*Userpassword=\n@@
when STREAM_MATCHED {
    # log each match found by the stream filter
    scan [STREAM::match] "Username=%s" user
    log local0. "Username [b64decode $user] had password replaced"
    STREAM::replace "Username=$user\nUserpassword=0000=\n"
}
when LB_SELECTED {
    set serverIP [LB::server addr]
    log local0. "LB Server IP $serverIP"
}
Matt
Colin Walker
Post Count: 2310
 |
| 12/08/2010 01:16 PM |
|
Very cool, thanks for sharing!
#Colin