Forum Discussion
Vernon_97235
Mar 01, 2016
Historic F5 Account
When you simply say TCP::collect you are more-or-less instructing BIG-IP to collect one segment into the TCP::payload buffer before firing the CLIENT_DATA event. When you subsequently say TCP::payload 200, that means return the payload buffer up to 200 bytes. If the first segment contains fewer than 200 bytes, it'll return whatever the segment length is. On the other hand, if you say TCP::collect 200, the BIG-IP will attempt to collect segments until it reaches 200 bytes (though it may exceed that amount if segment boundaries don't align that way, and it may have less data if the connection terminates before 200 bytes are received).

If you are absolutely certain that the select keyword will occur within the first 200 bytes:

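    when CLIENT_ACCEPTED {
        # Buffer incoming segments until about 200 bytes are available
        TCP::collect 200
    }
    when CLIENT_DATA {
        # Inspect at most the first 200 bytes of the collected payload
        if { [TCP::payload 200] contains "select" } {
            log local0. "Found select keyword..."
            reject
        } else {
            # Tcl requires "else" on the same line as the closing brace
            log local0. "Did not find select keyword..."
        }
        # Hand the buffered data back to normal processing
        TCP::release
    }
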
The logging is there just for troubleshooting. Keep in mind, as well, that the contains operator will only match if the word is ASCII (or UTF-8, because the codepoints are in the ASCII range) encoded.

luojichen_22420
Mar 02, 2016
Nimbostratus
Thank you very much! Maybe it is ASCII. I can filter it using the Wireshark filter < tcp contains " select" >. How can I filter it in iRules?
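
A small Python model of the collection behaviour described in the first post, added here as an illustration; it is not BIG-IP or iRule code and does not come from either poster. The function names and the sample segments are constructed for the example, and the model follows only what the post states about TCP::collect, TCP::payload and contains.

```python
"""Model of the collect/payload semantics described in the post (constructed)."""


def collect(segments, want=None):
    """Return the payload buffer as it looks when CLIENT_DATA fires.

    want=None models a bare TCP::collect: fire after the first segment.
    want=N models TCP::collect N: append whole segments until at least N
    bytes are buffered, or until the connection ends (segments run out).
    """
    buf = b""
    for seg in segments:
        buf += seg
        if want is None or len(buf) >= want:
            break
    return buf


def payload(buf, n):
    """Model TCP::payload N: at most the first N bytes of the buffer."""
    return buf[:n]


def found(buf, n=200, keyword=b"select"):
    """Byte-wise substring test over the first n bytes, as in the iRule."""
    return keyword in payload(buf, n)


# Constructed sample traffic, already split into TCP segments.
SEGMENTS = [b"A" * 150, b"B" * 40 + b"select 1" + b"C" * 102]
SHORT = [b"hello"]                       # connection ends after 5 bytes
WIDE = ["select 1".encode("utf-16-le")]  # same text, two bytes per character


def demo():
    one = collect(SEGMENTS)        # bare TCP::collect: first segment only
    full = collect(SEGMENTS, 200)  # TCP::collect 200: overshoots to 300 bytes
    return {
        "one_len": len(one), "one_hit": found(one),
        "full_len": len(full), "full_hit": found(full),
        "short_len": len(collect(SHORT, 200)),
        "wide_hit": found(collect(WIDE, 200)),
    }


if __name__ == "__main__":
    print(demo())
```

The last case shows the encoding caveat from the post: the same word sent as UTF-16 has a zero byte after each character, so a byte-wise search for the ASCII string does not match it.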