mcaballe_135435
Jul 02, 2014

Is there a way to trigger an iRule twice?

I'm attempting to clone request/response data and send it off to a pool for later analysis. I couldn't use the traditional cloning method so I used a sideband server.

 

I have two iRules:

 

The first iRule (A) sends request and response traffic to a sideband server. The second iRule (B) is associated with the sideband server and modifies the data coming in prior to sending it to the pool.

 

The flow is currently: Request comes in, triggers iRule (A), goes to sideband server, triggers iRule (B), goes to pool. Response from production application comes in, triggers iRule (A); however, it never goes to the sideband and I see no indication that it triggered iRule (B).

 

How can I get the production response traffic to also be sent to the sideband server and modified by the associated iRule (B)? I've tried creating a second sideband server with the same iRule (B), but to no success.

 

11 Replies

  • Do I send the TCP traffic to the sideband the same way?

    You can, but be mindful of the format. An HTTP request is a combination of method/version/resource line, headers, and any payload.

    GET /foo HTTP/1.1
    Host: foo.example.com
    Accept: */*
    

    An HTTP response is a combination of status/version line, headers, and any payload.

    HTTP/1.1 200 OK
    Date: some date
    Server: Apache
    Content-Type: text/html
    Content-Length: 3600
    
    Payload data
    

    A TCP packet that carries HTTP traffic will be a combination of TCP headers and TCP payload. The TCP payload will be the entire HTTP message (or likely some of it).

    TCP headers    
    TCP payload:
    GET /foo HTTP/1.1\r\nHost: foo.example.com\r\nAccept: */*\r\n\r\n
    

    If you dump the TCP::payload to syslog, you won't see the \r\n CRLF characters, but they're there. If the IDS needs the data in proper HTTP request or response format, you'll need to be careful not to destroy this existing formatting if editing the content.
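The framing point in the reply above, as an added example that is not part of the original thread and is not iRule code: a Python check you could run offline against bytes captured on the sideband/IDS side to confirm that an edit left the CRLF framing and Content-Length intact. The function names, the `X-Clone` header and the sample messages are constructed for illustration.

```python
# Added example: validate and edit raw HTTP bytes without breaking CRLF framing.
# Constructed samples, modelled on the request/response shown in the reply.
REQUEST = b"GET /foo HTTP/1.1\r\nHost: foo.example.com\r\nAccept: */*\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 3600\r\n\r\nPayload data"


def split_message(raw: bytes):
    """Split a raw HTTP message into (start_line, header_lines, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        # Either the CRLFs were destroyed or this segment holds only part
        # of the header block.
        raise ValueError("no CRLFCRLF terminator: header block incomplete")
    lines = head.split(b"\r\n")
    if any(b"\r" in line or b"\n" in line for line in lines):
        raise ValueError("bare CR or LF inside header block")
    return lines[0], lines[1:], body


def set_header(raw: bytes, name: bytes, value: bytes) -> bytes:
    """Add or replace one header, re-joining with CRLF so framing survives."""
    start, headers, body = split_message(raw)
    kept = [h for h in headers
            if h.split(b":", 1)[0].strip().lower() != name.lower()]
    kept.append(name + b": " + value)
    return b"\r\n".join([start] + kept) + b"\r\n\r\n" + body


def framing_problems(raw: bytes) -> list:
    """Return a list of framing defects; an empty list means well-formed."""
    try:
        _, headers, body = split_message(raw)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for h in headers:
        key, _, val = h.partition(b":")
        if key.strip().lower() == b"content-length":
            declared = int(val.strip())
            if declared != len(body):
                # Body was truncated, edited without updating the header,
                # or continues in later TCP segments.
                problems.append("Content-Length %d != body length %d"
                                % (declared, len(body)))
    return problems


if __name__ == "__main__":
    print(framing_problems(set_header(REQUEST, b"X-Clone", b"sideband")))
    print(framing_problems(REQUEST.replace(b"\r\n", b"\n")))
    print(framing_problems(RESPONSE))
```

The constructed response fails the check on purpose: it declares 3600 bytes but carries only the 12-byte placeholder body, which is what a single TCP segment holding part of a message looks like.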