Forum Discussion

DS_Gowdy_72866
Feb 23, 2006

HTTP::payload

Hi,

I'm trying to write a rule that can route traffic to a pool based on a binary string that is within the first 10 bytes of the HTTP payload. It would also be useful to log the content of any payload that didn't contain the expected string.

My question is this: is it possible to find binary/hex strings in HTTP::payload, and if so, how? I would like to find the hex strings 81 00 and 81 FF and route accordingly, but my impression is that HTTP::payload has already been converted to ASCII (which is rendering the key bytes as weird and wonderful characters or question marks).

The real code is a bit more complicated, but essentially what I've tried to do is something like (and this is from memory as I'm not actually logged in at the moment, so there may be a few semantic errors):

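    when HTTP_RESPONSE {
        log local0. "Traffic received"
        # Ask for the first 10 bytes of the payload
        HTTP::collect 10
    }

    when HTTP_RESPONSE_DATA {
        set initialbytes [HTTP::payload]
        # These compare against the literal text "8100" / "81FF", not the raw bytes
        if { $initialbytes contains "8100" } {
            use pool left
        } elseif { $initialbytes contains "81FF" } {
            use pool right
        } else {
            # Raw payload bytes go to the log unencoded here
            log local0. "Payload miss: [HTTP::payload]"
        }
    }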

Obviously, the 'contains' statements are wrong as this is looking for ASCII strings, but I'm not clear on how to make the switch to hex (have tried via URI::decode and base64, but to no avail). Also, the Payload miss output tends to be a bit unpredictable, as the special characters end up printing things all over the place!

Anyone able to cast some light in my general direction?

Podge

1 Reply

  • Here's the TCL documentation for the binary scan format:

    http://tmml.sourceforge.net/doc/tcl/binary.html

    I am no binary scan expert, so you may have to tinker with the formatString (the H10 on the binary scan command line). Give this a try. It loaded with no errors, but it has not been tested:

    
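    when HTTP_REQUEST {
        # HTTP::payload returns only what HTTP::collect has gathered so far
        if { [HTTP::payload length] > 10 } {
            # H10 yields 10 hex digits, i.e. the first 5 bytes (H20 would cover 10 bytes).
            # The H format produces lowercase hex, so compare against lowercase strings.
            binary scan [HTTP::payload] H10 my_variable
            if { $my_variable contains "8100" } {
                use pool left
            } elseif { $my_variable contains "81ff" } {
                use pool right
            }
        }
    }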
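
Added example, not part of the thread and not F5 code: a plain Tcl script (run with tclsh, outside BIG-IP) showing how `binary scan` with `H*` turns the first 10 payload bytes into lowercase hex, how to match a 2-byte marker on byte boundaries only, and how to log a miss as hex rather than raw bytes. The proc names `first_bytes_hex` and `classify` are hypothetical, the pool names `left` and `right` are used only as return values, and the sample payloads are constructed.

```tcl
# Added example: plain Tcl, not an iRule. Proc names are hypothetical.

# Return the lowercase hex form of the first $n bytes of a binary string.
proc first_bytes_hex {payload n} {
    set hex ""
    # H* emits two lowercase hex digits per byte, high nibble first.
    binary scan [string range $payload 0 [expr {$n - 1}]] H* hex
    return $hex
}

# Route on a 2-byte marker found anywhere in the first 10 bytes.
# Stepping two hex digits at a time keeps the comparison byte-aligned;
# a plain substring search on the hex text would also match the bytes
# 08 10 00, whose hex text "081000" contains "8100" across a nibble boundary.
proc classify {payload} {
    set hex [first_bytes_hex $payload 10]
    for {set i 0} {$i + 4 <= [string length $hex]} {incr i 2} {
        switch -- [string range $hex $i [expr {$i + 3}]] {
            8100 { return left }
            81ff { return right }
        }
    }
    # Hex is safe to write to a log line; raw bytes are not.
    return "miss:$hex"
}

# Constructed sample payloads.
set samples [list \
    [binary format H* 00018100aabbccddeeff0011] \
    [binary format H* 81ff000000] \
    [binary format H* 0810003f] \
    "GET /"]

foreach p $samples {
    puts [classify $p]
}
```

The third sample is the case a substring match on the hex text would misroute; the byte-aligned loop reports it as a miss.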