gerald_wegener_
Oct 03, 2006

Question about the posted SocialSecurity Scrubber

For the iRule you have posted for finding/scrubbing social security numbers, is it necessary to calculate $ssn_len, since it seems that based on the regexp the length would always be 11?

In the excerpt below, would it be OK to eliminate the line:

    -> set ssn_len [expr {[lindex $ssn_idx 1] - $ssn_start + 1}]

and replace $ssn_len with 11 in the payload replace line:

    -> HTTP::payload replace $ssn_start 11 "xxx-xx-xxxx"

Are there cases where the $ssn_len would not be 11?

Thank You.

Excerpt from SSN scrubber:

    when HTTP_RESPONSE_DATA {
      # Find the SSN numbers
      set ssn_indices [regexp -all -inline -indices {\d{3}-\d{2}-\d{4}} [HTTP::payload]]

      # Scrub the SSN's from the response
      foreach ssn_idx $ssn_indices {
        set ssn_start [lindex $ssn_idx 0]
        set ssn_len [expr {[lindex $ssn_idx 1] - $ssn_start + 1}]
        HTTP::payload replace $ssn_start $ssn_len "xxx-xx-xxxx"
      }
    }

2 Replies

  • That code was lifted from the Credit Card Scrubber rule, which has variable lengths. I don't see any problem in hard coding the length to 11 as that is the length of the regular expression string that is being matched.

    -Joe
  • Hi,

    Regarding the posted Credit Card Scrubber iRule, is there a work-around where connections do not need to be forced to HTTP1.0 due to chunking issues? Also, in general we do not want to force connections to HTTP1.0.

    When the CC iRule is running with compression enabled we are running into problems (in our lab testing) - basically our tests fail. If I comment out the HTTP1.0 related lines in the iRule everything works OK, as follows:

        when HTTP_REQUEST {
          # Don't allow data to be chunked
          if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
              HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
          }
        }

        when HTTP_RESPONSE {
          # Only check responses that are a text content type
          # (text/html, text/xml, text/plain, etc).
          if { [HTTP::header "Content-Type"] equals "text/html" } {
            # Get the content length so we can request the data to be
            # processed in the HTTP_RESPONSE_DATA event.
            if { [HTTP::header exists "Content-Length"] } {
              set content_length [HTTP::header "Content-Length"]
            } else {
              set content_length 4294967295
            }
            if { $content_length > 0 } {
              HTTP::collect $content_length
            }
          }
        }

        when HTTP_RESPONSE_DATA {
          # Find ALL the possible credit card numbers in one pass:
          # Amex 34/37 (15 digits), Visa 4 (16), MasterCard 51-55 (16), Discover 6011 (16)
          set card_indices [regexp -all -inline -indices {(?:3[47]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})} [HTTP::payload]]

          foreach card_idx $card_indices {
            set card_start [lindex $card_idx 0]
            set card_end [lindex $card_idx 1]
            set card_len [expr {$card_end - $card_start + 1}]
            set card_number [string range [HTTP::payload] $card_start $card_end]
            set double [expr {$card_len & 1}]
            set chksum 0
            set isCard invalid

            # Calculate MOD10
            for { set i 0 } { $i < $card_len } { incr i } {
              set c [string index $card_number $i]
              if {($i & 1) == $double} {
                if {[incr c $c] >= 10} {incr c -9}
              }
              incr chksum $c
            }

            # Determine Card Type
            switch [string index $card_number 0] {
              3 { set type AmericanExpress }
              4 { set type Visa }
              5 { set type MasterCard }
              6 { set type Discover }
              default { set type Unknown }
            }

            # If valid card number, then mask out numbers with X's
            if { ($chksum % 10) == 0 } {
              set isCard valid
              HTTP::payload replace $card_start $card_len [string repeat "X" $card_len]
            }

            # Log Results (this writes the full card number to the local0 log)
            log local0. "Found $isCard $type CC $card_number"
          }

          log local0. "ccn irule is running"
        }

    ===================================

    The problem may be related to this and/or other bugs, but in general we would like to eliminate the need to force to HTTP1.0:

    SOL7207: Known Issue: When using compression in an HTTP profile, the BIG-IP LTM system may not properly close some HTTP/1.0 connections https://tech.f5.com/home/solutions/sol7207.html

    Thank You.
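Added example, not part of the thread and not F5's code: a plain Tcl (tclsh) sketch of the index-then-replace approach both scrubbers use, showing that the SSN pattern always yields an 11-character match while the card pattern yields 15 or 16, and that same-length masks keep previously collected offsets valid. The proc names `luhn_ok` and `scrub` are hypothetical, `string replace` stands in for `HTTP::payload replace`, and the payload is constructed.

```tcl
# Added example for plain tclsh, not an iRule: string replace stands in for
# HTTP::payload replace, and the payload below is constructed test data.

# MOD10 (Luhn) check over a string of digits.
proc luhn_ok {digits} {
    set len [string length $digits]
    set double [expr {$len & 1}]
    set sum 0
    for {set i 0} {$i < $len} {incr i} {
        set c [string index $digits $i]
        if {($i & 1) == $double} {
            if {[incr c $c] >= 10} {incr c -9}
        }
        incr sum $c
    }
    return [expr {$sum % 10 == 0}]
}

# Collect every match offset first, then mask in place, as the iRules do.
# The mask has exactly the length of the match, so offsets collected
# before the first replacement are still correct for the later ones.
proc scrub {payload re mask_char {validate ""}} {
    foreach idx [regexp -all -inline -indices $re $payload] {
        set start [lindex $idx 0]
        set end   [lindex $idx 1]
        set match [string range $payload $start $end]
        if {$validate ne "" && ![$validate $match]} { continue }
        regsub -all {\d} $match $mask_char masked
        puts "masking [expr {$end - $start + 1}] chars at offset $start"
        set payload [string replace $payload $start $end $masked]
    }
    return $payload
}

set ssn_re  {\d{3}-\d{2}-\d{4}}
set card_re {(?:3[47]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})}

# Constructed payload: an SSN-shaped string, a 16-digit and a 15-digit
# published test card number, and a 16-digit number that fails MOD10.
set body "ssn=123-45-6789 visa=4111111111111111 amex=378282246310005 bad=4111111111111112"

set out [scrub [scrub $body $ssn_re x] $card_re X luhn_ok]
puts $out
puts "length before=[string length $body] after=[string length $out]"
```

The helper reports the length and offset of each masked match rather than the matched value, and the before and after lengths are equal because every mask is as long as the text it replaces.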