Forum Discussion

Brian_Barnes_84
Aug 06, 2008

Using ASN library with iRules

Hello,

I am new to using iRules. I was able to write a rule and test it with a command line Tcl interpreter. However, I am not able to get it installed. I am wondering what the correct way to call the ASN library is. Here is what I have. I need to use asn::asnGetSequence etc.

Here is my iRule:

when SERVER_CONNECTED {
    # Buffer server-side data so that SERVER_DATA fires with the collected bytes in [TCP::payload]
    TCP::collect
}

when SERVER_DATA {
    # Grab the current payload collected
    # Note: the collected data may hold a partial LDAP message or several messages;
    # this rule assumes exactly one complete message per SERVER_DATA event.
    set payload [TCP::payload]
    set pdu $payload

    # For testing in command line mode. This is a sample data packet.
    # Left commented out so the rule operates on live traffic; uncomment under tclsh.
    # set pdu "\x30\x82\x03\x9f\x02\x01\x02\x64\x82\x03\x98\x04\x39\x63\x6e\x3d\x65\x63\x73\x55\x6e\x69\x78\x41\x64\x6d\x69\x6e\x73\x2c\x6f\x75\x3d\x47\x6c\x6f\x62\x61\x6c\x2c\x6f\x75\x3d\x55\x6e\x69\x78\x50\x72\x6f\x76\x2c\x6f\x75\x3d\x53\x45\x52\x56\x49\x43\x45\x53\x2c\x6f\x3d\x48\x43\x53\x43\x30\x82\x03\x59\x30\x82\x03\x55\x04\x09\x6d\x65\x6d\x62\x65\x72\x55\x69\x64\x31\x82\x03\x46\x04\x19\x63\x6e\x3d\x41\x32\x35\x38\x39\x38\x35\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x41\x32\x35\x39\x34\x30\x33\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x1a\x63\x6e\x3d\x41\x44\x4d\x32\x39\x39\x36\x35\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x46\x44\x32\x36\x31\x38\x38\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x41\x32\x36\x33\x35\x31\x31\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x41\x32\x36\x33\x37\x39\x38\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x41\x32\x36\x34\x39\x33\x32\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x49\x32\x35\x38\x36\x34\x33\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x41\x32\x35\x39\x32\x37\x38\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x49\x32\x36\x33\x38\x36\x30\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x55\x31\x33\x37\x34\x39\x38\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x41\x32\x36\x34\x31\x38\x35\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x41\x32\x36\x34\x36\x30\x34\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x41\x32\x36\x34\x39\x39\x39\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x41\x32\x36\x35\x36\x39\x35\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x49\x32\x32\x34\x35\x30\x43\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x49\x32\x36\x39\x35\x32\x32\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x49\x32\x36\x36\x32\x30\x35\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x49\x32\x36\x38\x38\x34\x36\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x41\x32\x36\x30\x37\x34\x33\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x49\x32\x36\x36\x35\x30\x36\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x49\x32\x36\x38\x37\x39\x38\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x41\x32\x36\x36\x30\x38\x33\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x49\x32\x36\x38\x38\x30\x31\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x49\x32\x34\x31\x30\x31\x43\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x49\x32\x37\x30\x34\x30\x37\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x49\x32\x37\x30\x35\x36\x39\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x49\x32\x37\x30\x36\x33\x38\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x49\x32\x36\x38\x39\x31\x37\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x49\x32\x37\x31\x33\x34\x36\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x04\x19\x63\x6e\x3d\x41\x32\x36\x33\x35\x39\x31\x2c\x6f\x75\x3d\x45\x4d\x50\x4c\x2c\x6f\x3d\x48\x43\x53\x43\x30\x0c\x02\x01\x02\x65\x07\x0a\x01\x00\x04\x00\x04\x00"
    log local0. "Orig PDU ASCII:  $pdu"

    binary scan $pdu H* hexPDU
    log local0. "Orig PDU Hex:  $hexPDU"

    # Container and attribute to rewrite. These values are taken from the sample packet
    # above; adjust them for your directory.
    set unixBase "ou=UnixProv,ou=SERVICES,o=HCSC"
    set reformAttr "memberUid"
    # Set to 1 once the attribute to rewrite has been seen
    set matchedAttr 0

    # The first byte is the tag signifying a BER message type (sequence of constructed data).
    # It is always hex 30; if that is not so, release the data untouched and stop.
    binary scan $pdu H2 berT
    log local0. "BERT: $berT"
    if { $berT ne "30" } {
        # If not a sequence, ignore. "return" ends processing of this event.
        TCP::release
        return
    }
    # Strip the type and length from the pdu; $pdu keeps any bytes that follow this message
    asn::asnGetSequence pdu searchEntry
    log local0. "Untagged searchEntry:  $searchEntry"

    # Get the messageID.
    asn::asnGetInteger searchEntry messageID
    log local0. "My messageID: $messageID"

    # Check for search response; exit iRule if not a response
    asn::asnGetApplication searchEntry appNum
    log local0. "appnum: $appNum"

    if {$appNum == 4} {
        # Get the DN of the object being returned in the search.
        asn::asnGetOctetString searchEntry matchedDN
        log local0. "My matchedDN: $matchedDN"

        # If the object is not in the UnixProv container, exit iRule
        if {[string match *$unixBase $matchedDN]} {
            asn::asnGetSequence searchEntry attributes
            log local0. "Sequence of all Attributes: $attributes"

            # Loop through attributes, look for reformAttr, store attribute sequences in a list for re-assembly.
            # List to hold our attributes.
            set resultAttrs {}
            while {[string length $attributes] != 0} {
                asn::asnGetSequence attributes attr
                log local0. "Attribute Sequence: $attr"

                # After this call $attr holds only the (still encoded) value SET
                asn::asnGetOctetString attr searchAttrName
                log local0. "My attr: $searchAttrName"

                # If we find the reformAttr, loop through values and reformat the packet;
                # else we leave the attribute alone
                if {[string match $reformAttr $searchAttrName]} {
                    asn::asnGetSet attr searchVals
                    log local0. "my vals:  $searchVals"

                    set cnVals {}
                    while { [string length $searchVals] != 0 } {
                        asn::asnGetOctetString searchVals value
                        log local0. "NextVal: $value"
                        log local0. "length: [string length $searchVals]"
                        # Keep only the RDN value, e.g. "cn=A258985,ou=EMPL,o=HCSC" becomes "A258985";
                        # a value that does not start with cn= is passed through unchanged
                        if {![regexp {^cn=([A-Za-z0-9]+)} $value -> newValue]} {
                            set newValue $value
                        }
                        lappend cnVals [asn::asnOctetString $newValue]
                    }
                    set matchedAttr 1
                    log local0. "New values:  $cnVals"
                    set attr [asn::asnOctetString $searchAttrName][asn::asnSetFromList $cnVals]
                } else {
                    # Untouched attribute: put the type back in front of its value SET
                    set attr [asn::asnOctetString $searchAttrName]$attr
                }
                # Put all the attrs in a list
                log local0. "attr: $attr"
                lappend resultAttrs [asn::asnSequence $attr]
            }
            # End loop through attributes
            if {$matchedAttr} {
                # If reformAttr was found, repackage the attributes in a sequence.
                # SearchResultEntry is a constructed APPLICATION 4 tag, hence asnApplicationConstr.
                set newSearchEntry [asn::asnInteger $messageID][asn::asnApplicationConstr $appNum [asn::asnOctetString $matchedDN][asn::asnSequenceFromList $resultAttrs]]
                log local0. "New search entry sequence:  $newSearchEntry"
            } else {
                # If the response does not contain the reformAttr, exit without modifying the results
                log local0. "reformAttr not found."
                TCP::release
                return
            }
        } else {
            # If the response is not in the UnixProv container, exit without modifying the results
            log local0. "Not in the UnixProv container"
            TCP::release
            return
        }
    } else {
        # If not a search response, exit without modifying the results
        log local0. "Not a search response."
        TCP::release
        return
    }

    # If we made it all the way through (and have new data to package), put the packet back together and send it on its way.
    if {$matchedAttr} {
        # Pack the final PDU, then re-attach whatever followed the original message in $pdu
        set pduFinal [asn::asnSequence $newSearchEntry]$pdu
        log local0. "Final PDU:  $pduFinal"

        # Replace the collected payload with the rewritten one and let it go
        TCP::payload replace 0 [TCP::payload length] $pduFinal
        TCP::release
    }
}

For the Tcl command line interpreter I used a couple of lines at the top of the script to test the code:

package require Tcl 8.4
package require asn 0.8.3
namespace import ::asn::*

Thanks,

Brian
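Added example, not code from the post above: the rule reads the length with a single signed byte and parses whatever [TCP::payload] happens to contain, but the sample PDU uses a two-byte long-form length (\x82) and collected data can hold a partial message. The procs below (ber_header, ber_pdu_status, ber_children, ber_tlv) and the sample PDU are constructed for this example; they use only core Tcl "binary" commands, so they do not depend on the asn package being loadable inside an iRule.

```tcl
# Added example, not code from the original post: BER tag/length handling with
# core Tcl "binary" only (no tcllib asn); Tcl 8.4 "c" is signed, hence & 0xff.
proc ber_header {data offset} {
    set avail [expr {[string length $data] - $offset}]
    if {$avail < 2} { return {} }
    binary scan $data @${offset}cc tag first
    set tag [expr {$tag & 0xff}]; set first [expr {$first & 0xff}]
    if {$first < 0x80} { return [list $tag $first 2] }  ;# short form: one length byte
    set n [expr {$first & 0x7f}]                         ;# long form: n more big-endian bytes
    if {$n == 0 || $n > 4 || $avail < 2 + $n} { return {} }
    binary scan $data @[expr {$offset + 2}]c${n} bytes
    set len 0
    foreach b $bytes { set len [expr {($len << 8) | ($b & 0xff)}] }
    return [list $tag $len [expr {2 + $n}]]
}
# Bytes the outer SEQUENCE occupies; -1 while incomplete (keep collecting), -2 if the tag is not 0x30.
proc ber_pdu_status {data} {
    set h [ber_header $data 0]
    if {$h eq ""} { return -1 }
    foreach {tag len hdr} $h break
    if {$tag != 0x30} { return -2 }
    return [expr {[string length $data] < $len + $hdr ? -1 : $len + $hdr}]
}
# Split a constructed element's content into {tag content tag content ...}.
proc ber_children {data} {
    set out {}
    for {set off 0} {$off < [string length $data]} {} {
        set h [ber_header $data $off]
        if {$h eq ""} { error "truncated element at offset $off" }
        foreach {tag len hdr} $h break
        set start [expr {$off + $hdr}]
        if {$start + $len > [string length $data]} { error "element overruns buffer at $off" }
        lappend out $tag [string range $data $start [expr {$start + $len - 1}]]
        set off [expr {$start + $len}]
    }
    return $out
}
# Encoder used only to build the constructed sample (short-form lengths < 128).
proc ber_tlv {tag content} {
    return [binary format cc $tag [string length $content]]$content
}
# Constructed SearchResultEntry: messageID 2, DN cn=x,o=y, memberUid with two
# values; the outer length is written in the two-byte form seen in the post.
set vals [ber_tlv 0x31 [ber_tlv 4 cn=a][ber_tlv 4 cn=b]]
set attr [ber_tlv 0x30 [ber_tlv 4 memberUid]$vals]
set body [ber_tlv 2 \x02][ber_tlv 0x64 [ber_tlv 4 cn=x,o=y][ber_tlv 0x30 $attr]]
set pdu  [binary format ccS 0x30 0x82 [string length $body]]$body
puts "partial: [ber_pdu_status [string range $pdu 0 9]]"
puts "complete: [ber_pdu_status $pdu]"
foreach {t c} [ber_children $body] { puts [format "tag 0x%02x, %d bytes" $t [string length $c]] }
```

Inside an iRule the same check would run at the top of SERVER_DATA: when ber_pdu_status returns -1, call TCP::collect again instead of parsing, and when it returns a length, only that many bytes belong to the message.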