NimbostratusDEAR ALL
I want to use irules to filter the KEYWword “select” in a oracle TNS query packet. Here is the irules, but it does not operate .After use the Irule in VirtualServer, I still can use “select” to query the SQL. Can anyone help me ? thanks
when CLIENT_ACCEPTED {
TCP::collect
}
when CLIENT_DATA {
if { [TCP::payload 200] contains "select" } { reject }
TCP::release }
MVPHi Luojichen,
you provided iRule inspects just the first TCP-Datagram of a TCP-Session. In addition to that it would just blocks "select" but not "SELECT" nor "SeLeCt". You may try the iRule below to inspect the entire TCP-Session and to negate the CASE of the SQL statements.
when CLIENT_ACCEPTED {
TCP::collect
}
when CLIENT_DATA {
if { [string tolower [TCP::payload 200]] contains "select" } then {
reject
}
TCP::release
TCP::collect
}
Note: Include some log statements as recommended by Josiah. It would help you to see whats going on on the wire.
Cheers, Kai
When you simply say
TCP::collectTCP::payloadTCP::payload 200TCP::collect 200If you are absolutely certain that the select keyword will occur within the first 200 bytes:
when CLIENT_ACCEPTED {
TCP::collect 200
}
when CLIENT_DATA {
if { [TCP::payload 200] contains "select" } {
log local0. "Found select keyword..."
reject
}
else {
log local0. "Did not find select keyword..."
}
TCP::release
}
The logging is there just for troubleshooting. Keep in mind, as well, that the
contains
Nimbostratus
EmployeeWhen you simply say
TCP::collectTCP::payloadTCP::payload 200TCP::collect 200If you are absolutely certain that the select keyword will occur within the first 200 bytes:
when CLIENT_ACCEPTED {
TCP::collect 200
}
when CLIENT_DATA {
if { [TCP::payload 200] contains "select" } {
log local0. "Found select keyword..."
reject
}
else {
log local0. "Did not find select keyword..."
}
TCP::release
}
The logging is there just for troubleshooting. Keep in mind, as well, that the
containsHi Luojichen,
If the HEX stream of wireshark contains readable SQL statements then [TCP::payload] could match the content. For further troubleshooting I would recommend to use the following code...
when CLIENT_ACCEPTED {
if { not ([IP::client_addr] contains 1.1.1.1) } then { return }
TCP::collect
}
when CLIENT_DATA {
log local0.debug "TSN Data: [TCP::payload]"
if { [string tolower [TCP::payload]] contains "select" } then {
log local0.debug "Request is a \"select\" statement."
reject
}
TCP::release
TCP::collect
}Note: Change the 1.1.1.1 to reflect the IP of your Client PC running the SQL query.
Cheers, Kai
MVPHi Luojichen,
I don't have experiences with Oracle SQL. But its very unlikely that you can interupt a TCP-Session midstream and then forward just a single TCP-Segment (containing a specific query) to a different pool/member.
I strongly believe it is required to capture the initial client authentication packet exchange and then replay those packets for every Oracle pool reselection, to initially authenticate the backend TCP connection (aka. establishing the TCP session based authentication) and to finaly be able to forward the given SQL query over the "now" trusted connection.
Note: The outlined TCP-session based authentication bahavior is as least valid for MSSQL, MYSQL and LDAP databases to increase the performance of keep-alive connections. If Oracle wouldn't do that too, then it would be required to authenticate each single SQL-Query which would in turn degrate the overall performance to a great extent.
Cheers, Kai