Forum Discussion

jonathan_239725
Nov 21, 2016

Detect regexp pattern in tcp payload

I was hoping someone could help me out on the proper syntax and approach to using either matches_regex or regexp to match a string pattern in a TCP payload. Basically I am trying to detect if within a payload there is a string comprised of 8-16 characters that can be upper or lower case letters or digits, with no spaces or returns. I have tried the following but have had no success:

when CLIENT_ACCEPTED {
    TCP::collect
}

when CLIENT_DATA {
    set payload [TCP::payload]
    # The quantifier must follow the character class directly: with a space
    # before {8,16} the pattern means "one alphanumeric followed by 8-16 spaces".
    if { [regexp {[a-zA-Z0-9]{8,16}} $payload] } {
        log local0. "Got a match!"
    }
    # Forward the collected data; without a release the connection stalls.
    TCP::release
}

My regex isn't strong so I don't know if that's where I'm messing up or if my syntax/approach to this iRule is wrong. I haven't found the matches_regex or regexp documentation to be all too helpful so hoping the dev community can help out!

3 Replies

  • For anyone interested, the payload in this case was the server's response, which required SERVER_CONNECTED and SERVER_DATA events instead. The regex logic is otherwise sound.


  • Thanks Kevin. Yes, the payload was in the response and I was trying to capture it from the client's request. Duhoh...

    This is what I have now:

    when SERVER_CONNECTED {
        TCP::collect
    }

    when SERVER_DATA {
        # No space between the class and the quantifier, otherwise {13,16}
        # applies to a literal space instead of to the characters.
        if { [regexp {[a-zA-Z0-9]{13,16}} [TCP::payload]] } {
            log local0. "Pattern detected"
        }
        TCP::release
    }

    Something interesting though, maybe you guys could shed some light on this. If I dump my tcpdump to the log, I see the HTTP header in plain text fine but none of the page content. I know there's going to be unreadable binary information in there due to photos, but I thought I would see some of the page content.
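The pattern problem behind both the original question and the follow-up, as an added example that is not part of the thread and not F5 code: in Tcl's regexp, as in Python's re, a quantifier binds to whatever immediately precedes it, so `[a-zA-Z0-9] {8,16}` means "one alphanumeric followed by 8 to 16 spaces", which never occurs in an ordinary HTTP stream. The Python harness below runs the posted pattern, the space-free pattern, and a boundary-checked pattern over a constructed HTTP response (not captured from any real server), and then shows what happens when the regex is run on each TCP segment by itself rather than on the reassembled stream: a segment boundary inside an alphanumeric run both hides the real token and manufactures fake ones. The HEADERS, BODY and helper function names are assumptions of this example.

```python
import re

# Constructed sample response (not captured from any real server): a 12-character
# alphanumeric token in the body, plus a 22-character run that is too long to be
# the token and a 10-letter header word that is not the token either.
HEADERS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Connection: close\r\n"
)
BODY = b"token=Ab3dE9xyZ12q id=0123456789abcdef012345 status=ok"
RESPONSE = HEADERS + b"Content-Length: %d\r\n\r\n" % len(BODY) + BODY

# The pattern as posted, space included. The space is a literal character and
# the quantifier binds to it, so this means "one alphanumeric followed by 8 to
# 16 spaces", which is why it never fires on a normal HTTP stream.
POSTED_PATTERN = re.compile(rb"[a-zA-Z0-9] {8,16}")
# Quantifier bound to the class: any run of 8 to 16 alphanumerics, including the
# first 16 characters of a longer run and ordinary header words like "Connection".
UNBOUNDED_PATTERN = re.compile(rb"[a-zA-Z0-9]{8,16}")
# Lookarounds reject runs that continue past 16 characters. In a Tcl iRule the
# \y word-boundary constraint is the usual way to express the same check.
BOUNDED_PATTERN = re.compile(rb"(?<![A-Za-z0-9])[A-Za-z0-9]{8,16}(?![A-Za-z0-9])")


def find_tokens(pattern, payload):
    """Return every match of `pattern` in `payload`, in stream order."""
    return [m.group(0) for m in pattern.finditer(payload)]


def split_at(payload, cut):
    """Constructed segmentation: cut the stream in two at byte offset `cut`."""
    return [payload[:cut], payload[cut:]]


def scan_per_segment(pattern, segments):
    """Run the regex on each TCP segment by itself, which is what an iRule does
    when it calls regexp on [TCP::payload] and TCP::release in the same
    SERVER_DATA event."""
    hits = []
    for segment in segments:
        hits.extend(find_tokens(pattern, segment))
    return hits


def scan_buffered(pattern, segments):
    """Run the regex once over the reassembled stream, the equivalent of letting
    TCP::collect accumulate the data before scanning it."""
    return find_tokens(pattern, b"".join(segments))


if __name__ == "__main__":
    # Cut the stream 10 bytes into the 22-character run, so that each half looks
    # like a plausible 8-16 character token when examined on its own.
    cut = RESPONSE.index(b"0123456789abcdef") + 10
    segments = split_at(RESPONSE, cut)
    print("posted    :", find_tokens(POSTED_PATTERN, RESPONSE))
    print("unbounded :", find_tokens(UNBOUNDED_PATTERN, RESPONSE))
    print("bounded   :", find_tokens(BOUNDED_PATTERN, RESPONSE))
    print("per-segment:", scan_per_segment(BOUNDED_PATTERN, segments))
    print("buffered   :", scan_buffered(BOUNDED_PATTERN, segments))
```

Inside an iRule the boundary check is written with Tcl's `\y` word-boundary constraint, for example `regexp {\y[a-zA-Z0-9]{8,16}\y} [TCP::payload]`; note that `\y` treats underscore as a word character, so a token touching an underscore is not reported. Even the bounded pattern still matches ordinary header words such as `Connection`, so a detection that fires on this pattern alone will be noisy. The buffered scan corresponds to collecting more than one segment with TCP::collect before calling regexp, and running a regexp over every segment of a large response has a cost on the data path that is worth measuring before deploying.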