DamP_320463
Jun 16, 2017 Nimbostratus
iRule dump files
Hi DevCentral Community,
I would like to know if it is possible to collect files that pass through F5 VIP (via HTTP POST) using an iRule that dumps the tcp payload.
Thanks.
D.
Hi. Yes, you can use HTTP::collect
https://devcentral.f5.com/wiki/iRules.HTTP__collect.ashx
Beware - it's processor intensive.
Here is a variation on the sample in the link above where you could send the payload off to a logging server:
    when HTTP_REQUEST {
        if { [HTTP::method] eq "POST" } {
            # Trigger collection for up to 1MB of data
            if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576 } {
                set content_length [HTTP::header "Content-Length"]
            } else {
                set content_length 1048576
            }
            # Check if $content_length is not set to 0
            if { $content_length > 0 } {
                HTTP::collect $content_length
            }
        }
    }
    when HTTP_REQUEST_DATA {
        # Send payload to logging server
        if { ![info exists hsl] } {
            set hsl [HSL::open -proto tcp -pool pl_syslog_servers]
        }
        HSL::send $hsl "[HTTP::payload]\n"
    }
Thank you for your quick answer.
I tried to test this with a little modification but I am not seeing the file payload as you can see:
    when HTTP_REQUEST_DATA {
        set payload [HTTP::payload]
        set hash [ sha256 [HTTP::payload]]
        log local0. "HASH is $hash and PAYLOAD is $payload"
    }
HASH is:
Q.ˆ¬õáì¾wñþà –œ(4u�L¹,R=ä ú
and PAYLOAD is ------WebKitFormBoundaryF4AYhFSjOTYIpqcZ Content-Disposition: form-data; name="MAX_FILE_SIZE" 1000000000 ------WebKitFormBoundaryF4AYhFSjOTYIpqcZ Content-Disposition: form-data; name="from" 1 ------WebKitFormBoundaryF4AYhFSjOTYIpqcZ Content-Disposition: form-data; name="dircor" ------WebKitFormBoundaryF4AYhFSjOTYIpqcZ Content-Disposition: form-data; name="file"; filename="New Text Document.pdf" Content-Type: application/octet-stream ------WebKitFormBoundaryF4AYhFSjOTYIpqcZ--
I would like to extract the file and check the hash. What am I missing?
Thanks!
OK we can do this :-)
The payload is there in the $payload variable, but 'log local0.' only logs about 500 bytes and then truncates.
We also need to know a few things - can you log the headers (log local0. "[HTTP::request]") so we can see what's in there? Will get back to you tomorrow....
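An added example, not code from any poster in this thread: one way to pull the uploaded file out of the collected multipart/form-data body and log its length and a hex SHA-256 instead of the raw payload, which keeps the log line short. It assumes a single file part per request and the 1 MB collect limit used earlier in the thread; the variable names and log wording are illustrative.

```tcl
# Added example: hypothetical iRule, variable names and log text are illustrative
when HTTP_REQUEST {
    # Collect POST bodies up to 1 MB, as in the rule from the first answer
    if { [HTTP::method] eq "POST" } {
        set ctype [HTTP::header "Content-Type"]
        set clen [HTTP::header "Content-Length"]
        if { $clen eq "" || $clen > 1048576 } { set clen 1048576 }
        if { $clen > 0 } { HTTP::collect $clen }
    }
}
when HTTP_REQUEST_DATA {
    set payload [HTTP::payload]
    # The part delimiter is "--" plus the boundary from the Content-Type header
    if { ![regexp -nocase {boundary="?([^";]+)} $ctype -> boundary] } {
        log local0. "POST is not multipart/form-data, nothing to extract"
        return
    }
    # Find the part whose Content-Disposition carries a filename parameter
    set part [string first "filename=\"" $payload]
    if { $part < 0 } {
        log local0. "multipart body has no file part"
        return
    }
    # Part headers end at the first blank line; the file bytes start after it
    set start [string first "\r\n\r\n" $payload $part]
    if { $start < 0 } { return }
    incr start 4
    # The file bytes end at the CRLF in front of the next delimiter
    set end [string first "\r\n--$boundary" $payload $start]
    if { $end < 0 } {
        # Delimiter missing: the upload is larger than the collected 1 MB
        log local0. "file part truncated by the collect limit, not hashing"
        return
    }
    set file [string range $payload $start [expr {$end - 1}]]
    # sha256 returns the raw 32-byte digest; hex-encode it before logging
    binary scan [sha256 $file] H* hex
    log local0. "file bytes=[string length $file] sha256=$hex"
}
```

A file part with no bytes between its headers and the next delimiter hashes to the SHA-256 of empty input, e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.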