DamP_320463
Jun 16, 2017

iRule dump files

Hi DevCentral Community,

I would like to know if it is possible to collect files that pass through an F5 VIP (via HTTP POST) using an iRule that dumps the TCP payload.

Thanks.

D.

3 Replies

  • Hi. Yes, you can use HTTP::collect

    https://devcentral.f5.com/wiki/iRules.HTTP__collect.ashx

    Beware - it's processor intensive.

    Here is a variation on the sample in the link above where you could send the payload off to a logging server:

    when HTTP_REQUEST {
      if {[HTTP::method] eq "POST"} {
        # Trigger collection for up to 1MB of data
        if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576} {
          set content_length [HTTP::header "Content-Length"]
        } else {
          set content_length 1048576
        }
        # Check if $content_length is not set to 0
        if { $content_length > 0 } {
          HTTP::collect $content_length
        }
      }
    }
    when HTTP_REQUEST_DATA {
      # Send payload to logging server (open the HSL handle once per connection)
      if { ![info exists hsl] } {
        set hsl [HSL::open -proto tcp -pool pl_syslog_servers]
      }
      HSL::send $hsl "[HTTP::payload]\n"
    }
    
    • DamP_320463

      Thank you for your quick answer.

      I tried to test this with a little modification but I am not seeing the file payload as you can see:

      when HTTP_REQUEST_DATA {
        set payload [HTTP::payload]
        set hash [ sha256 [HTTP::payload]]
        log local0. "HASH is $hash and PAYLOAD is $payload"
      
      }
      

      HASH is:

      Q.ˆ¬õáì¾wñþà –œ(4u�L¹,R=ä ú

      and PAYLOAD is ------WebKitFormBoundaryF4AYhFSjOTYIpqcZ Content-Disposition: form-data; name="MAX_FILE_SIZE" 1000000000 ------WebKitFormBoundaryF4AYhFSjOTYIpqcZ Content-Disposition: form-data; name="from" 1 ------WebKitFormBoundaryF4AYhFSjOTYIpqcZ Content-Disposition: form-data; name="dircor" ------WebKitFormBoundaryF4AYhFSjOTYIpqcZ Content-Disposition: form-data; name="file"; filename="New Text Document.pdf" Content-Type: application/octet-stream ------WebKitFormBoundaryF4AYhFSjOTYIpqcZ--

      I would like to extract the file and check the hash. What am I missing?

      Thanks!

  • OK we can do this :-)

     

    The payload is there in the $payload variable, but 'log local0.' only logs about 500 bytes and then truncates.

     

    We also need to know a few things - can you log the headers (log local0. "[HTTP::request]") so we can see what's in there? Will get back to you tomorrow....
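
Added example, not part of the original posts or F5's sample: one way to pull the uploaded file out of a collected multipart/form-data body and log its SHA-256 as hex (sha256 returns 32 raw bytes, so it has to be converted before logging). It assumes a single file part per POST and reuses the 1 MB collection limit from the first reply; the variable names are illustrative.

```tcl
when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" &&
         [string tolower [HTTP::header "Content-Type"]] starts_with "multipart/form-data" } {
        # Boundary parameter from the Content-Type header; every part in the
        # body is introduced by "--<boundary>".
        set boundary [findstr [HTTP::header "Content-Type"] "boundary=" 9 ";"]
        set boundary [string trim $boundary "\""]
        set len [HTTP::header "Content-Length"]
        # Collect only bodies with a known, bounded length (assumed 1 MB cap).
        if { $boundary ne "" && [string is integer -strict $len] &&
             $len > 0 && $len <= 1048576 } {
            HTTP::collect $len
        }
    }
}
when HTTP_REQUEST_DATA {
    set body [HTTP::payload]
    # Find the first part whose headers carry a filename= parameter.
    set fn [string first "filename=\"" $body]
    if { $fn >= 0 } {
        # Part headers end at the first blank line (CRLF CRLF).
        set start [string first "\r\n\r\n" $body $fn]
        # Part content ends at the CRLF that precedes the next delimiter.
        set end [string first "\r\n--$boundary" $body $start]
        if { $start >= 0 && $end >= $start + 4 } {
            set file [string range $body [expr {$start + 4}] [expr {$end - 1}]]
            # Convert the raw digest to a hex string before logging it.
            binary scan [sha256 $file] H* hash
            log local0. "upload of [string length $file] bytes, sha256=$hash"
        }
    }
}
```

Logging only the length and digest keeps the log line short; the file bytes themselves can go to the HSL pool from the first reply if they need to be retained.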