Detect regexp pattern in tcp payload
I was hoping someone could help me out on the proper syntax and approach to using either matches_regex or regexp to match a string pattern in a TCP payload. Basically I am trying to detect if within a payload there is a string comprised of 8-16 characters that can be either upper case, lower case or numeric, no spaces or returns. I have tried the following but have had no success:
when CLIENT_ACCEPTED {
    # Start buffering data sent by the client
    TCP::collect
}
when CLIENT_DATA {
    set payload [TCP::payload]
    # Look for a run of 8-16 alphanumeric characters
    if { [regexp {[a-zA-Z0-9]{8,16}} $payload] } {
        log local0. "Got a match!"
    }
}
My regex isn't strong so I don't know if that's where I'm messing up or if my syntax/approach to this iRule is wrong. I haven't found the matches_regex or regexp documentation to be all too helpful so hoping the dev community can help out!
Hi, try this: if {$payload matches_regex {[\w]{8,16}}}
regards
Leonardo
- Kevin_Stewart (Employee)
For anyone interested, the payload in this case was the server's response, which required SERVER_CONNECTED and SERVER_DATA events instead. The regex logic is otherwise sound.
- jspiglerj2rsolves (Nimbostratus)
Thanks Kevin. Yes, the payload was in the response and I was trying to capture it from the client's request. Duhoh...
This is what I have now:
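when SERVER_CONNECTED {
    # Start buffering data sent by the server
    TCP::collect
}
when SERVER_DATA {
    # Look for a run of 13-16 alphanumeric characters in the response
    if { [regexp {[a-zA-Z0-9]{13,16}} [TCP::payload]] } {
        log local0. "Pattern detected"
    }
    TCP::release
}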
Something interesting though, maybe you guys could shed some light on this. If I dump my tcpdump to log, I see the HTTP header in plain text fine but none of the page content. I know there's going to be unreadable binary information in there due to photos, but I thought I would see some of the page content.
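Added example, not part of the original thread: a plain tclsh script comparing the two character classes posted above with a bounded variant that only reports runs of exactly 8-16 alphanumerics. The `bounded` pattern, the `find_tokens` proc and all sample payloads are constructed for illustration, and it assumes the iRule `regexp` command behaves like standard Tcl `regexp`.

```tcl
# Added example, not code from the thread. All payload strings are constructed.

# Pattern from the thread: unanchored, so it also matches inside longer runs.
set unanchored {[a-zA-Z0-9]{8,16}}
# Variant suggested in the thread: \w additionally accepts "_".
set wordclass  {[\w]{8,16}}
# Bounded (hypothetical): the run must not touch another alphanumeric.
# Tcl AREs support lookahead (?!...) but not lookbehind, so the left edge
# is matched explicitly and the token itself is captured in group 1.
set bounded {(?:^|[^a-zA-Z0-9])([a-zA-Z0-9]{8,16})(?![a-zA-Z0-9])}

# Return every token of exactly 8-16 alphanumerics found in $payload.
proc find_tokens {payload} {
    global bounded
    set tokens {}
    # -all -inline yields {whole-match group1} pairs, one pair per match.
    foreach {whole token} [regexp -all -inline -- $bounded $payload] {
        lappend tokens $token
    }
    return $tokens
}

set samples {
    "id=Ab3dE6gH9 ok"
    "session=0123456789abcdef0123456789abcdef"
    "name=some_long_name"
    "short=abc123"
    "a=AAAAbbbb1111 b=CCCCdddd2222"
}

foreach payload $samples {
    puts "payload:    $payload"
    puts "unanchored: [regexp -- $unanchored $payload]"
    puts "\\w class:   [regexp -- $wordclass $payload]"
    puts "bounded:    [find_tokens $payload]"
    puts ""
}
```

The 32-character session value matches the unanchored pattern but yields no bounded token, and `some_long_name` matches only the `\w` class.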