jonathan_239725
Nov 21, 2016 Nimbostratus
Detect regexp pattern in tcp payload
I was hoping someone could help me out on the proper syntax and approach to using either matches_regex or regexp to match a string pattern in a tcp payload. Basically I am trying to detect if within...
jspiglerj2rsolves
Nov 22, 2016 Nimbostratus
Thanks Kevin. Yes, the payload was in the response and I was trying to capture it from the client's request. Duhoh...
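This is what I have now:
when SERVER_CONNECTED {
    # Start collecting the server-side response payload
    TCP::collect
}
when SERVER_DATA {
    # Look for a run of 13 to 16 alphanumeric characters in the collected payload
    if { [regexp {[a-zA-Z0-9]{13,16}} [TCP::payload]] } {
        log local0. "Pattern detected"
    }
    # Pass the collected data on
    TCP::release
}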
Something interesting though, maybe you guys could shed some light on this. If I dump my tcpdump to log, I see the HTTP header in plain text fine but none of the page content. I know there's going to be unreadable binary information in there due to photos, but I thought I would see some of the page content.
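An added example in plain Tcl for tclsh (not an iRule and not code from this thread) covering two cases the pattern above does not handle: a 13 to 16 character token that is only part of a longer alphanumeric run, and a token split across two collected segments. The names `TOKEN_RE` and `scan_chunk` and the sample chunks are constructed for illustration.

```tcl
# Bounded form of the thread's pattern: 13-16 alphanumerics that are not
# part of a longer alphanumeric run (Tcl AREs have lookahead but no lookbehind,
# so the left boundary is matched explicitly).
set TOKEN_RE {(?:^|[^a-zA-Z0-9])([a-zA-Z0-9]{13,16})(?![a-zA-Z0-9])}

# Hypothetical helper: scan one chunk together with the tail kept from the
# previous chunk. Returns a two-element list: {tokens new_tail}.
# Pass final=1 for the last call so the held-back tail is scanned too.
proc scan_chunk {tail chunk {final 0}} {
    global TOKEN_RE
    set buf "$tail$chunk"
    set run ""
    if {!$final} {
        # Hold back the trailing alphanumeric run: it may continue in the
        # next chunk, so a match touching the end is not yet definitive.
        regexp {[a-zA-Z0-9]*$} $buf run
        set last [expr {[string length $buf] - [string length $run] - 1}]
        set buf [string range $buf 0 $last]
    }
    set hits {}
    foreach {whole token} [regexp -all -inline $TOKEN_RE $buf] {
        lappend hits $token
    }
    # 17 characters are enough to remember that a run is already too long.
    return [list $hits [string range $run end-16 end]]
}

# Constructed sample: a 14-character token straddles the two chunks, and the
# ETag value is a 32-character run that must not be reported.
set chunks [list \
    "HTTP/1.1 200 OK\r\nX-Id: AB12CD3" \
    "4EF56GH\r\nETag: ABCDEFGHIJKLMNOPQRSTUVWXYZ012345\r\n"]

set tail ""
set found {}
foreach chunk $chunks {
    foreach {hits tail} [scan_chunk $tail $chunk] break
    set found [concat $found $hits]
}
foreach {hits tail} [scan_chunk $tail "" 1] break
set found [concat $found $hits]
puts "tokens: $found"
```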