Forum Discussion
Bhargav_9588
Nimbostratus
Feb 15, 2010
getfield Parsing error
Hello,
I am trying to add an iRule to insert an http header value by stripping out domain from REMOTE_USER header. The following is the iRule I am trying to use:
when HTT...
Joel_Moses
Nimbostratus
Feb 17, 2010
You could try this.
when RULE_INIT {
    # NTLM negotiate flag bits, keyed by name
    array set NTLMFlags {
        unicode     0x00000001
        oem         0x00000002
        req_target  0x00000004
        unknown1    0x00000008
        sign        0x00000010
        seal        0x00000020
        datagram    0x00000040
        lmkey       0x00000080
        netware     0x00000100
        ntlm        0x00000200
        unknown2    0x00000400
        unknown3    0x00000800
        ntlm_domain 0x00001000
        ntlm_server 0x00002000
        ntlm_share  0x00004000
        NTLM2       0x00008000
        targetinfo  0x00800000
        128bit      0x20000000
        keyexch     0x40000000
        56bit       0x80000000
    }
}
when HTTP_REQUEST {
    if { [HTTP::header Authorization] starts_with "NTLM " } {
        # Decode the base64 blob that follows the "NTLM " scheme name
        set ntlm_msg [ b64decode [split [lindex [HTTP::header Authorization] 1] ] ]
        # "NTLMSSP", a NUL byte, then the 32-bit little-endian message type
        binary scan $ntlm_msg a7ci protocol zero type
        switch -exact -- $type {
            3 {
                # Six security buffers (length, max length, offset) start at byte 12, then the flags
                binary scan $ntlm_msg @12ssissississississii \
                    lmlen lmlen2 lmoff \
                    ntlen ntlen2 ntoff \
                    dlen dlen2 doff \
                    ulen ulen2 uoff \
                    hlen hlen2 hoff \
                    slen slen2 soff \
                    flags
                set ntlm_domain {}; binary scan $ntlm_msg @${doff}a${dlen} ntlm_domain
                set ntlm_user {}; binary scan $ntlm_msg @${uoff}a${ulen} ntlm_user
                set ntlm_host {}; binary scan $ntlm_msg @${hoff}a${hlen} ntlm_host
                set unicode [expr {$flags & 0x00000001}]
                if {$unicode} {
                    # Strings are UTF-16LE: keep bytes above 1 and drop the NUL high bytes.
                    # With these conditions the final else branch is never reached.
                    set ntlm_domain_convert ""
                    foreach i [ split $ntlm_domain ""] {
                        scan $i %c c
                        if {$c>1} {
                            append ntlm_domain_convert $i
                        } elseif {$c<128} {
                            set ntlm_domain_convert $ntlm_domain_convert
                        } else {
                            append ntlm_domain_convert \\u[format %04.4X $c]
                        }
                    }
                    set ntlm_domain $ntlm_domain_convert
                    set ntlm_user_convert ""
                    foreach i [ split $ntlm_user ""] {
                        scan $i %c c
                        if {$c>1} {
                            append ntlm_user_convert $i
                        } elseif {$c<128} {
                            set ntlm_user_convert $ntlm_user_convert
                        } else {
                            append ntlm_user_convert \\u[format %04.4X $c]
                        }
                    }
                    set ntlm_user $ntlm_user_convert
                    set ntlm_host_convert ""
                    foreach i [ split $ntlm_host ""] {
                        scan $i %c c
                        if {$c>1} {
                            append ntlm_host_convert $i
                        } elseif {$c<128} {
                            set ntlm_host_convert $ntlm_host_convert
                        } else {
                            append ntlm_host_convert \\u[format %04.4X $c]
                        }
                    }
                    set ntlm_host $ntlm_host_convert
                }
                # Raw NT and LM responses, also rendered as hex strings
                binary scan $ntlm_msg @${ntoff}a${ntlen} ntdata
                binary scan $ntlm_msg @${lmoff}a${lmlen} lmdata
                binary scan $ntdata H* ntdata_h
                binary scan $lmdata H* lmdata_h
                # Pass the extracted user name, without the domain, to the backend
                HTTP::header replace SAPUserID $ntlm_user
            }
            default {
                log local0. "NTLM type code was not parsed."
            }
        }
    }
}
This should do what you want (although a little expensively, what with the Unicode handling loops and the decoding of the whole NTLM package -- PD, are you listening? 😆 ).
This code will not parse message types 1 and 2, but you really should only see a type 1 and 3 message from the client side -- and type doesn't contain much usable session data.
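For checking the iRule's result offline against a captured header, here is an added example (not part of the original posts and not F5 code): a Python parser for the same type 3 layout that decodes the strings as UTF-16LE and rejects security buffers pointing outside the message. The function names, the latin-1 fallback for OEM strings and the message built by build_sample are assumptions made for this example.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # the "unicode" bit in the iRule's NTLMFlags table
HEADER_LEN = 64  # signature(8) + type(4) + six security buffers(48) + flags(4)


def parse_ntlm_type3(header_value):
    """Return domain, user, host and flags from an 'NTLM <base64>' header value."""
    scheme, _, blob = header_value.partition(" ")
    if scheme != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(blob.strip(), validate=True)
    if len(msg) < 12 or msg[:8] != NTLMSSP_SIG:
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3 or len(msg) < HEADER_LEN:
        raise ValueError("not a complete type 3 message")
    # Same layout the iRule scans at @12: (len, maxlen, offset) x 6, then flags.
    fields = struct.unpack_from("<" + "HHI" * 6 + "I", msg, 12)
    flags = fields[18]
    # Assumption: non-Unicode (OEM) strings are decoded as latin-1 here.
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"

    def text(index):
        length, _maxlen, offset = fields[index * 3:index * 3 + 3]
        if offset < HEADER_LEN or offset + length > len(msg):
            raise ValueError("security buffer points outside the message")
        return msg[offset:offset + length].decode(codec)

    return {"domain": text(2), "user": text(3), "host": text(4), "flags": flags}


def build_sample(domain, user, host):
    """Constructed type 3 message (empty LM/NT responses) for offline testing."""
    parts = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
             host.encode("utf-16-le"), b""]
    header, payload, offset = b"", b"", HEADER_LEN
    for part in parts:
        header += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    msg = (NTLMSSP_SIG + struct.pack("<I", 3) + header
           + struct.pack("<I", NEGOTIATE_UNICODE) + payload)
    return "NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    print(parse_ntlm_type3(build_sample("CORP", "jdoe", "WS01")))
```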
