Forum Discussion
How can I do binary match filter for UDP payload ?
Hi all,
========= V4.5 iRule
rule content_udp {
if (udp_content contains <0x03,0x77,0x77,0x77,0x04,0x64,0x65,0x6c,0x6c,0x03,0x63,0x6f,0x6d>) {
log "Found www.dell.com"
use pool dnstest
}
else if (udp_content contains <0x03,0x77,0x77,0x77,0x02,0x66,0x35,0x03,0x63,0x6f,0x6d>) {
log "Found f5"
use pool dnstest
}
else {
log "Not correct Domain"
discard
In the above V4.5 iRule.
How can I translate “udp_content contains <0x03,0x77,0x77,0x77,0x04,0x64,0x65,0x6c,0x6c,0x03,0x63,0x6f,0x6d> "
into V9 ?
1 Reply
- In Tcl, you can use backslash escape sequences to encode binary characters.
So, for the following v4.x rule:
if (udp_content contains <0x03,0x77,0x77,0x77,0x04,0x64,0x65,0x6c,0x6c,0x03,0x63,0x6f,0x6d>)
the v9 equivalent is:
if {[UDP::payload] contains "\003www\004dell\003com" }
Tcl/iRules supports several forms of backslash encoding:
The first is a backslash '\' followed by the octal value for the character.
The second is '\x' followed by the hexadecimal value. However, there is a known issue that will be fixed in 9.0.3 where Tcl consumes all hexadecimal characters following the \x but only uses the last 2. Because of this I do not recommend using the hexadecimal form until 9.0.3.
The third is the unicode form '\u' which encodes two bytes using hexadecimal. For example \u036d would be equivalent to either \x03\x6d or \003\155. I don't really recommend this method either, as it's really suited to creating two-byte unicode characters (that is unless that's what you are trying to accomplish).
The last is the common backslash escape characters. For example, '\r' for a carriage return (hex 0x0d) or '\n' for line feed (hex 0x0a).
Please go to the Tcl reference page for a complete list of available backslash escape sequences: http://tmml.sourceforge.net/doc/tcl/Tcl.html
