Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

JGranieri_10614's avatar
JGranieri_10614
Icon for Nimbostratus rankNimbostratus
Aug 20, 2014

How to remove content from TCP Payload

Hello,

I have a scenario where I need to 1 extract a token between a start and end characters and then 2 remove this data from tcp payload so this never makes it to the server.

I have 1 taken care of and the irule will look like this, but from what I researched on devcentral it would appears I need to use a TCP::replace command and use a content of 0 to actually remove this same string from tcp payload?? 

when CLIENTSSL_DATA {
   set payload [SSL::payload]
 set token [findstr $payload "PW=" 3 "PW_END"]

would using TCP::payload replace 0 0 $token work?

application delivery
devops
irules
LTM

2 Replies

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Aug 20, 2014

    shouldn't it be SSL::payload?

    SSL::payload

    https://devcentral.f5.com/wiki/iRules.SSL__payload.ashx

    ps. please ignore http header (content-length).

    e.g.

     config

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENTSSL_HANDSHAKE {
  SSL::collect
}
when CLIENTSSL_DATA {
  set token [findstr [SSL::payload] "PW=" 3 "PW_END"]
  set newstring [string map [list "PW=${token}PW_END" ""] [SSL::payload]]
  SSL::payload replace 0 [SSL::payload length] ""
  SSL::payload replace 0 0 $newstring
  SSL::release
  SSL::collect
}
}

 trace

1 10 1408601582.3489 (0.0016)  C>SV3.1(272)  application_data
    ---------------------------------------------------------------
    POST / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 172.28.24.10
    Accept: */*
    Content-Length: 24
    Content-Type: application/x-www-form-urlencoded

    12345PW=bigipPW_END67890---------------------------------------------------------------
New TCP connection 2: 200.200.200.14(28672) <-> 200.200.200.101(80)
1408601582.3855 (0.0183)  C>S
---------------------------------------------------------------
POST / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.24.10
Accept: */*
Content-Length: 24
Content-Type: application/x-www-form-urlencoded

1234567890---------------------------------------------------------------
  • jgranieri's avatar
    jgranieri
    Icon for Nimbostratus rankNimbostratus
    Aug 21, 2014

    Yes your absolutely right it should be SSL::payload. I will try that format and see how it goes. Thanks for the response, very helpful