Forum Discussion
NimbostratusiRule dump files
Hi DevCentral Community,
I would like to know if it is possible to collect files that pass through F5 VIP (via HTTP POST) using an iRule that dumps the tcp payload.
Thanks.
D.
IheartF5_45022Nacreous
Hi Yes you can use HTTP::collect
https://devcentral.f5.com/wiki/iRules.HTTP__collect.ashx
Beware - it's processor intensive.
Here is a variation on the sample in the link above where you could send the payload off to a logging server;-
when HTTP_REQUEST { if {[HTTP::method] eq "POST"}{ Trigger collection for up to 1MB of data if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{ set content_length [HTTP::header "Content-Length"] } else { set content_length 1048576 } Check if $content_length is not set to 0 if { $content_length > 0} { HTTP::collect $content_length } } } when HTTP_REQUEST_DATA { Send payload to logging server if ![info exists hsl] { set hsl [HSL::open -proto tcp -pool pl_syslog_servers] } HSL::send $hsl "[HTTP::payload]\n" } }
DamP_320463Thank your for your quick answer.
I tried to test this with a little modification but I am not seeing the file payload as you can see:
when HTTP_REQUEST_DATA { set payload [HTTP::payload] set hash [ sha256 [HTTP::payload]] log local0. "HASH is $hash and PAYLOAD is $payload" }HASH is:
Q.ˆ¬õáì¾wñþà –œ(4u�L¹,R=ä ú
and PAYLOAD is ------WebKitFormBoundaryF4AYhFSjOTYIpqcZ Content-Disposition: form-data; name="MAX_FILE_SIZE" 1000000000 ------WebKitFormBoundaryF4AYhFSjOTYIpqcZ Content-Disposition: form-data; name="from" 1 ------WebKitFormBoundaryF4AYhFSjOTYIpqcZ Content-Disposition: form-data; name="dircor" ------WebKitFormBoundaryF4AYhFSjOTYIpqcZ Content-Disposition: form-data; name="file"; filename="New Text Document.pdf" Content-Type: application/octet-stream ------WebKitFormBoundaryF4AYhFSjOTYIpqcZ--
I would like to extract the file and check the hash, What I am missing?
Thanks!
- IheartF5_45022
OK we can do this :-)
The payload is there in the $payload variable, but 'log local0.' only logs about 500 bytes and then truncates.
We also need to know a few things - can you log the headers (log local0. "[HTTP::request]") so wecan see what's in there? Will get back to you tomorrow....