Forum Discussion

  • hoolio
    Hi Tal,

    Having ASM shouldn't actually change how you do this. You can look in the response for cookies starting with TS. Here is an example:

    
    when HTTP_RESPONSE {
       # Only look for TS cookies if it's a response to the specific client
       if {[IP::addr [IP::client_addr] equals 1.2.3.4]}{
          # Loop through cookie names
          foreach aCookie [HTTP::cookie names] {
             # Log cookie names and values that start with TS
             if { $aCookie starts_with "TS"}{
                log local0. "client: [IP::client_addr] has cookie $aCookie=[HTTP::cookie value $aCookie]"
             }
          }
       }
    }

    Aaron
  • Hello Aaron,

    Thanks for the i-Rule.

    How can I add the URI to the log?

    (I need to check that the client receives all the TS cookies I expect he should receive according to our ASM policy).

    If I add an HTTPRequest event will it log the URI that matches the Response URI?

    when HTTP_REQUEST {
       if {[IP::addr [IP::client_addr] equals 195.250.33.253]}{
          set uri [HTTP::uri]
          log local0. "$uri "
       }
    }

    when HTTP_RESPONSE {
       # Only look for TS cookies if it's a response to the specific client
       if {[IP::addr [IP::client_addr] equals 195.250.33.253]}{
          # Loop through cookie names
          foreach aCookie [HTTP::cookie names] {
             # Log cookie names and values that start with TS
             if { $aCookie starts_with "TS"}{
                log local0. "client: [IP::client_addr] has cookie $aCookie=[HTTP::cookie value $aCookie]"
             }
          }
       }
    }
  • hoolio
    That's correct. Here's a version that logs just one entry with the URI and cookie:

    
    when HTTP_REQUEST {
       if {[IP::addr [IP::client_addr] equals 195.250.33.253]}{
          set uri [HTTP::uri]
       }
    }
    when HTTP_RESPONSE {
       # Only look for TS cookies if it's a response to the specific client
       if {[info exists uri]}{
          # Loop through cookie names
          foreach aCookie [HTTP::cookie names] {
             # Log cookie names and values that start with TS
             if { $aCookie starts_with "TS"}{
                log local0. "client: [IP::client_addr] received cookie $aCookie=[HTTP::cookie value $aCookie] in response to request for $uri"
             }
          }
       }
    }

    Aaron
  • Hello Aaron,

    Thanks, I updated the i-Rule as you suggested but it's logging every IP (not only the IP in the condition).

    So I added another IF to the Response (and now it's logging only the requested IP).

    Do you have any idea why it didn't work?

    when HTTP_REQUEST {
       if {[IP::addr [IP::client_addr] equals 192.118.92.3]}{
          set uri [HTTP::uri]
       }
    }

    when HTTP_RESPONSE {
       if {[IP::addr [IP::client_addr] equals 192.118.92.3]}{
          # Only look for TS cookies if it's a response to the specific client
          if {[info exists uri]}{
             # Loop through cookie names
             foreach aCookie [HTTP::cookie names] {
                # Log cookie names and values that start with TS
                if { $aCookie starts_with "TS"}{
                   log local0. "client: [IP::client_addr] received cookie $aCookie=[HTTP::cookie value $aCookie] in response to request for $uri"
                }
             }
          }
       }
    }
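
Added example, not part of the thread: a Python check over the lines logged by the HTTP_RESPONSE rule above, reporting which expected TS cookies a client did not receive for each URI. The syslog prefix, cookie names and values, and the expected-cookie map are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the message written by the HTTP_RESPONSE rule in the thread. search()
# is used, so whatever syslog prefix precedes "client:" is ignored.
LINE_RE = re.compile(
    r"client: (?P<client>\S+) received cookie (?P<name>TS[^=\s]*)="
    r"(?P<value>.*) in response to request for (?P<uri>\S+)\s*$"
)

def collect(lines):
    """Return {(client, uri): set of TS cookie names} from iRule log lines."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            seen[(m["client"], m["uri"])].add(m["name"])
    return seen

def missing_cookies(lines, client, expected):
    """Compare logged TS cookies with expected {uri: set of names} for one client.

    Returns {uri: sorted missing names}. The rule logs one line per TS cookie,
    so a response carrying no TS cookie leaves no log line at all; such a URI
    is reported with every expected cookie missing.
    """
    seen = collect(lines)
    report = {}
    for uri, names in expected.items():
        gap = set(names) - seen.get((client, uri), set())
        if gap:
            report[uri] = sorted(gap)
    return report

# Constructed sample log lines (prefix, cookie names and values are made up).
SAMPLE_LOG = [
    "tmm[1234]: Rule ts_log <HTTP_RESPONSE>: client: 192.118.92.3 received cookie TS01aaaa=0f3c in response to request for /login",
    "tmm[1234]: Rule ts_log <HTTP_RESPONSE>: client: 192.118.92.3 received cookie TS01bbbb=9e=1 in response to request for /login",
    "tmm[1234]: Rule ts_log <HTTP_RESPONSE>: client: 192.118.92.3 received cookie TS01aaaa=0f3c in response to request for /account?id=7",
    "tmm[1234]: Rule ts_log <HTTP_RESPONSE>: client: 10.0.0.5 received cookie TS01bbbb=77aa in response to request for /account?id=7",
    "tmm[1234]: unrelated message",
]
# Hypothetical expectation taken from the ASM policy: TS cookies per URI.
EXPECTED = {
    "/login": {"TS01aaaa", "TS01bbbb"},
    "/account?id=7": {"TS01aaaa", "TS01bbbb"},
    "/logout": {"TS01aaaa"},
}

if __name__ == "__main__":
    for uri, names in missing_cookies(SAMPLE_LOG, "192.118.92.3", EXPECTED).items():
        print(f"{uri}: missing {', '.join(names)}")
```

A URI listed with all of its cookies missing may simply never have been requested; the log alone cannot distinguish that from a response that carried no TS cookie.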