Looking for options - iRule, Traffic Policy, or Other to Protect PAN Data on Database VS

Thanks for the pointer on re invoking the TCP::collect after the release as that worked! I'm struggling with the binary scan so I'm working on a crawl, walk, run approach. For now, crawl would be what can I see and logging it, walk would be can I block user(s) starts with a particular pattern - let's call it DEVDBTEST*, allow only test CCN ranges (documented) otherwise drop and log. Run would be masking data and sending some type of alert if any of the previous were detected. The challenges I see it are, the username doesn't appear in every packet collected making it difficult to take action like drop difficult, I'm getting hits on tests in my Test CCN datagroup (key with no value i.e. a list), and I'm uncertain despite my best efforts how to log matches found in my datagroup to know I'm headed in the right direction. I really appreciate you for taking the time to provide guidance and insight!

Updated iRule:

when SERVER_CONNECTED { 

 TCP::collect

}

when SERVER_DATA {

 set sd_datalen [TCP::offset]

   log local0.info "Server Data Length is: $sd_datalen"

 set sd_payload [string tolower [TCP::payload]]

   #log local0.info "Server Data Payload Collected is: $sd_payload"

   # Check if Card is part of authorized list

  if { $sd_payload contains "DEVDBTEST" or [class match $sd_payload contains ccn_auth]} { log local0.info "Authorized Data Found" }

  else { log local0.info "No Authorized Data Found :("}

 TCP::release

 TCP::collect

}

Datagroup

ltm data-group internal ccn_auth {

   records {

       1111-11 { }

       111111 { }

       211-11 { }

       21111 { }

       311-11 { }

       31111 { }

  }

   type string

}

/jeff