Forum Discussion
Looking for options - iRule, Traffic Policy, or Other to Protect PAN Data on Database VS
that's because you never re-collect in the SERVER_DATA event. SERVER_CONNECTED only fires once, SERVER_DATA will fire again when data is received from the server if raised by a collect in that event. It comes after your release. For some guidance (large iRules but focus in on the release/collect mechanics), consider https://devcentral.f5.com/s/articles/starttls-server-smtp-with-cleartext-and-starttls-client-support-1209 or https://devcentral.f5.com/s/articles/ldap-stats-measuring
Thanks for the pointer on re invoking the TCP::collect after the release as that worked! I'm struggling with the binary scan so I'm working on a crawl, walk, run approach. For now, crawl would be what can I see and logging it, walk would be can I block user(s) starts with a particular pattern - let's call it DEVDBTEST*, allow only test CCN ranges (documented) otherwise drop and log. Run would be masking data and sending some type of alert if any of the previous were detected. The challenges I see it are, the username doesn't appear in every packet collected making it difficult to take action like drop difficult, I'm getting hits on tests in my Test CCN datagroup (key with no value i.e. a list), and I'm uncertain despite my best efforts how to log matches found in my datagroup to know I'm headed in the right direction. I really appreciate you for taking the time to provide guidance and insight!
Updated iRule:
when SERVER_CONNECTED {
TCP::collect
}
when SERVER_DATA {
set sd_datalen [TCP::offset]
log local0.info "Server Data Length is: $sd_datalen"
set sd_payload [string tolower [TCP::payload]]
#log local0.info "Server Data Payload Collected is: $sd_payload"
# Check if Card is part of authorized list
if { $sd_payload contains "DEVDBTEST" or [class match $sd_payload contains ccn_auth]} { log local0.info "Authorized Data Found" }
else { log local0.info "No Authorized Data Found :("}
TCP::release
TCP::collect
}
Datagroup
ltm data-group internal ccn_auth {
records {
1111-11 { }
111111 { }
211-11 { }
21111 { }
311-11 { }
31111 { }
}
type string
}
/jeff
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com