Manipulates SSL payload for 2 Packets inside same session
Hi,
I have a problem with the creation of an iRule.
I have a TCP session and I need to manipulate the first two packets of the session. The packets do NOT contain a Layer 7 (HTTP, DNS, etc.) payload but only a simple binary payload (a sequence of ASCII codes).
My problem is that after the first packet, which can be manipulated with the events CLIENT_ACCEPTED and CLIENT_DATA (and the method TCP::collect), I can't find an event that allows me to modify the next TCP payload packet.
If it can help, I have set the HTTP profile. So the only Layer 7 events that can be used are the HTTP ones.
Is there an event that satisfies my request?
Thanks in advance for any response.
Kind Regards,
Fabio.
16 Replies
- hoolio
Cirrostratus
Hi Fabio,
I'll need to test this to see if I can figure something out. I'm not sure how quickly I can set something up though. I'll let you know as soon as I can though.
Aaron - Fabio_Sozzi_308
Nimbostratus
Thanks. I hope that you respond quickly.
Thank you.
Regards.
Fabio - Fabio_Sozzi_308
Nimbostratus
Any News???
Regards.
Fabio - spark_86682
Historic F5 Account
Sorry for taking so long to get back to this, but I've only just now been able to set this up to make sure that this works as I expected.
I think your problem can be solved simply by doing an SSL::release followed immediately by a second SSL::collect to capture the second data packet. Like so:
```tcl
when CLIENTSSL_HANDSHAKE {
    log local0. "Collecting..."
    SSL::collect
    set flag 0
}
when CLIENTSSL_DATA {
    log local0. "Got [SSL::payload length] bytes plaintext"
    # Release first set of data to connect to server
    SSL::release
    if { $flag == 0 } {
        # Collect second set of data
        SSL::collect
        set flag 1
    }
}
when SERVER_CONNECTED {
    log local0. "Connected to server"
}
```
This works for me: I send one group of plaintext, the server gets connected to, and I can see the second group of plaintext in CLIENTSSL_DATA.
The reason this works is that SSL::release (and TCP::release) release their held data immediately, in this case causing the server connection/LB decision to happen. Note that HTTP::release is special and different, and it does *not* (in all current versions of BIG-IP) release its data immediately; it waits until the current event is complete.
Hope this helps!
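
An added example, not part of spark's post: the same release-then-collect pattern generalized from a flag to a counter, with the payload rewrite placed before SSL::release because release forwards the held data immediately. The marker strings, the variable names and the limit of two chunks are assumptions for illustration, and it assumes each client message arrives as one CLIENTSSL_DATA event.

```tcl
when CLIENTSSL_HANDSHAKE {
    # Connection-scoped counter of plaintext chunks handled so far
    set chunks_seen 0
    # Hypothetical limit: inspect only the first two chunks of the session
    set chunks_to_inspect 2
    SSL::collect
}

when CLIENTSSL_DATA {
    incr chunks_seen
    set plain [SSL::payload]
    log local0. "Chunk $chunks_seen: [SSL::payload length] bytes plaintext"

    # Hypothetical rewrite: swap one constructed ASCII marker for another.
    # The replacement may differ in length; replace covers the whole buffer.
    set rewritten [string map {OLD-MARKER NEW-MARKER} $plain]
    if { $rewritten ne $plain } {
        # Modify while the data is still held, i.e. before SSL::release
        SSL::payload replace 0 [SSL::payload length] $rewritten
        log local0. "Chunk $chunks_seen rewritten"
    }

    # Forward this chunk; on the first chunk this also triggers the
    # LB decision and server-side connection, as described above
    SSL::release

    # Re-arm collection only while more chunks still need inspection;
    # later traffic then passes through without firing CLIENTSSL_DATA
    if { $chunks_seen < $chunks_to_inspect } {
        SSL::collect
    }
}

when SERVER_CONNECTED {
    log local0. "Connected to server after $chunks_seen chunk(s)"
}
```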