Forum Discussion
non-http stream match/catch
I have a standard VS on an LTM. tcp1521 TNS (to Oracle DB server). I am trying to match on a string that occurs often ('ORA-01403: no data found'). I know that the string is going through the VS, as I run simultaneous tcpdumps.
I have had success with http stream matching, but don't know how to go about a just plain TCP traffic flow. Below is the iRule that I have tried.
when CLIENT_ACCEPTED {
    # Replace 'ORA-01403:' with 'ORA-01403:'
    STREAM::expression {@ORA-01403@ORA-01403@}
    STREAM::enable
}
when STREAM_MATCHED {
    set hsl [HSL::open -proto UDP -pool HIGH_SPEED_LOGGING]
    HSL::send $hsl "DNA_STREAM,MATCH FOUND!"
}
From the wiresharks, it seems as though the text is simply ASCII. Any suggestions?
2 Replies
- Kevin_Stewart
Employee
The issue is that there's not enough data present in the CLIENT_ACCEPTED event, which is triggered at the end of a successful TCP 3-way handshake. If you want to see TCP payload you have to collect (i.e. buffer) that payload:
when CLIENT_ACCEPTED {
    # Start buffering the client-side TCP payload
    TCP::collect
}
when CLIENT_DATA {
    # Replace 'ORA-01403:' with 'ORA-01403:'
    STREAM::expression {@ORA-01403@ORA-01403@}
    STREAM::enable
    # Release the collected payload
    TCP::release
}
when STREAM_MATCHED {
    set hsl [HSL::open -proto UDP -pool HIGH_SPEED_LOGGING]
    HSL::send $hsl "DNA_STREAM,MATCH FOUND!"
}
- OTS02
Cirrus
Yessssss!! That works - thanks. BTW, first time I tried it - did not work for me. Then I realized that the strings that I am looking for are actually coming from the SERVER. So changed things around some:
when SERVER_CONNECTED {
    # Start buffering the server-side TCP payload
    TCP::collect
}
when SERVER_DATA {
    # Replace 'ORA-01403:' with 'ORA-01403:'
    STREAM::expression {@ORA-01403@ORA-01403@}
    STREAM::enable
    # Release the collected payload
    TCP::release
}
when STREAM_MATCHED {
    set hsl [HSL::open -proto UDP -pool HIGH_SPEED_LOGGING]
    HSL::send $hsl "hsl_BL_DNA_sandbox, DNA_STREAM,MATCH FOUND!"
}