rmoss25
Feb 12, 2014

Redirect Based On IP within Payload Of UDP Packet

Hi, I am trying to redirect UDP (syslog) traffic to specific pools based on the IP addresses within the packet. Currently we have the following iRule:

    when CLIENT_ACCEPTED {
        if { [IP::client_addr] equals "172.16.99.210" } {
            pool ASA-Redirect member 10.1.52.13:8080
        }
    }

The problem is that it never sees traffic from 172.16.99.210 because this is a source IP buried within the syslog UDP packet. Is there a way to look at the payload of a syslog packet for the source IP 172.16.99.210 and then redirect to the pool ASA-Redirect?

Thanks

1 Reply

  • This is actually pretty straightforward, but 1) you have to know how the data is presented in the syslog UDP payload, and 2) you have to string parse it from that payload. Here's an example:

    when CLIENT_DATA {
        set src [findstr [UDP::payload] "src=" 4 ","]
        if { $src equals "172.16.99.210" } {
            pool a_pool
        }
    }
    

    where in this example the UDP payload had something like the following in it:

    Request from src=172.16.99.210, to dst=10.10.10.12
    

    Again, just an example. You'd use the UDP::payload command to expose the UDP data in the CLIENT_DATA event, and then use whatever string parsing function you need to extract the data.
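
A stricter variant of the parsing shown in the reply, as an added example that is not part of the original thread. The `src=` value is text written by whoever sent the datagram, so this rule only accepts a well-formed dotted quad on a field boundary and compares it as an address rather than as a string. The pool name `ASA-Redirect` is taken from the question, and the `src=<ip>,` layout is the reply's sample line, which is an assumption about the real log format.

```tcl
when CLIENT_DATA {
    # Assumed payload layout (the reply's sample line):
    #   Request from src=172.16.99.210, to dst=10.10.10.12
    set payload [UDP::payload]

    # Require "src=" to start a field: beginning of payload or after
    # whitespace/comma/semicolon. This keeps keys such as "xsrc=" or
    # "nat_src=" from being picked up by a plain substring search.
    # The negative lookahead rejects values that run on past a dotted
    # quad, e.g. "172.16.99.2100" or "172.16.99.210.5".
    set re {(?:^|[\s,;])src=(\d{1,3}(?:\.\d{1,3}){3})(?![0-9.])}

    if { [regexp $re $payload -> src] } {
        # \d{1,3} still lets through octets such as 999. IP::addr raises
        # a Tcl error on a malformed address, so wrap it in catch and
        # treat any error as "no match" instead of aborting the rule.
        if { ![catch { IP::addr $src equals 172.16.99.210 } matched] && $matched } {
            pool ASA-Redirect
            return
        }
    }

    # No usable src= field, or a different source: make no pool
    # selection here, so the virtual server's default pool applies.
}
```

Messages that carry a malformed or missing `src=` value fall through to the default pool instead of raising a runtime error in the rule.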