Forum Discussion
gerald_wegener_
Nimbostratus
NimbostratusRegsub always returns a 1 never 0
I've tried running the script that is posted which uses regsub to search for Social Security Numbers in the form xxx-xx-xxxx. I've tried several different permuations of this but can never get anything but a value of "1" for $new_response1.
Click here to see the link to the iRule:
http://devcentral.f5.com/Default.aspx?TabID=29&newsType=ArticleView&articleId=25
The line in the last section:
if {$new_response1 !=0} {
then replace content...
}
Always returns a value of 1, even if there is no SSN found. I'm guessing that someone used != 0 to get it to work since it is never set to 0. i.e. if no SS is found.
- Yes, that example is wrong. Here is the correct HTTP_RESPONSE_DATA:
when HTTP_RESPONSE_DATA { set payload [HTTP::payload [HTTP::payload length]] set ssnx “xxx-xxx-xxxx” Find the SSN numbers if { [regsub -all {\d{3}-\d{2}-\d{4}} $payload $ssnx new_response] > 0 } { Replace the content if there was any matches HTTP::payload replace 0 [HTTP::payload length] $new_response } }
Basically, the variable "new_response" always contains the original payload, except that is has been modified per the regsub. The command returns the count of the number of matching ranges that were found and replaced.
Thanks for catching and pointing this mistake out. I will get the article corrected. 
gerald_wegener_
I get basically the some result. Even if I have a SSN in the HTTP payload this fails through to the else statement i.e. no SSN Found.
Same thing if there is not an SSN number in the payload. Finding
the SSN's was never a problem but now it doesn't look like its even finding them.
when HTTP_RESPONSE_DATA {
set payload [HTTP::payload [HTTP::payload length]]
set mcnx ?xxMASTERCARDxx?
set visanx ?xxxxxVISAxxxxx?
set amexnx ?xxxxxAMEXxxxxx?
set ssnx xxx-xx-xxxx
Find the SSNumbers
if { [regsub -all {/d{3}-/d{2}-/d{4}} $payload ssnx new_response] > 0 } {
log local0. "Outbound SSNumber Alert!!!"
log local0. $new_response
}
else {
log local0. "NO SSN Found!"
log local0. $new_response
}
Here is the output with the SSN:
Jul 12 00:36:35 tmm tmm[744]: Rule creditcard_detector : NO SSN Found!
Jul 12 00:36:35 tmm tmm[744]: Rule creditcard_detector : File: 4k.htm, Block 0000/0004.................................. 0000 00: 012-34-56789ABCDEFABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghyjkl 111-22-3333 0000 01: 0123456789ABCDEFABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghyjkl 0000 02: 0123456789ABCDEFABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghyjkl 0000- Perhaps it's because the regex isn't right. It looks light you have forward slashes / instead of backslashes \:
{/d{3}-/d{2}-/d{4}}
should be:{\d{3}-\d{2}-\d{4}} - gerald_wegener_Thank you. That looks like it works. \ and / look the same to me at this point in my day! Is there a way for me to
grab the SSN's or Credit Card Numbers (I'm adding those) to variables
so I can process them further e.g. log them, do a MOD10 check for
valid credit card numbers, etc.
Thx - You can use the Tcl command 'regexp' to match a regular expression and have it return the matched portions.
So, for example,set card_nums [regexp -all -inline {\d{4}-\d{4}-\d{4}-\d{4}} $payload] if { $card_nums ne "" } { log "Found credit card numbers: $card_nums" } - Unfortunately, we have followed the standard for syslog (RFC3164) which states:
4.1 syslog Message Parts
The full format of a syslog message seen on the wire has three
discernable parts. The first part is called the PRI, the second part
is the HEADER, and the third part is the MSG. The total length of
the packet MUST be 1024 bytes or less. There is no minimum length of
the syslog message although sending a syslog packet with no contents
is worthless and SHOULD NOT be transmitted.
Therefore, the only way for you to log more than 1024 bytes would be through multiple log statements. Also be sure to read this post:
Click here - http://devcentral.f5.com/default.aspx?tabid=28&view=topic&forumid=5&postid=2921 - Oh, I forgot to add that if you want to scrub the CC, then you'll likely want to change the regexp to --indices which will return a list of the start, end index of each match. You can then use string range to extract each card num for validation but then use the indices with the command "HTTP::payload replace " to scrub out the card number (replacing just sections of the payload is going to be more efficient than replacing the entire thing with a modified $payload variable).
- gerald_wegener_Thank you. I tried combining the regsub's and it looks like
it reduced the CPU load 5-10% compared to doing sequential searches. Furthermore if I add expressions to the combined regsub it appears to have a minimial impact on CPU vs adding another sequential search!
Good call!
I was just testing your MOD10 check and it looks OK for MC and VISA but
does not work for AMEX. I've tried 2 valid amex card numbers and it flags them both as invalid. I've looked at the code but quite frankly I'm still working on deciphering it. Can you please take a look?
Thx - gerald_wegener_I did some more troubleshooting on this. Best I can tell it looks like valid AMEX numbers are flagged as invalid and invalid numbers are flagged as valid, at least with a few test card numbers.
- gerald_wegener_
I logged the checksum for a valid amexcard number (which I x'd out). I'm
sure it's valid. This is a log enrty:
Jul 13 20:07:21 tmm tmm[733]: Rule CC_Parser_03 : Found invalid AmericanExpress CC xxxxxxxxxxxxxxx Checks
um (49%10)- Client SourceIP: 10.254.101.1 Accessing URI: /plhomepage_ALL.htm via ServerIP: 10.254.105.14
