Forum Discussion
gerald_wegener_
Nimbostratus
Jul 11, 2005
Regsub always returns a 1 never 0
I've tried running the script that is posted which uses regsub to search for Social Security Numbers in the form xxx-xx-xxxx. I've tried several different permutations of this but can never get anything but a value of "1" for $new_response1.
Click here to see the link to the iRule:
http://devcentral.f5.com/Default.aspx?TabID=29&newsType=ArticleView&articleId=25
The line in the last section:
if {$new_response1 !=0} {
then replace content...
}
Always returns a value of 1, even if there is no SSN found. I'm guessing that someone used != 0 to get it to work since it is never set to 0. i.e. if no SS is found.
21 Replies
unRuleY_95363
Historic F5 Account
Yes, that example is wrong. Here is the correct HTTP_RESPONSE_DATA:
when HTTP_RESPONSE_DATA {
    set payload [HTTP::payload [HTTP::payload length]]
    set ssnx "xxx-xxx-xxxx"
    # Find the SSN numbers
    if { [regsub -all {\d{3}-\d{2}-\d{4}} $payload $ssnx new_response] > 0 } {
        # Replace the content if there were any matches
        HTTP::payload replace 0 [HTTP::payload length] $new_response
    }
}
Basically, the variable "new_response" always contains the original payload, except that it has been modified per the regsub. The command returns the count of the number of matching ranges that were found and replaced.
Thanks for catching and pointing this mistake out. I will get the article corrected.
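As an added illustration of the point above (example code written for this page, not from the article or either poster), here is the same regsub run in plain Tcl outside an iRule, on constructed payloads: the command's return value is the match count, while the output variable always receives the whole text, unchanged when nothing matched. The last line shows what the forward-slash escape that a later post in the thread catches actually does.

```tcl
# Added example for this thread (plain Tcl, no iRule commands); the payloads are constructed.
set ssnx "xxx-xx-xxxx"

# Returns {count scrubbed_text}. regsub's own return value is the number of
# ranges it replaced; the output variable always receives the whole payload,
# unchanged when nothing matched, so testing that variable against 0 never works.
proc scrub_ssn {payload} {
    global ssnx
    set count [regsub -all {\d{3}-\d{2}-\d{4}} $payload $ssnx new_response]
    return [list $count $new_response]
}

foreach payload [list "ids 111-22-3333 and 444-55-6666" "no numbers in this one"] {
    set result [scrub_ssn $payload]
    puts "count=[lindex $result 0] text=[lindex $result 1]"
}

# Forward slashes: /d is a literal slash followed by d{3} (three letter d's), so
# this pattern cannot match an SSN and the count is always 0.
puts "wrong escape count=[regsub -all {/d{3}-/d{2}-/d{4}} "111-22-3333" $ssnx tmp]"
```

The first payload yields a count of 2 with both numbers masked, the second a count of 0 with the text returned untouched; the comparison that belongs in the iRule is therefore on the count, exactly as in the corrected event above.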
gerald_wegener_
Nimbostratus
I get basically the same result. Even if I have a SSN in the HTTP payload this fails through to the else statement i.e. no SSN Found.
Same thing if there is not an SSN number in the payload. Finding the SSN's was never a problem but now it doesn't look like it's even finding them.
when HTTP_RESPONSE_DATA {
    set payload [HTTP::payload [HTTP::payload length]]
    set mcnx "xxMASTERCARDxx"
    set visanx "xxxxxVISAxxxxx"
    set amexnx "xxxxxAMEXxxxxx"
    set ssnx "xxx-xx-xxxx"
    # Find the SSNumbers (the /d in this pattern is the defect identified in the next reply; \d is the digit escape)
    if { [regsub -all {/d{3}-/d{2}-/d{4}} $payload $ssnx new_response] > 0 } {
        log local0. "Outbound SSNumber Alert!!!"
        log local0. $new_response
    } else {
        log local0. "NO SSN Found!"
        log local0. $new_response
    }
}
Here is the output with the SSN:
Jul 12 00:36:35 tmm tmm[744]: Rule creditcard_detector : NO SSN Found!
Jul 12 00:36:35 tmm tmm[744]: Rule creditcard_detector : File: 4k.htm, Block 0000/0004.................................. 0000 00: 012-34-56789ABCDEFABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghyjkl 111-22-3333 0000 01: 0123456789ABCDEFABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghyjkl 0000 02: 0123456789ABCDEFABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghyjkl 0000
unRuleY_95363
Historic F5 Account
Perhaps it's because the regex isn't right. It looks like you have forward slashes / instead of backslashes \:
{/d{3}-/d{2}-/d{4}}
should be:
{\d{3}-\d{2}-\d{4}}
gerald_wegener_
Nimbostratus
Thank you. That looks like it works. \ and / look the same to me at this point in my day! Is there a way for me to grab the SSN's or Credit Card Numbers (I'm adding those) to variables so I can process them further e.g. log them, do a MOD10 check for valid credit card numbers, etc.
Thx
unRuleY_95363
Historic F5 Account
You can use the Tcl command 'regexp' to match a regular expression and have it return the matched portions.
So, for example,
set card_nums [regexp -all -inline {\d{4}-\d{4}-\d{4}-\d{4}} $payload]
if { $card_nums ne "" } {
    log "Found credit card numbers: $card_nums"
}
unRuleY_95363
Historic F5 Account
Unfortunately, we have followed the standard for syslog (RFC3164) which states:
4.1 syslog Message Parts
The full format of a syslog message seen on the wire has three
discernable parts. The first part is called the PRI, the second part
is the HEADER, and the third part is the MSG. The total length of
the packet MUST be 1024 bytes or less. There is no minimum length of
the syslog message although sending a syslog packet with no contents
is worthless and SHOULD NOT be transmitted.
Therefore, the only way for you to log more than 1024 bytes would be through multiple log statements. Also be sure to read this post:
Click here - http://devcentral.f5.com/default.aspx?tabid=28&view=topic&forumid=5&postid=2921
unRuleY_95363
Historic F5 Account
Oh, I forgot to add that if you want to scrub the CC, then you'll likely want to change the regexp to -indices, which will return a list of the start, end index of each match. You can then use string range to extract each card num for validation but then use the indices with the command "HTTP::payload replace" to scrub out the card number (replacing just sections of the payload is going to be more efficient than replacing the entire thing with a modified $payload variable).
gerald_wegener_
Nimbostratus
Thank you. I tried combining the regsub's and it looks like it reduced the CPU load 5-10% compared to doing sequential searches. Furthermore if I add expressions to the combined regsub it appears to have a minimal impact on CPU vs adding another sequential search!
Good call!
I was just testing your MOD10 check and it looks OK for MC and VISA but does not work for AMEX. I've tried 2 valid amex card numbers and it flags them both as invalid. I've looked at the code but quite frankly I'm still working on deciphering it. Can you please take a look?
Thx
gerald_wegener_
Nimbostratus
I did some more troubleshooting on this. Best I can tell it looks like valid AMEX numbers are flagged as invalid and invalid numbers are flagged as valid, at least with a few test card numbers.
gerald_wegener_
Nimbostratus
I logged the checksum for a valid amex card number (which I x'd out). I'm sure it's valid. This is a log entry:
Jul 13 20:07:21 tmm tmm[733]: Rule CC_Parser_03 : Found invalid AmericanExpress CC xxxxxxxxxxxxxxx Checksum (49%10)- Client SourceIP: 10.254.101.1 Accessing URI: /plhomepage_ALL.htm via ServerIP: 10.254.105.14