Forum Discussion
gerald_wegener_
Nimbostratus
Jul 11, 2005
Regsub always returns a 1 never 0
I've tried running the script that is posted which uses regsub to search for Social Security Numbers in the form xxx-xx-xxxx. I've tried several different permutations of this but can never get anything but a value of "1" for $new_response1.
Click here to see the link to the iRule:
http://devcentral.f5.com/Default.aspx?TabID=29&newsType=ArticleView&articleId=25
The line in the last section:
    if {$new_response1 !=0} {
        # then replace content...
    }
Always returns a value of 1, even if there is no SSN found. I'm guessing that someone used != 0 to get it to work since it is never set to 0. i.e. if no SS is found.
21 Replies
- unRuleY_95363
Historic F5 Account
I found the problem with my version of the LUHN algorithm. I was trying to avoid the use of % as it is a relatively expensive operation compared to & (by a factor of about 10). Here is the corrected version:
    # Find ALL the possible credit card numbers in one pass
    set card_nums [regexp -all -inline {(?:3[4-7]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})} $payload]
    # Now iterate over each one and check, categorize and log it
    foreach cardnum $card_nums {
        set cclen [string length $cardnum]
        set double [expr {$cclen & 1}]
        set chksum 0
        for { set i 0 } { $i < $cclen } { incr i } {
            set c [string index $cardnum $i]
            if {($i & 1) == $double} {
                if {[incr c $c] >= 10} {incr c -9}
            }
            incr chksum $c
        }
        switch [string index $cardnum 0] {
            3 { set type AmericanExpress }
            4 { set type Visa }
            5 { set type MasterCard }
            6 { set type Discover }
            default { set type Unknown }
        }
        if { ($chksum % 10) == 0 } {
            set isCard valid
        } else {
            set isCard invalid
        }
        log local0. "Found $isCard $type CC $cardnum - Client SourceIP: $clientip Accessing URI: $clienturi via ServerIP: $serverip"
    }
I found a buddy with an Amex card and now have tested this with both my Visa cards and his Amex number and it appears to be working for both now.
Also, there is no need to check the lengths and/or more than the first digit as the regular expression is only going to find card numbers according to the RE.
- gerald_wegener_
Nimbostratus
I did some testing and it looks like the latest code works for MC/VISA/AMEX card numbers. I'll be digging in some more over the next days and weeks. Since I'm still getting up to speed on TCL/iRules I may tap your expertise again on this topic...
Thank you very much for your help with this, I really appreciate it.
- unRuleY_95363
Historic F5 Account
Here is an improved example of the SSN scrubber which uses regexp -indices to only replace the specific portions of the payload. This has significantly better performance (I also changed the check for matching uris to use a class instead of a single if check):
    class scrub_uris {
        "/cgi-bin",
        "/account"
    }
    rule ssn_scrubber {
        when HTTP_REQUEST {
            if { [matchclass [HTTP::uri] starts_with $::scrub_uris] } {
                set scrub_content 1
                # Don't allow data to be chunked
                if { [HTTP::version] eq "1.1" } {
                    HTTP::version "1.0"
                }
            } else {
                set scrub_content 0
            }
        }
        when HTTP_RESPONSE {
            if { $scrub_content } {
                if { [HTTP::header exists "Content-Length"] } {
                    set content_length [HTTP::header "Content-Length"]
                } else {
                    set content_length 4294967295
                }
                if { $content_length > 0 } {
                    HTTP::collect $content_length
                }
            }
        }
        when HTTP_RESPONSE_DATA {
            # Find the SSN numbers
            set ssn_indices [regexp -all -inline -indices {\d{3}-\d{2}-\d{4}} [HTTP::payload]]
            # Scrub the SSN's from the response
            foreach ssn_idx $ssn_indices {
                set ssn_start [lindex $ssn_idx 0]
                set ssn_len [expr {[lindex $ssn_idx 1] - $ssn_start + 1}]
                HTTP::payload replace $ssn_start $ssn_len "xxx-xx-xxxx"
            }
        }
    }
- gerald_wegener_
Nimbostratus
FYI -
I was testing your latest credit card scrubber iRule and I noticed that the AMEX search portion looks incorrect. From what I can find publicly AMEX cards can begin with a 34 or a 37. It looks like you are flagging 3[4-7] in the iRule. Should it be
3[4||7] instead?
- You are correct. It's the same issue for Mastercard that starts with 51 or 55, not 51 through 55. I'll update the CreditCardScrubber sample in the iRules CodeShare section of the wiki.
http://devcentral.f5.com/wiki/default.aspx/iRules/CreditCardScrubber.html
-Joe
- gerald_wegener_
Nimbostratus
I think Mastercard is 51-55 (51 through 55):
http://www.beachnet.com/~hstiles/cardtype.html
- gerald_wegener_
Nimbostratus
It looks like this iRule would check all returned objects/content (i.e. gifs, jpeg, html, css, etc.) for credit card numbers. Would it be possible to modify it to check only a limited number of content types e.g. html ?
- Good point. I've updated the wiki sample with a check to only test for text based responses (ie. Content-Type starts_with "text/"). If you need to be more specific, you could easily create a data group containing the content types you want to check for and replace my conditional with a matchclass command comparing the content-type to a member of the data group.
-Joe
- gerald_wegener_
Nimbostratus
I tried running the latest script using matchclass but can't get it working. I first created a data group (string) called "ContentTypes" and added text/html, text/css, etc. - and replaced:
    when HTTP_RESPONSE {
        # Only check responses that are a text content type
        # (text/html, text/xml, text/plain, etc).
        if { [HTTP::header "Content-Type"] starts_with "text/" } {
with
    when HTTP_RESPONSE {
        # Only check responses that in the data group "ContentTypes"
        # (text/html, text/xml, text/plain, etc).
        if { [matchclass [HTTP::header "Content-Types] matches $::ContentTypes] } {
I tried a few variations but can't get it to work.
- I believe the header is "Content-Type", not "Content-Types". Also, you aren't terminating the header name with a quote. That could be where your problem lies. I would use something like this:
    ...
    if { [matchclass [HTTP::header "Content-Type"] equals $::ContentTypes] } {
If that still doesn't work, the docs for matchclass say that you should use the data group first, but I've been told it should work both ways. You can try this as well.
    ...
    if { [matchclass $::ContentTypes equals [HTTP::header "Content-Type"]] } {
If it still doesn't work, I'd throw in some logging as to what the value of [HTTP::header "Content-Type"] is.
-Joe
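
The two techniques from this thread combined, as an added example that is not any poster's code: plain Tcl for tclsh rather than an iRule, with hypothetical proc names luhn_ok and scrub_cards and a constructed payload of published test card numbers. It uses 3[47] for the AMEX prefix as raised above, keeps 5[1-5] from the posted pattern, and masks only Luhn-valid matches with a same-length string so the indices collected up front stay valid.

```tcl
# Added example: plain Tcl (tclsh), not an iRule. Proc names are hypothetical.

# Luhn check with the thread's parity trick: ($i & 1) picks every second
# digit counted from the right, whatever the length of the number.
proc luhn_ok {num} {
    set len [string length $num]
    set double [expr {$len & 1}]
    set sum 0
    for {set i 0} {$i < $len} {incr i} {
        set c [string index $num $i]
        if {($i & 1) == $double} {
            # Double the digit; subtracting 9 equals adding its two digits.
            if {[incr c $c] >= 10} {incr c -9}
        }
        incr sum $c
    }
    return [expr {($sum % 10) == 0}]
}

# Mask Luhn-valid card numbers in place. All matches are located first;
# the mask has the same length as the match, so later indices do not shift.
proc scrub_cards {payload} {
    set re {(?:3[47]\d{13})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})}
    foreach idx [regexp -all -inline -indices $re $payload] {
        set start [lindex $idx 0]
        set end   [lindex $idx 1]
        if {[luhn_ok [string range $payload $start $end]]} {
            set mask [string repeat X [expr {$end - $start + 1}]]
            set payload [string replace $payload $start $end $mask]
        }
    }
    return $payload
}

# Constructed sample: two published test numbers and one with a bad check digit.
set sample "visa=4111111111111111 bad=4111111111111112 amex=378282246310005"
puts [scrub_cards $sample]
```

The entry with the bad check digit is left untouched, which is the reason to run the Luhn check before masking: digit runs that merely look like card numbers are not rewritten.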
