Scan command and variables in a SSL transaction
I'm trying to capture some client IP/SSL cipher information as well as a 23 character string of text that will be divided up into two identifiers.
Are the 23 chars in the HTTP request? If yes, isn't it easier to just use the http_request event? ssl::payload is the HTTP request.
e.g.
// config
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        clientssl {
            context clientside
        }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 4
}
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when CLIENT_ACCEPTED {
        log local0. "SSL_CUSTOM: Connection of Client Source IP: [IP::client_addr]:[TCP::client_port]<-->[virtual name]<-->[LB::server]"
    }
    when CLIENTSSL_HANDSHAKE {
        if { [SSL::cipher bits] > 0 } then {
            log local0. "Client: [IP::client_addr] is using [SSL::cipher version]. SSL Cipher:[SSL::cipher name]. Virtual:[virtual]. SSL Profile:[PROFILE::clientssl name]."
            SSL::collect
        }
    }
    when CLIENTSSL_DATA {
        log local0. [SSL::payload]
        SSL::release
    }
}
// client
curl -ik https://172.28.24.10
HTTP/1.1 200 OK
Date: Wed, 27 Dec 2017 01:06:34 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 15 Apr 2016 03:55:49 GMT
ETag: "418e44-6a-fc825b40"
Accept-Ranges: bytes
Content-Length: 106
Content-Type: text/html; charset=UTF-8
This is 101 host.
// log
[root@ve13a:Active:In Sync] config tail -f /var/log/ltm
Dec 27 08:56:49 ve13a info tmm[17969]: Rule /Common/qux : SSL_CUSTOM: Connection of Client Source IP: 172.28.24.1:32806<-->/Common/bar<-->/Common/foo 0
Dec 27 08:56:49 ve13a info tmm[17969]: Rule /Common/qux : Client: 172.28.24.1 is using TLSv1.2. SSL Cipher:ECDHE-RSA-AES128-GCM-SHA256. Virtual:/Common/bar. SSL Profile:/Common/clientssl.
Dec 27 08:56:49 ve13a info tmm[17969]: Rule /Common/qux : GET / HTTP/1.1 User-Agent: curl/7.29.0 Host: 172.28.24.10 Accept: */*
By the way, the scan command returns the number of conversions performed (not the string that matches a conversion specifier). In short, the combo variable should be after the scan command.
e.g.
scan [SSL::payload] {[0-9]{8}[0-9]{15}){1}} combo
scan
https://www.tcl.tk/man/tcl/TclCmd/scan.htm
Ok, we are closer guys. Thanks so far. This is not an HTTPS transaction according to the application group I'm working with.
scan [SSL::payload] {[0-9]{8}[0-9]{15}){1}} combo
Does scan perform the same search action as a regex?
I've attached a screenshot of a log capture I ran on the LTM. If I run a regex against a log file, it does capture the 23 characters properly.
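On the question of whether scan searches the way a regex does, here is an added example in plain Tcl (not code from any poster in this thread): scan parses from the first character of the string using %-style conversions and returns a conversion count, while regexp searches anywhere in the string. The 8-digit/15-digit split is assumed from the pattern posted above; the proc names and sample payloads are constructed for illustration.

```tcl
# Constructed sample payloads (not taken from the thread's capture).
set at_start "12345678123456789012345 trailing data"
set embedded "HDR|12345678123456789012345|END"

# scan: anchored at the start of the string, no searching.
# %8[0-9] reads UP TO 8 digits, %15[0-9] UP TO 15, so the lengths
# must be checked as well as the conversion count that scan returns.
proc split_with_scan {payload} {
    set n [scan $payload {%8[0-9]%15[0-9]} id_a id_b]
    if {$n == 2 && [string length $id_a] == 8 && [string length $id_b] == 15} {
        return [list $id_a $id_b]
    }
    return {}
}

# regexp: searches the whole string. The leading (?:^|[^0-9]) and the
# trailing (?![0-9]) keep it from matching inside a longer run of digits
# (assumption: the token is exactly 23 digits).
proc split_with_regexp {payload} {
    set re {(?:^|[^0-9])([0-9]{8})([0-9]{15})(?![0-9])}
    if {[regexp $re $payload -> id_a id_b]} {
        return [list $id_a $id_b]
    }
    return {}
}

foreach p [list $at_start $embedded] {
    puts "payload: $p"
    puts "  scan   -> [split_with_scan $p]"
    puts "  regexp -> [split_with_regexp $p]"
}
```

Both procs return a two-element list on success and an empty list otherwise, so in an iRule the result of calling one on [SSL::payload] can be tested with llength before logging.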