Forum Discussion

bongshanks's avatar
bongshanks
Icon for Nimbostratus rankNimbostratus
Dec 26, 2017

Scan command and variables in a SSL transaction

Hey folks, I'm trying to finish an iRule and I'd appreciate some critiquing or advice. I'm trying to capture some client IP/SSL cipher information as well as a 23 character string of text that will...
BIG-IP
iRules
security
nitass's avatar
nitass
Icon for Employee rankEmployee
Dec 27, 2017

I'm trying to capture some client IP/SSL cipher information as well as a 23 character string of text that will be divided up into two identifiers.

are the 23 chars in http request? if yes, isn't it easier to just use http_request event? ssl::payload is http request.

e.g.

// config

root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        clientssl {
            context clientside
        }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 4
}
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
when CLIENT_ACCEPTED {
  log local0. "SSL_CUSTOM: Connection of Client Source IP: [IP::client_addr]:[TCP::client_port]<-->[virtual name]<-->[LB::server]"
}
when CLIENTSSL_HANDSHAKE {
  if { [SSL::cipher bits] > 0 } then {
    log local0. "Client: [IP::client_addr] is using [SSL::cipher version]. SSL Cipher:[SSL::cipher name]. Virtual:[virtual]. SSL Profile:[PROFILE::clientssl name]."
    SSL::collect
  }
}
when CLIENTSSL_DATA {
  log local0. [SSL::payload]
  SSL::release
}
}

// client

 curl -ik https://172.28.24.10
HTTP/1.1 200 OK
Date: Wed, 27 Dec 2017 01:06:34 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 15 Apr 2016 03:55:49 GMT
ETag: "418e44-6a-fc825b40"
Accept-Ranges: bytes
Content-Length: 106
Content-Type: text/html; charset=UTF-8






This is 101 host.




// log

[root@ve13a:Active:In Sync] config  tail -f /var/log/ltm
Dec 27 08:56:49 ve13a info tmm[17969]: Rule /Common/qux : SSL_CUSTOM: Connection of Client Source IP: 172.28.24.1:32806<-->/Common/bar<-->/Common/foo 0
Dec 27 08:56:49 ve13a info tmm[17969]: Rule /Common/qux : Client: 172.28.24.1 is using TLSv1.2. SSL Cipher:ECDHE-RSA-AES128-GCM-SHA256. Virtual:/Common/bar. SSL Profile:/Common/clientssl.
Dec 27 08:56:49 ve13a info tmm[17969]: Rule /Common/qux : GET / HTTP/1.1  User-Agent: curl/7.29.0  Host: 172.28.24.10  Accept: */*

by the way, scan command returns number of conversions performed (not string that matches a conversion specifier). in short, combo variable should be after the scan command.

e.g.

scan [SSL::payload] {[0-9]{8}[0-9]{15}){1}} combo

scan

https://www.tcl.tk/man/tcl/TclCmd/scan.htm
bongshanks's avatar
bongshanks
Icon for Nimbostratus rankNimbostratus
Dec 27, 2017

Ok, we are closer guys. Thanks so far. This is not an HTTPS transaction according to the application group I'm working with

scan [SSL::payload] {[0-9]{8}[0-9]{15}){1}} combo

Does scan perform the same search action as a regex?

I've attached a screenshot of a log capture I ran on the LTM. If I run a regex against a log file, It does capture the 23 characters properly.