EB-Peter
Apr 20, 2021Nimbostratus
STREAM::expression matches on single char only
STREAM::expression {@AUSEFPPKI03@ZZ.ZZ@} never matches on the string "AUSEFPPKI03". If I substitute it with just an "A" (or any other character in the string), it does match but obviously doesn't give me the outcome I require. I've used this function before without issue.
I've simplified the fqdn down to ZZ.ZZ for privacy. The �� make me wonder if there's some wonky encoding going on. Any ideas?
STREAM::expression {@AUSEFPPKI03@ZZ.ZZ@} :
> GET /certsrv/mscep/ HTTP/1.1
> Host: ZZ.ZZ
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Date: Tue, 20 Apr 2021 04:07:00 GMT
< P3P: CP="{}"
< Set-Cookie: TS90040b9b029=08b6df318aab28008d0777f97de08a8efa35a947e8622df6f571beb28129c9a727b559de4535fe5847692d9195a4b584; Max-Age=30; Path=/
< Transfer-Encoding: chunked
<
��<HTML><Head><Meta HTTP-Equiv="Content-Type" Content="text/html; charset=UTF-8"><Title>Network Device Enrollment Service</Title></Head><Body BgColor=#FFFFFF><Font ID=locPageFont Face="Arial"><Table Border=0 CellSpacing=0 CellPadding=4 Width=100% BgColor=#008080><TR><TD><Font ID=locPageTitleFont Face="Arial" Size=-1 Color=#FFFFFF><LocID ID=locMSCertSrv>Network Device Enrollment Service</LocID></Font></TD></TR></Table><P ID=locPageTitle> Network Device Enrollment Service allows you to obtain certificates for routers or other network devices using the Simple Certificate Enrollment Protocol (SCEP). </P><P> This URL is used by network devices to submit certificate requests. <P> To obtain an enrollment challenge password, go to the admin URL. By default, the admin URL is <A HREF=http://AUSEFPPKI03/CertSrv/mscep_admin>http://AUSEFPPKI03/CertSrv/mscep_admin</A> </P> <P ID=locPageDesc> For more information see <A HREF=http://go.microsoft.com/fwlink/?LinkId=67852>Using Network Device Enrollment Service </A>. </P></Font></Body></HTML>
STREAM::expression {@A@ZZ.ZZ@} :
> GET /certsrv/mscep/ HTTP/1.1
> Host: ZZ.ZZ
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Date: Tue, 20 Apr 2021 04:02:54 GMT
< P3P: CP="{}"
< Set-Cookie: TS90040b9b029=08b6df318aab2800bb24e7e9806d83fd6d72879a87a1fb24c4f1d3d4e8a86f0355194b1ba9ba3be02d17267fa7cbf7ae; Max-Age=30; Path=/
< Transfer-Encoding: chunked
<
��<HTML><Head><Meta HTTP-Equiv="Content-Type" Content="text/html; charset=UTF-8"><Title>Network Device Enrollment Service</Title></Head><Body BgColor=#FFFFFF><Font ID=locPageFont Face="ZZ.ZZrial"><Table Border=0 CellSpacing=0 CellPadding=4 Width=100% BgColor=#008080><TR><TD><Font ID=locPageTitleFont Face="ZZ.ZZrial" Size=-1 Color=#FFFFFF><LocID ID=locMSCertSrv>Network Device Enrollment Service</LocID></Font></TD></TR></Table><P ID=locPageTitle> Network Device Enrollment Service allows you to obtain certificates for routers or other network devices using the Simple Certificate Enrollment Protocol (SCEP). </P><P> This URL is used by network devices to submit certificate requests. <P> To obtain an enrollment challenge password, go to the admin URL. By default, the admin URL is <ZZ.ZZ HREF=http://ZZ.ZZUSEFPPKI03/CertSrv/mscep_admin>http://ZZ.ZZUSEFPPKI03/CertSrv/mscep_admin</ZZ.ZZ> </P> <P ID=locPageDesc> For more information see <ZZ.ZZ HREF=http://go.microsoft.com/fwlink/?LinkId=67852>Using Network Device Enrollment Service </ZZ.ZZ>. </P></Font></Body></HTML>
My iRule: (i added some superfluous logging to help me see when/where it was matching)
when HTTP_RESPONSE {
log local0. "when"
if {[HTTP::header value Content-Type] contains "text"}{
log local0. "if"
STREAM::expression {@AUSEFPPKI03@ZZ.ZZ@}
STREAM::enable
}
}
when HTTP_REQUEST {
STREAM::disable
HTTP::header remove "Accept-Encoding"
}
when STREAM_MATCHED {
log local0.info "[IP::client_addr]_[TCP::local_port]: matched [STREAM::match]"
}