
EB-Peter
Apr 20, 2021

STREAM::expression matches on single char only

STREAM::expression {@AUSEFPPKI03@ZZ.ZZ@} never matches on the string "AUSEFPPKI03". If I substitute it with just an "A" (or any other character in the string), it does match but obviously doesn't give me the outcome I require. I've used this function before without issue.

I've simplified the fqdn down to ZZ.ZZ for privacy. The �� make me wonder if there's some wonky encoding going on. Any ideas?

STREAM::expression {@AUSEFPPKI03@ZZ.ZZ@} :

> GET /certsrv/mscep/ HTTP/1.1
> Host: ZZ.ZZ
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Date: Tue, 20 Apr 2021 04:07:00 GMT
< P3P: CP="{}"
< Set-Cookie: TS90040b9b029=08b6df318aab28008d0777f97de08a8efa35a947e8622df6f571beb28129c9a727b559de4535fe5847692d9195a4b584; Max-Age=30; Path=/
< Transfer-Encoding: chunked
<
��<HTML><Head><Meta HTTP-Equiv="Content-Type" Content="text/html; charset=UTF-8"><Title>Network Device Enrollment Service</Title></Head><Body BgColor=#FFFFFF><Font ID=locPageFont Face="Arial"><Table Border=0 CellSpacing=0 CellPadding=4 Width=100% BgColor=#008080><TR><TD><Font ID=locPageTitleFont Face="Arial" Size=-1 Color=#FFFFFF><LocID ID=locMSCertSrv>Network Device Enrollment Service</LocID></Font></TD></TR></Table><P ID=locPageTitle> Network Device Enrollment Service allows you to obtain certificates for routers or other network devices using the Simple Certificate Enrollment Protocol (SCEP). </P><P> This URL is used by network devices to submit certificate requests. <P> To obtain an enrollment challenge password, go to the admin URL. By default, the admin URL is <A HREF=http://AUSEFPPKI03/CertSrv/mscep_admin>http://AUSEFPPKI03/CertSrv/mscep_admin</A> </P> <P ID=locPageDesc> For more information see  <A HREF=http://go.microsoft.com/fwlink/?LinkId=67852>Using Network Device Enrollment Service </A>. </P></Font></Body></HTML>

STREAM::expression {@A@ZZ.ZZ@} :

> GET /certsrv/mscep/ HTTP/1.1
> Host: ZZ.ZZ
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Date: Tue, 20 Apr 2021 04:02:54 GMT
< P3P: CP="{}"
< Set-Cookie: TS90040b9b029=08b6df318aab2800bb24e7e9806d83fd6d72879a87a1fb24c4f1d3d4e8a86f0355194b1ba9ba3be02d17267fa7cbf7ae; Max-Age=30; Path=/
< Transfer-Encoding: chunked
<
��<HTML><Head><Meta HTTP-Equiv="Content-Type" Content="text/html; charset=UTF-8"><Title>Network Device Enrollment Service</Title></Head><Body BgColor=#FFFFFF><Font ID=locPageFont Face="ZZ.ZZrial"><Table Border=0 CellSpacing=0 CellPadding=4 Width=100% BgColor=#008080><TR><TD><Font ID=locPageTitleFont Face="ZZ.ZZrial" Size=-1 Color=#FFFFFF><LocID ID=locMSCertSrv>Network Device Enrollment Service</LocID></Font></TD></TR></Table><P ID=locPageTitle> Network Device Enrollment Service allows you to obtain certificates for routers or other network devices using the Simple Certificate Enrollment Protocol (SCEP). </P><P> This URL is used by network devices to submit certificate requests. <P> To obtain an enrollment challenge password, go to the admin URL. By default, the admin URL is <ZZ.ZZ HREF=http://ZZ.ZZUSEFPPKI03/CertSrv/mscep_admin>http://ZZ.ZZUSEFPPKI03/CertSrv/mscep_admin</ZZ.ZZ> </P> <P ID=locPageDesc> For more information see  <ZZ.ZZ HREF=http://go.microsoft.com/fwlink/?LinkId=67852>Using Network Device Enrollment Service </ZZ.ZZ>. </P></Font></Body></HTML>

My iRule: (I added some superfluous logging to help me see when/where it was matching)

when HTTP_RESPONSE {
    log local0. "when"
    if {[HTTP::header value Content-Type] contains "text"}{
        log local0. "if"
        STREAM::expression {@AUSEFPPKI03@ZZ.ZZ@}
        STREAM::enable
    }
}

when HTTP_REQUEST {
    STREAM::disable
    HTTP::header remove "Accept-Encoding"
}

when STREAM_MATCHED {
  log local0.info "[IP::client_addr]_[TCP::local_port]: matched [STREAM::match]"
}
  • Interesting. You may already be aware of the fact that stream expression is case sensitive.

    Is response chunking set to selective in the HTTP profile? If not, can you assign a custom HTTP profile with "selective" response chunking and see if that makes any difference?

  • Hi Sanjay,

    Thanks for replying! I'm on 16.0.1 and the only options available are Unchunk, Rechunk, Sustain. There's no selective option. I tried all three anyway and they did not help my problem.

    It's not a case problem either.

    😟​

    • spalande

      What does the logging say? Does it even find the string?

      Would it be possible to try the iRule below to see if this makes any difference, just for testing?

      when RULE_INIT {
          # Each record is "find====replace"; a replacement of "nothing" deletes the match
          set static::stream_response_body {
              "AUSEFPPKI03====ZZ.ZZ"
              "ausefppki03====ZZ.ZZ"
          }
      }

      when HTTP_REQUEST {
          STREAM::disable
          HTTP::header remove "Accept-Encoding"
      }

      when HTTP_RESPONSE {
          if {[llength $static::stream_response_body] > 0} {
              # Build one expression of the form @find1@replace1@@find2@replace2@
              set expression ""
              foreach stream_request_rewriteRecord $static::stream_response_body {
                  set stream_request_find [getfield $stream_request_rewriteRecord "====" 1]
                  set stream_request_replace [getfield $stream_request_rewriteRecord "====" 2]
                  if {$stream_request_replace == "nothing"} {
                      set stream_request_replace ""
                  }

                  set expression "$expression@$stream_request_find@$stream_request_replace@"
              }
              if {[HTTP::header Content-Type] contains "text"} {
                  if {[catch {
                      STREAM::expression $expression
                      STREAM::enable
                  } result]} {
                      #log local0. "fffffffffff $result"
                  }
              }
          }
      }
      • EB-Peter

        My logging shows a match on any single char, but no match for two or more consecutive chars in the string.

         

        Your iRule produces the same http response as if there was no match.

  • The encoding on the HTML data would appear to be UTF-8, as specified in the first META tag that appears in the HTML stream.

    <Meta HTTP-Equiv="Content-Type" Content="text/html; charset=UTF-8">

    The default translation mode on a STREAM expression is ascii (which means ISO-8859-1, including ascii). Try adding a STREAM::encoding utf-8 command to the iRule (before the STREAM::enable) to see if that makes a difference.

    • EB-Peter

      Where would you suggest I add that line? If I place it under 'HTTP_RESPONSE', I get the error:

       

       error: [command is not valid in current event context (HTTP_RESPONSE)][STREAM::encoding utf-8]
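
Added example (not part of any post in this thread, and not F5 code): an offline Python check that reproduces the reported symptom, where a single character matches but the full hostname does not, using a simplified byte-wise model of a stream rewrite. It assumes the two unreadable bytes at the start of the body are a UTF-16LE byte order mark, which the thread does not confirm; the sample body and all function names are constructed for illustration.

```python
import codecs

# Constructed sample: a fragment modelled on the response body in the thread.
SAMPLE_HTML = '<A HREF=http://AUSEFPPKI03/CertSrv/mscep_admin>admin</A>'

# Longest marks first so a UTF-32 BOM is not mistaken for a UTF-16 one.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"), (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"), (codecs.BOM_UTF16_BE, "utf-16-be"),
]

def sniff_encoding(body: bytes, default: str = "utf-8"):
    """Return (encoding, bom_length) based on a leading byte order mark, if any."""
    for bom, name in BOMS:
        if body.startswith(bom):
            return name, len(bom)
    return default, 0

def bytewise_replace(body: bytes, find: str, replace: str):
    """Simplified model of a byte-oriented rewrite: pattern compared as single-byte text."""
    needle = find.encode("latin-1")
    return body.replace(needle, replace.encode("latin-1")), body.count(needle)

def encoding_aware_replace(body: bytes, find: str, replace: str):
    """Decode with the sniffed encoding, replace on text, re-encode and keep the BOM."""
    enc, bom_len = sniff_encoding(body)
    text = body[bom_len:].decode(enc)
    return body[:bom_len] + text.replace(find, replace).encode(enc), text.count(find)

def diagnose(body: bytes, find: str) -> dict:
    """Compare match counts for the full pattern and its first character."""
    enc, _ = sniff_encoding(body)
    return {
        "encoding": enc,
        "bytewise_full": bytewise_replace(body, find, "")[1],
        "bytewise_first_char": bytewise_replace(body, find[0], "")[1],
        "decoded_full": encoding_aware_replace(body, find, "")[1],
    }

# Assumption: body sent as UTF-16LE with a BOM, versus the same text as UTF-8.
UTF16_BODY = codecs.BOM_UTF16_LE + SAMPLE_HTML.encode("utf-16-le")
UTF8_BODY = SAMPLE_HTML.encode("utf-8")

if __name__ == "__main__":
    print(diagnose(UTF16_BODY, "AUSEFPPKI03"))
    print(diagnose(UTF8_BODY, "AUSEFPPKI03"))
```

Running `sniff_encoding` on the first bytes of a captured response body (for example saved with `curl -o`) shows whether the bytes on the wire agree with the charset the META tag declares.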