TCP payload match and logging

That's probably almost right if you're doing the searching yourself. Except you'll need to consider boundary conditions as well. For example the "userid=" string may be split across the border of the TCP data payload that you've gathered.

 

 

Perhaps an easier way would be to use stream processing. Setup a stream that looks for the patterns you're interested in, and trigger on the STREAM_MATCHED event. In there you can pull and log the values. (You can either define the stream in a profile, and attach it, or define the stream you're looking for at run time the way the ProxyPass iRule does... In fact for a good example of stream processing see the ProxyPass iRule).

 

 

H

 

Interesting, never thought of using stream profile for that. What is the default logging mechanism for stream? As the entire purpose of the iRule is to log the values out of the payload, (being userid and timestamp as well as lb selected), if I can do that effectively via stream, far easier for me then an irule. M

Okay - So I've created the stream profile, with the following source values: userid= password= timestamp= Then the irule which triggers on stream match: when STREAM_MATCHED { Log each match found by the stream filter log local0. "Stream filter matched: [STREAM::match]" } Thoughts?

I have the stream profile matching as per my irule, however it is not returning the match value, rather it's telling me its matched and "when STREAM_MATCHED priority 32768000 " I was expecting the match value to be the userid value?? Any help would be greatly appreciated.

 

 

M

 

 

I now have the stream match working with @ However its base64 encoded, is there a way to decode this?

 

 

M

Got this working with regex, however probably not the best way going forward. I'd like to use findstr or matchstr instead, but having some teething issues around that.

 when STREAM_MATCHED {
  log each match found by the stream filter
 log local0. "Stream filter matched:[STREAM::match]"
  set myvar [STREAM::match]
  set 4 "blah"
  regexp {Username=(.+)\sUserpassword=(.+)\sUseremail=(.+)\sUserhomefolder=(.+)\s} $myvar matched sub1 sub2 sub3
  log local0. "Username=[b64decode $sub1] Userpassword=[b64decode $sub2] Usermail=[b64decode $sub3]"
}
when LB_SELECTED  {        
 set serverIP [LB::server addr]
 log local0. "LB Server IP $serverIP"
}

Thanks for that Colin, having a look at it now. I have another question for you :-), I'm trying to match a null value in stream and replace with a value that will cause the login to fail,

 @Userpassword="null"@Userpassword="000"

I'm trying to make sure that I only match and replace on null password values and not any valid password, however a blank field and a null value doesnt seem to work.

M

Interesting. Are you having trouble matching the null value or replacing it? If you're having trouble matching it then you'd want to do a dump or log and inspect what's actually being passed. It's like userpassword="" or something. That'll help you know what to tweak in your regex.

 

 

Colin

Hi Colin,

Trying to match the null value in

Userpassword= 

In base64 encoding a null character is

 = 

so I've also tried

 Userpassword=\"\"

however this didnt match.

My question is can Stream match a null value?

M

Hi Colin, Yeah tried that, I've attached the tcpdump and highlighted the values I want to match and also replace when null. Any advice would be greatly appreciated. When using the stream value, I'm matching the name in the tcpdump. M