Forum Discussion
Marc_Kozera_108
Nimbostratus
NimbostratusTCP rule with b64decode
This is my TCP rule where I want to check RSTP packet for auth parameter. Everything seems to work, except when I want to b64decode passed string, I got:
Tue Jan 31 09:34:59 EST 2006 tmm tmm[1009] 01220001 TCL error: Rule test CLIENT_DATA - conversion error invoked from within b64decode $hashed
I cannot figure out why this is happening.
mms://192.168.1.1/1048111.mp3?auth=12:00:00;OTAwMTUwOTgzY2QyNGZiMGQ2OTYzZjdkMjhlMTdmNzI=
The auth parameter is time;base64encoded md5 hash
hashed string in these examples is "abc"
when CLIENT_ACCEPTED {
if {[TCP::local_port] == 554}{
TCP::collect 75
log local0. "Text1[findstr [TCP::payload] "auth=" 5]End"
}
}
when CLIENT_DATA {
log local0. "Text1[findstr [TCP::payload] "auth=" 5]End"
set token [findstr [TCP::payload] "auth=" 5]
log local0. "$token End"
if { [string length $token] != 0} {
set total [string first " " $token]
set total [expr $total-1]
set del [string first ";" $token];
set time [string range $token 0 $del]
set hashed [string range $token $del $total]
log local0. "time $time"
log local0. "hashed and base64encoded $hashed"
log local0. "token is there. checking if valid"
set base64decoded [b64decode $hashed]]
log local0. "base64decoded $base64decoded"
}
else {
log local0. "no token"
}
}
Below are the debugs:
Rule test CLIENT_DATA: Text112:00:00OTAwMTUwOTgzY2QyNGZiMGQ2OTYzZjdkMjhlMTdmNzI= RTSP/1.0 User-Agent: WMPlayer/10.0.0.380 guid/3300AD50-2C39-46C0-AE0A-36E84E0ABEED Accept: application/sdp Accept-Charset: UTF-8, *q=0.1 X-Accept-Authentication: Negotiate, NTLM, Digest, Basic Accept-Language: en-US, *q=0.1 CSeq: 1 Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.predstrm, com.microsoft.wm.startupprofile End
Tue Jan 31 09:34:59 EST 2006 tmm tmm[1009] Rule test CLIENT_DATA: 12:00:00OTAwMTUwOTgzY2QyNGZiMGQ2OTYzZjdkMjhlMTdmNzI= RTSP/1.0 User-Agent: WMPlayer/10.0.0.380 guid/3300AD50-2C39-46C0-AE0A-36E84E0ABEED Accept: application/sdp Accept-Charset: UTF-8, *q=0.1 X-Accept-Authentication: Negotiate, NTLM, Digest, Basic Accept-Language: en-US, *q=0.1 CSeq: 1 Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.predstrm, com.microsoft.wm.startupprofile End
Tue Jan 31 09:34:59 EST 2006 tmm tmm[1009] Rule test CLIENT_DATA: time 12:00:00
Tue Jan 31 09:34:59 EST 2006 tmm tmm[1009] Rule test CLIENT_DATA: hashed and base64encoded OTAwMTUwOTgzY2QyNGZiMGQ2OTYzZjdkMjhlMTdmNzI=
Tue Jan 31 09:34:59 EST 2006 tmm tmm[1009] Rule test CLIENT_DATA: token is there. checking if valid
Tue Jan 31 09:34:59 EST 2006 tmm tmm[1009] 01220001 TCL error: Rule test CLIENT_DATA - conversion error invoked from within b64decode $hashed
Marc_Kozera_108Figured it out. So md5 on BIGIP doesnt support hex hashes, unlike TCL (-hex parameter). It will give you raw md5. I tried to convert this raw md5 to hex using binary scan H* but this was giving incorrect results.
Lessons learned ....
- md5 on BIGIP gives you raw md5 ... hex md5, neither conversion doesnt work. So now instead of base64 encoded md5 hex hashes, i am using base64 md5 raw hashes
Hope that help somebody ...