For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kadall_14553's avatar
Kadall_14553
Icon for Nimbostratus rankNimbostratus
Jun 01, 2016

Trying to log cookies that are not encrypted. Need some iRule syntax help

I'm trying to look in the HTTP response to get the names of all the cookies that get set in the connection for configuring encryption in the profiles. I found that all the cookies values that are encrypted have an ! at the beginning. So what I came up with so far is this:

when HTTP_RESPONSE {
    Loop through each cookie by name
   foreach cookie [HTTP::cookie names] {
       set cookievalue [HTTP::cookie value $cookie]
if { $cookievalue starts_with "!" } {
       Log the cookie name and value
      log local0. "Virtual Server: [virtual name], Cookie name: $cookie, Encrypted Cookie value: [HTTP::cookie value $cookie]"
        }
   }
}

This gets me cookies that are encrypted and logs them but what I want is to log the ones that I haven't found yet so I can put those in the profile. A simple reverse of this as NOT starts_with should work but I can't find the correct syntax.

Thanks for any help!

devops
iRules

6 Replies

  • Vijay_E's avatar
    Vijay_E
    Icon for Cirrus rankCirrus
    Jun 01, 2016

    This is the "NOT logic":

    if { not ($cookievalue starts_with "!") } {

    Let me know if this works.

  • youssef1's avatar
    youssef1
    Icon for Cumulonimbus rankCumulonimbus
    Jun 01, 2016

    Hello

    You make it this way too

    If { !($cookievalue starts_with "!") } {

    Regards

  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Icon for Nacreous rankNacreous
    Jun 01, 2016

    Hi,

    What kind of encryption provide and encrypted string starting with "!"

    If you are using hash or AES, you should identify an encrypted string by the end of the string ==

    I suppose that the irule should then be : 

    when HTTP_RESPONSE {
    Loop through each cookie by name
   foreach cookie [HTTP::cookie names] {
       set cookievalue [HTTP::cookie value $cookie]
       if { !($cookievalue ends_with "==") } {
           Log the cookie name and value
          log local0. "Virtual Server: [virtual name], Cookie name: $cookie, Unencrypted Cookie"
       }
   }
}
    • Kadall_14553's avatar
      Kadall_14553
      Icon for Nimbostratus rankNimbostratus
      Jun 03, 2016
      I was using the http profile to encrypt cookies. The value did also have the "==" at the end. I might switch to this though or maybe combine as the more characters to match the better for less false positives. Thx!
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jun 01, 2016

    Hi,

    What kind of encryption provide and encrypted string starting with "!"

    If you are using hash or AES, you should identify an encrypted string by the end of the string ==

    I suppose that the irule should then be : 

    when HTTP_RESPONSE {
    Loop through each cookie by name
   foreach cookie [HTTP::cookie names] {
       set cookievalue [HTTP::cookie value $cookie]
       if { !($cookievalue ends_with "==") } {
           Log the cookie name and value
          log local0. "Virtual Server: [virtual name], Cookie name: $cookie, Unencrypted Cookie"
       }
   }
}
    • Kadall_14553's avatar
      Kadall_14553
      Icon for Nimbostratus rankNimbostratus
      Jun 03, 2016
      I was using the http profile to encrypt cookies. The value did also have the "==" at the end. I might switch to this though or maybe combine as the more characters to match the better for less false positives. Thx!