CirrostratusI have a similar use case, but with a non HTTP VIP that is in front of a DB2 database. It's a standard VS with only a TCP wan optimized profile attached that we need to DLP protect whether it be iRule or similar to ASM. In looking a sample packet capture I was able to capture a below from a sample database entry created to see if we can mask and log when we get hits for our SIEM.
.X.Q...R
.D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!....!F..7.S...1$P....'FOR READ ONLY WITH EXTENDED INDICATORS ..*.C...$$......SELECT * FROM tblAccounts..S.A...M ..D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!F..[.....U ..D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!.......!]..n.C...h$......00000SQL11014......................... ..TESTDB ..............U................................................ACCTINT..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....ACCTINT......................................ACCTCHAR..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....ACCTCHAR......................................COMMENTS..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....COMMENTS......................................DT..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....DT..........C....$...2.R...,"....I....!.$...!....!P...![..........$`$B.(.S..."$..v....>..?..%.. q.T......q.....B.S...<$....q........1111111111111111...Contains an account number 1111-1111-1111-1111.2019-07-08-16.15.29.444000.....[......2111111111111111...Contains an account number 2111-1111-1111-1111.2019-07-08-16.15.53.382000...q...
....3111111111111111...Contains an account number 3111-1111-1111-1111.2019-07-08-16.18.25.071000.&.R... "....I....!.......@@@@@@@@@@@@.Y.....S$..d...02000SQLRI01F......................... ..TESTDB ............. ..........+.R...%"....I....!....!.......@@@@@@@@@@@@...S....$.......................U.X.Q...R
.D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!....!F..7.S...1$P....'FOR READ ONLY WITH EXTENDED INDICATORS ..*.C...$$......SELECT * FROM tblAccounts..S.A...M ..D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!F..[.....U ..D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!.......!]..n.C...h$......00000SQL11014......................... ..TESTDB ..............U................................................ACCTINT..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....ACCTINT......................................ACCTCHAR..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....ACCTCHAR......................................COMMENTS..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....COMMENTS......................................DT..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....DT..........C....$...2.R...,"....I....!.$...!....!P...![..........$`$B.(.S..."$..v....>..?..%.. q.T......q.....B.S...<$....q........1111111111111111...Contains an account number 1111-1111-1111-1111.2019-07-08-16.15.29.444000.....[......2111111111111111...Contains an account number 2111-1111-1111-1111.2019-07-08-16.15.53.382000...q...
....3111111111111111...Contains an account number 3111-1111-1111-1111.2019-07-08-16.18.25.071000.&.R... "....I....!.......@@@@@@@@@@@@.Y.....S$..d...02000SQLRI01F......................... ..TESTDB ............. ..........+.R...%"....I....!....!.......@@@@@@@@@@@@...S....$.......................p.X.Q...R
.D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!....!F..7.S...1$P....'FOR READ ONLY WITH EXTENDED INDICATORS ..*.C...$$......SELECT * FROM tblAccounts..S.A...M ..D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!F..[.....U ..D!.......@@@@@@@@@@@@......@@@@@@@@@@@@........@@@@@@@@@@SYSLVL01....!.......!]..n.C...h$......00000SQL11014......................... ..TESTDB ..............U................................................ACCTINT..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....ACCTINT......................................ACCTCHAR..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....ACCTCHAR......................................COMMENTS..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....COMMENTS......................................DT..........................TESTDB..TBLACCOUNTS....TBLACCOUNTS....DB2ADMIN....DT..........C....$...2.R...,"....I....!.$...!....!P...![..........$`$B.(.S..."$..v....>..?..%.. q.T......q.....B.S...<$....q........1111111111111111...Contains an account number 1111-1111-1111-1111.2019-07-08-16.15.29.444000.....[......2111111111111111...Contains an account number 2111-1111-1111-1111.2019-07-08-16.15.53.382000...q...
....3111111111111111...Contains an account number 3111-1111-1111-1111.2019-07-08-16.18.25.071000.&.R... "....I....!.......@@@@@@@@@@@@.Y.....S$..d...02000SQLRI01F......................... ..TESTDB ............. ..........+.R...%"....I....!....!.......@@@@@@@@@@@@...S....$.......................R