Help with scan and cookie

AlexDeMarco · ‎19-Feb-2020

I am trying to parse out the ip and port being used is a persistence cookie

the Cookie name BIGipServer~TESTPartition~TEST_Server_7001

I found the snippet of code below:

scan [HTTP::cookie $bigipcookie] {%*[^\f]%*4x%2x%2x%2x%2xo%i} a b c d e

set Ip $a.$b.$c.$d

set Port $e

But it does not work I believe the scan does not like the format and I can't change the cookie format.

Any ideas how to modify it?

Nathan_F__F5_ · ‎20-Feb-2020

Hi Alex,

If the scan is saying that it doesn't like the IP and port being displayed in the cookie then you may just be able to enable cookie encryption. Please see the two articles below for more information.

K14784: Configuring cookie encryption within the HTTP profile (10.x - 15.x)

https://support.f5.com/csp/article/K14784

K23254150: Configuring cookie encryption for BIG-IP persistence cookies from the cookie persistence profile

https://support.f5.com/csp/article/K23254150

I hope that this helps.

-Nathan F

cjunior · ‎27-Feb-2020

Hi,

Another possibility, you are trying to read other cookie structure information.

The scan format "%*[^\f]%*4x%2x%2x%2x%2xo%i" is related to a "IPv4 pool members in non-default route domains"

See: https://support.f5.com/csp/article/K6917

e.g.

BIGipServer<pool_name>=rd5o00000000000000000000ffffc0000201o80

set cookie rd5o00000000000000000000ffffc0000201o80
scan $cookie {%*[^\f]%*4x%2x%2x%2x%2xo%i} a b c d e
set IP $a.$b.$c.$d
set PORT $e

If you have an "IPv4 pool members" scenario, maybe this code:

BIGipServer<pool_name>=1677787402.36895.0000

set cookie 1677787402.36895.0000
scan $cookie {%10d.%5d.%4d} a b c
set hex [format "%4x%4x%02x" $a $b $c]
set IP [expr 0x[string range $hex 6 7]].[expr 0x[string range $hex 4 5]].[expr 0x[string range $hex 2 3]].[expr 0x[string range $hex 0 1]]
set PORT [expr 0x[string range $hex 10 11][string range $hex 8 9]]

I hope it helps

Regards.

DevCentral

Help with scan and cookie