
Help with scan and cookie

AlexDeMarco
Nimbostratus

I am trying to parse out the IP and port being used in a persistence cookie.

 

The cookie name is BIGipServer~TESTPartition~TEST_Server_7001

I found the snippet of code below:

scan [HTTP::cookie $bigipcookie] {%*[^\f]%*4x%2x%2x%2x%2xo%i} a b c d e

set Ip $a.$b.$c.$d

set Port $e

 

But it does not work. I believe the scan does not like the format, and I can't change the cookie format.

Any ideas how to modify it?

2 REPLIES

Nathan_F__F5_
F5 Employee

Hi Alex,

 

If the scan is saying that it doesn't like the IP and port being displayed in the cookie then you may just be able to enable cookie encryption. Please see the two articles below for more information.

 

K14784: Configuring cookie encryption within the HTTP profile (10.x - 15.x)

https://support.f5.com/csp/article/K14784

 

K23254150: Configuring cookie encryption for BIG-IP persistence cookies from the cookie persistence profile

https://support.f5.com/csp/article/K23254150

 

I hope that this helps.

 

-Nathan F

cjunior
Nacreous

Hi,

Another possibility: you are trying to read information from another cookie structure.

The scan format "%*[^\f]%*4x%2x%2x%2x%2xo%i" is related to "IPv4 pool members in non-default route domains".

See: https://support.f5.com/csp/article/K6917

 

e.g.

BIGipServer<pool_name>=rd5o00000000000000000000ffffc0000201o80

set cookie rd5o00000000000000000000ffffc0000201o80

scan $cookie {%*[^\f]%*4x%2x%2x%2x%2xo%i} a b c d e

set IP $a.$b.$c.$d

set PORT $e

 

If you have an "IPv4 pool members" scenario, maybe this code:

BIGipServer<pool_name>=1677787402.36895.0000

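set cookie 1677787402.36895.0000

scan $cookie {%10d.%5d.%4d} a b c

# Zero-pad each field so the string range offsets below always line up

set hex [format "%08x%04x%02x" $a $b $c]

# The IP octets are stored in reverse order

set IP [expr 0x[string range $hex 6 7]].[expr 0x[string range $hex 4 5]].[expr 0x[string range $hex 2 3]].[expr 0x[string range $hex 0 1]]

# The two port bytes are stored swapped

set PORT [expr 0x[string range $hex 10 11][string range $hex 8 9]]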

I hope it helps

 

Regards.
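
An added example (not part of the reply above and not F5 code): a Python decoder for the two unencrypted IPv4 cookie value layouts shown in this reply, for checking offline which layout a value uses and what IP and port an iRule should extract from it. The function name and regular expressions are this example's own; any other value, such as an encrypted cookie, is rejected.

```python
import ipaddress
import re
import struct

# Plain IPv4 member: <IP as reversed-octet decimal>.<byte-swapped port>.0000
PLAIN_V4 = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
# IPv4 member in a route domain: rd<id>o<IPv4-mapped address in hex>o<port>
RD_V4 = re.compile(r"^rd(\d+)o0{20}ffff([0-9a-fA-F]{8})o(\d{1,5})$")


def decode_bigip_cookie(value):
    """Return (ip, port, route_domain) for an unencrypted IPv4 cookie value.

    route_domain is None for the plain layout. Raises ValueError for any
    value that matches neither layout (for example an encrypted cookie).
    """
    m = PLAIN_V4.match(value)
    if m:
        enc_ip, enc_port = int(m.group(1)), int(m.group(2))
        if enc_ip > 0xFFFFFFFF or enc_port > 0xFFFF:
            raise ValueError("encoded field out of range")
        # The address is stored with its four octets reversed.
        ip = ipaddress.IPv4Address(struct.pack("<I", enc_ip))
        # The port is stored with its two bytes swapped.
        port = struct.unpack("<H", struct.pack(">H", enc_port))[0]
        return str(ip), port, None

    m = RD_V4.match(value)
    if m:
        port = int(m.group(3))
        if port > 0xFFFF:
            raise ValueError("port out of range")
        # Here the address is plain big-endian hex and the port is decimal.
        ip = ipaddress.IPv4Address(bytes.fromhex(m.group(2)))
        return str(ip), port, int(m.group(1))

    raise ValueError("not a recognised unencrypted IPv4 persistence value")


if __name__ == "__main__":
    # Sample values taken from the reply above.
    samples = ["1677787402.36895.0000",
               "rd5o" + "0" * 20 + "ffffc0000201o80"]
    for sample in samples:
        print(sample, "->", decode_bigip_cookie(sample))
```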