
STREAM::expression matches on single char only

EB-Peter
Nimbostratus

STREAM::expression {@AUSEFPPKI03@ZZ.ZZ@} never matches on the string "AUSEFPPKI03". If I substitute it with just an "A" (or any other character in the string), it does match but obviously doesn't give me the outcome I require. I've used this function before without issue.

 

I've simplified the fqdn down to ZZ.ZZ for privacy. The �� make me wonder if there's some wonky encoding going on. Any ideas?

 

 

STREAM::expression {@AUSEFPPKI03@ZZ.ZZ@} :

```
> GET /certsrv/mscep/ HTTP/1.1
> Host: ZZ.ZZ
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Date: Tue, 20 Apr 2021 04:07:00 GMT
< P3P: CP="{}"
< Set-Cookie: TS90040b9b029=08b6df318aab28008d0777f97de08a8efa35a947e8622df6f571beb28129c9a727b559de4535fe5847692d9195a4b584; Max-Age=30; Path=/
< Transfer-Encoding: chunked
<
��<HTML><Head><Meta HTTP-Equiv="Content-Type" Content="text/html; charset=UTF-8"><Title>Network Device Enrollment Service</Title></Head><Body BgColor=#FFFFFF><Font ID=locPageFont Face="Arial"><Table Border=0 CellSpacing=0 CellPadding=4 Width=100% BgColor=#008080><TR><TD><Font ID=locPageTitleFont Face="Arial" Size=-1 Color=#FFFFFF><LocID ID=locMSCertSrv>Network Device Enrollment Service</LocID></Font></TD></TR></Table><P ID=locPageTitle> Network Device Enrollment Service allows you to obtain certificates for routers or other network devices using the Simple Certificate Enrollment Protocol (SCEP). </P><P> This URL is used by network devices to submit certificate requests. <P> To obtain an enrollment challenge password, go to the admin URL. By default, the admin URL is <A HREF=http://AUSEFPPKI03/CertSrv/mscep_admin>http://AUSEFPPKI03/CertSrv/mscep_admin</A> </P> <P ID=locPageDesc> For more information see  <A HREF=http://go.microsoft.com/fwlink/?LinkId=67852>Using Network Device Enrollment Service </A>. </P></Font></Body></HTML>
```

 

 

STREAM::expression {@A@ZZ.ZZ@} :

```
> GET /certsrv/mscep/ HTTP/1.1
> Host: ZZ.ZZ
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Date: Tue, 20 Apr 2021 04:02:54 GMT
< P3P: CP="{}"
< Set-Cookie: TS90040b9b029=08b6df318aab2800bb24e7e9806d83fd6d72879a87a1fb24c4f1d3d4e8a86f0355194b1ba9ba3be02d17267fa7cbf7ae; Max-Age=30; Path=/
< Transfer-Encoding: chunked
<
��<HTML><Head><Meta HTTP-Equiv="Content-Type" Content="text/html; charset=UTF-8"><Title>Network Device Enrollment Service</Title></Head><Body BgColor=#FFFFFF><Font ID=locPageFont Face="ZZ.ZZrial"><Table Border=0 CellSpacing=0 CellPadding=4 Width=100% BgColor=#008080><TR><TD><Font ID=locPageTitleFont Face="ZZ.ZZrial" Size=-1 Color=#FFFFFF><LocID ID=locMSCertSrv>Network Device Enrollment Service</LocID></Font></TD></TR></Table><P ID=locPageTitle> Network Device Enrollment Service allows you to obtain certificates for routers or other network devices using the Simple Certificate Enrollment Protocol (SCEP). </P><P> This URL is used by network devices to submit certificate requests. <P> To obtain an enrollment challenge password, go to the admin URL. By default, the admin URL is <ZZ.ZZ HREF=http://ZZ.ZZUSEFPPKI03/CertSrv/mscep_admin>http://ZZ.ZZUSEFPPKI03/CertSrv/mscep_admin</ZZ.ZZ> </P> <P ID=locPageDesc> For more information see  <ZZ.ZZ HREF=http://go.microsoft.com/fwlink/?LinkId=67852>Using Network Device Enrollment Service </ZZ.ZZ>. </P></Font></Body></HTML>
```

 

 

My iRule: (I added some superfluous logging to help me see when/where it was matching)

```tcl
when HTTP_RESPONSE {
    log local0. "when"
    if {[HTTP::header value Content-Type] contains "text"} {
        log local0. "if"
        STREAM::expression {@AUSEFPPKI03@ZZ.ZZ@}
        STREAM::enable
    }
}
when HTTP_REQUEST {
    STREAM::disable
    HTTP::header remove "Accept-Encoding"
}
when STREAM_MATCHED {
    log local0.info "[IP::client_addr]_[TCP::local_port]: matched [STREAM::match]"
}
```

SanjayP
MVP

Interesting. You may already be aware of the fact that stream expression is case sensitive.

Is response chunking set to selective in the HTTP profile? If not, can you assign a custom HTTP profile with "selective" response chunking and see if that makes any difference?

EB-Peter
Nimbostratus

Hi Sanjay,

Thanks for replying! I'm on 16.0.1 and the only options available are Unchunk, Rechunk, Sustain. There's no selective option. I tried all three anyway and they did not help my problem.

It's not a case problem either.

😟

What does the logging say? Does it even find the string?

Would it be possible to try the iRule below to see if this makes any difference, just for testing?

 

```tcl
when RULE_INIT {
    set static::stream_response_body {
        "AUSEFPPKI03====ZZ.ZZ"
        "ausefppki03====ZZ.ZZ"
    }
}

when HTTP_REQUEST {
    STREAM::disable
    HTTP::header remove "Accept-Encoding"
}

when HTTP_RESPONSE {
    if {[llength $static::stream_response_body] > 0} {
        set expression ""
        foreach stream_request_rewriteRecord $static::stream_response_body {
            set stream_request_find [getfield $stream_request_rewriteRecord "====" 1]
            set stream_request_replace [getfield $stream_request_rewriteRecord "====" 2]
            if {$stream_request_replace == "nothing"} {
                set stream_request_replace ""
            }
            set expression "$expression@$stream_request_find@$stream_request_replace@"
        }
        if {[HTTP::header Content-Type] contains "text"} {
            if { [catch {
                STREAM::expression $expression
                STREAM::enable
            } result] } {
                #log local0. "fffffffffff $result"
            }
        }
    }
}
```

 

My logging shows a match on any single char, but no match for two or more consecutive chars in the string.

 

Your iRule produces the same http response as if there was no match.

crodriguez
F5 Employee

The encoding on the HTML data would appear to be UTF-8, as specified in the first META tag that appears in the HTML stream.

<Meta HTTP-Equiv="Content-Type" Content="text/html; charset=UTF-8">

The default translation mode on a STREAM expression is ascii (which means ISO-8859-1, including ascii). Try adding a STREAM::encoding utf-8 command to the iRule (before the STREAM::enable) to see if that makes a difference.

Where would you suggest I add that line? If I place it under 'HTTP_RESPONSE', I get the error:

 

 error: [command is not valid in current event context (HTTP_RESPONSE)][STREAM::encoding utf-8]
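
Added example (not part of the thread and not F5 code): a Python illustration of how a byte-oriented matcher can hit any single character of a string yet never match two consecutive ones. It assumes the two bytes rendered as �� in the curl output are a UTF-16LE byte-order mark, which the thread does not confirm; the function names and the sample body fragment are constructed for illustration.

```python
"""Byte-wise matching against a UTF-8 body versus a UTF-16LE body."""
import codecs

# Constructed sample: one anchor tag taken from the response body in the thread.
BODY_TEXT = "<A HREF=http://AUSEFPPKI03/CertSrv/mscep_admin>"

# Byte-order marks checked by sniff_encoding (UTF-32 is left out for brevity).
BOMS = [
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]


def make_body(encoding: str) -> bytes:
    """Build the sample body as a server would send it in the given encoding."""
    bom = {"utf-8": b"", "utf-16-le": codecs.BOM_UTF16_LE}[encoding]
    return bom + BODY_TEXT.encode(encoding)


def sniff_encoding(body: bytes, default: str = "utf-8") -> str:
    """Return the encoding implied by a leading byte-order mark, else default."""
    for bom, name in BOMS:
        if body.startswith(bom):
            return name
    return default


def bytewise_matches(body: bytes, needle: str) -> int:
    """Count hits the way a matcher sees them when the needle is plain ASCII bytes."""
    return body.count(needle.encode("ascii"))


def encoding_aware_replace(body: bytes, find: str, repl: str) -> bytes:
    """Encode find and repl in the body's own encoding before replacing."""
    enc = sniff_encoding(body)
    return body.replace(find.encode(enc), repl.encode(enc))


if __name__ == "__main__":
    for enc in ("utf-8", "utf-16-le"):
        body = make_body(enc)
        # In UTF-16LE every ASCII character is followed by a 0x00 byte, so the
        # bytes of "AUSEFPPKI03" are never adjacent, while a lone "A" still hits.
        print(f"{enc:10} first bytes: {body[:6].hex(' ')}",
              "| 'A' hits:", bytewise_matches(body, "A"),
              "| 'AUSEFPPKI03' hits:", bytewise_matches(body, "AUSEFPPKI03"))
```

To check a real response, save the body with curl and inspect its first bytes in a hex dump: `ff fe` at the start would indicate UTF-16LE regardless of what the META tag declares.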