scan
5 Topics

Credentialed Scanning - F5OS - Rseries
After solving the remote authentication issue previously with F5OS, my next question is related to credentialed scanning on R series appliances running F5OS. The Tenable agent logs in via SSH and tries to run commands in the shell to pull system information. This has never been an issue on the iSeries appliances and BIG-IP guests, as they allow users directly to the shell upon login. All Linux commands run as intended. F5OS is a new beast for me to understand, as it dumps you into its own OS. The shell is protected and only root at the local level is allowed access to the Linux shell. This is the issue I face with credentialed scanning. Authentication works perfectly fine, but the ability to run the proper commands at the appropriate level seems to be locked, and it doesn't appear I can grant shell access to remote accounts. Anyone have any experience running authenticated scans on their rSeries appliances with F5OS?

58 Views, 0 likes, 0 Comments

iRule Help - Capture URI, Modify, and Redirect
I have two sets of incoming URLs I need to pick apart and redirect based on their content. Both with the same formatting.

https://my.site.org/A/B/find-a-thing1/garbage
https://my.site.org/A/B/find-a-thing1/thing1detail/actualthing1/garbage
https://my.site.org/A/B/find-a-thing2/garbage/moregarbage/additionalgarbage
https://my.site.org/A/B/find-a-thing2/thing2detail/actualthing2/garbage

"garbage" always starts with "!ut", but could have literally anything after that, including additional "/" and more content. Regardless, none of it is needed.

find-a-thing1 and find-a-thing2, as well as thing1detail and thing2detail, will not change in their respective paths.

actualthing1 and actualthing2 will not have any consistent behavior, specific text to key off of, or common length. I need to extract their values from the URI and use them in the redirect.

I'm thinking using scan may be what I need to do, but I don't have the experience to know how to write that from scratch. I don't really understand the scan function, just read from another post and modified. I need to now validate the part where I am extracting the information from the URI. I took a stab at it, but I think I need some assistance.

    when HTTP_REQUEST {
        set URI [string tolower [HTTP::uri]]
        if { $URI contains "find-a-thing1" and $URI contains "thing1detail"}
            set actualthing1value [scan $URI {/thing1detail/%[^/]/%[^.]/!ut}]
            HTTP::redirect https://new.http.host/things1/$actualthing1value
        if { $URI contains "find-a-thing1"}
            HTTP::redirect https://new.http.host/things1
        if { $URI contains "find-a-thing2" and $URI contains "thing2detail"}
            set actualthing2value [scan $URI {/thing2detail/%[^/]/%[^.]/!ut}]
            HTTP::redirect https://new.http.host/things2/$actualthing2value
        if { $URI contains "find-a-thing2"}
            HTTP::redirect https://new.http.host/things2
    }

477 Views, 0 likes, 5 Comments

Irule Path change after string
Hi Experts,

Need suggestions on the below query. We are trying to set up a redirect rule where, after the string, the path needs to change. Whatever path is typed after testcloud or testcloud.test.com, it should come after https://eklm.fa.us2.testcloud.com/

Example:

Actual request: http://testcloud/myrequest or etc.

should come as

HTTP::redirect https://myapps.microsoft.com/signin/test%20Fusion/da3ab29d-c42c-4682-87c1-165d7fc91029?tenantId=ff86d154-e37b-4fd7-a32d-64241a95e211&RelayState=https://eklm.fa.us2.testcloud.com/myrequest or etc.

The current iRule is:

    when HTTP_REQUEST {
        # Scan the hostname and issue redirect to correct pool or node based on request
        if {( [TCP::local_port] == 80 ) and ([string tolower [HTTP::host]] ne "testcloud")} {
            HTTP::respond 301 location "https://[getfield [HTTP::host] ":" 1][HTTP::uri]"
            return
        }
        switch -glob [string tolower [HTTP::host]] {
            "testcloud.test.com" -
            "testcloud" {
                HTTP::redirect https://myapps.microsoft.com/signin/test%20Fusion/da3ab29d-c42c-4682-87c1-165d7fc91029?tenantId=ff86d154-e37b-4fd7-a32d-64241a95e211&RelayState=https://eklm.fa.us2.testcloud.com/
                return
            }
            default {
                reject
                #SSL::disable serverside
            }
        }
    }

300 Views, 0 likes, 0 Comments

Extract headers from TCP payload
Hi,

I have a VS without an http profile, but it can process http traffic. When using TCP::collect I am getting something like this in TCP::payload:

"GET /?ip=10.20.10.2 HTTP/1.1 Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; vWorkspace) Accept-Encoding: gzip, deflate Host: wpad.test.com Connection: Keep-Alive "

- don't know why there is no \r\n here?

    findstr $str "Host: " 6

- does not terminate at the end of the line, so it returns "wpad.test.com Connection: Keep-Alive " - obviously because of how TCP::payload is presented as a string.

What could be used to reliably extract only the host from the Host header?

To retrieve the method and URI,

    scan [TCP::payload] {%[^ /]%s} method uri

seems to be working OK.

Now the question is whether the findstr and scan methods are correct here, or whether it could be implemented more elegantly/efficiently?

Piotr

290 Views, 0 likes, 0 Comments

Extract headers from TCP payload
Hi,

I have a VS without an http profile, but it can process http traffic. When using TCP::collect I am getting something like this in TCP::payload:

"GET /?ip=10.20.10.2 HTTP/1.1 Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; vWorkspace) Accept-Encoding: gzip, deflate Host: wpad.test.com Connection: Keep-Alive "

- don't know why there is no \r\n here?

    findstr $str "Host: " 6

- does not terminate at the end of the line, so it returns "wpad.test.com Connection: Keep-Alive " - obviously because of how TCP::payload is presented as a string.

What could be used to reliably extract only the host from the Host header?

To retrieve the method and URI,

    scan [TCP::payload] {%[^ /]%s} method uri

seems to be working OK.

Now the question is whether the findstr and scan methods are correct here, or whether it could be implemented more elegantly/efficiently?

Piotr

215 Views, 0 likes, 0 Comments