tcp payload
4 Topics

Detect regexp pattern in tcp payload
I was hoping someone could help me out on the proper syntax and approach to using either matches_regex or regexp to match a string pattern in a TCP payload. Basically I am trying to detect if within a payload there is a string comprised of 8-16 characters that can be either upper case, lower case or numeric, with no spaces or returns. I have tried the following but have had no success:

    when CLIENT_ACCEPTED {
        TCP::collect
    }
    when CLIENT_DATA {
        set payload [TCP::payload]
        if { [regexp {[a-zA-Z0-9] {8,16}} $payload] } {
            log local0. "Got a match!"
        }
    }

My regex isn't strong so I don't know if that's where I'm messing up or if my syntax/approach to this iRule is wrong. I haven't found the matches_regex or regexp documentation to be all too helpful, so I'm hoping the dev community can help out!

468 Views, 0 likes, 3 Comments

Stream expression for TCP payload
So I have been trying to find the most efficient way to detect string patterns within HTTP payloads. I have found out the best way to tackle this (from what I know so far) is to use a stream profile within an HTTP_RESPONSE event and specify a regular expression. So for my test, I wanted to capture an alphanumeric string between 13-16 characters long. I was specifically looking for the value AAAFFFggg12345 and was successful. It did return other values, but that's beside the point I'm getting to. This is how I approached it, a stream profile within an HTTP_RESPONSE event:

    when HTTP_REQUEST {
        STREAM::disable
        if { [HTTP::header value "Host"] equals "winweb1.clearshark.net" } {
            set host [HTTP::header value "Host"]
            HTTP::header remove "Accept-Encoding"
        }
    }
    when HTTP_RESPONSE {
        if { [info exists host] } {
            if { $host equals "winweb1.clearshark.net" } {
                STREAM::expression {@[a-zA-Z0-9]{13,16}@}
                STREAM::enable
            }
        }
    }
    when STREAM_MATCHED {
        log local0. "Stream matched [STREAM::match]"
    }

Now... I want to do the same exact thing, but not within an HTTP_RESPONSE event. Essentially I want to just look within a TCP payload and find the same string. I have tried the following but have had no success.

    when CLIENT_ACCEPTED {
        STREAM::disable
    }
    when SERVER_CONNECTED {
        TCP::collect
        if { [IP::client_addr] equals "172.16.211.103" } {
            log local0. "Stream enabled"
            STREAM::expression {@[a-zA-Z0-9]{13,16}@}
            STREAM::enable
        }
    }
    when STREAM_MATCHED {
        log local0. "[IP::client_addr]:[TCP::local_port] : Matched : [STREAM::match]"
    }

I am not seeing the string value AAAFFFggg12345 in my logs like I did when triggering within an HTTP_RESPONSE event. I know this seems like a quirky use case, but this is simply for a proof of concept for a client. If I can successfully make this happen, I'll branch off to other tests. But I need to make sure this works first before I move forward. I appreciate any and all help!

304 Views, 0 likes, 2 Comments

Extract headers from TCP payload
Hi, I have a VS without an http profile, but it can process http traffic. When using TCP::collect I am getting something like this in TCP::payload:

    GET /?ip=10.20.10.2 HTTP/1.1
    Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
    Accept-Language: en-US
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; vWorkspace)
    Accept-Encoding: gzip, deflate
    Host: wpad.test.com
    Connection: Keep-Alive

- don't know why there is no \r\n here?

    findstr $str "Host: " 6

- does not terminate on end of line, so it returns "wpad.test.com Connection: Keep-Alive " - obviously because of how TCP::payload is presented as a string. What could be used to reliably extract only the host from the Host header?

To retrieve method and URI,

    scan [TCP::payload] {%[^ /]%s} method uri

seems to be working ok. Now the question is if the findstr and scan methods are correct here, or if it could be implemented more elegantly/efficiently?

Piotr

272 Views, 0 likes, 0 Comments
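The two parsing problems raised in "Detect regexp pattern in tcp payload" and "Extract headers from TCP payload" can both be reproduced outside a BIG-IP with plain Tcl, which is what iRules are written in. The script below is an added example, not code from either thread or from F5: TCP::collect, TCP::payload and findstr only exist inside an iRule, so the payload is a constructed sample string, and the procedure names (brokenMatch, findTokens, hostHeader, requestLine) are mine. It runs under tclsh.

```tcl
# Added example, not code from either DevCentral thread: plain Tcl (run with
# tclsh) covering "Detect regexp pattern in tcp payload" and "Extract headers
# from TCP payload". TCP::collect, TCP::payload and findstr exist only inside
# a BIG-IP iRule, so the payload is a constructed sample string here; the
# procedure names (brokenMatch, findTokens, hostHeader, requestLine) are mine.

# Constructed sample of what TCP::payload holds for a plain-HTTP request.
# Header lines really are CRLF-terminated; a log viewer renders the CR/LF as
# line breaks, which is why they look absent in a pasted log entry.
set payload "GET /?ip=10.20.10.2 HTTP/1.1\r\nAccept: image/jpeg, image/gif\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\nHost: wpad.test.com\r\nConnection: Keep-Alive\r\nX-Token: AAAFFFggg12345\r\n\r\n"

# The thread's pattern {[a-zA-Z0-9] {8,16}} has a space between the class and
# the quantifier, so it means "one alphanumeric followed by 8 to 16 spaces".
# Nothing in an HTTP request looks like that, hence no match was ever logged.
proc brokenMatch {data} {
    return [regexp {[a-zA-Z0-9] {8,16}} $data]
}

# Corrected pattern: the quantifier directly follows the class. The leading
# group and the trailing lookahead require a non-alphanumeric character (or
# the string boundary) on each side, so an 8-16 character slice of a longer
# word is not reported as a hit. Returns every qualifying token in order.
proc findTokens {data} {
    set tokens {}
    set re {(?:^|[^a-zA-Z0-9])([a-zA-Z0-9]{8,16})(?=[^a-zA-Z0-9]|$)}
    foreach {full tok} [regexp -all -inline $re $data] {
        lappend tokens $tok
    }
    return $tokens
}

# Host extraction: -line makes ^ anchor at each line start and [^\r\n]+ stops
# at the CR, so only the header value is captured. findstr without a
# terminator runs on to the end of the payload, which is why the thread saw
# "wpad.test.com Connection: Keep-Alive ..." as the result.
proc hostHeader {data} {
    if {[regexp -line -nocase {^Host:[ \t]*([^\r\n]+)} $data -> host]} {
        return [string trim $host]
    }
    return ""
}

# Request line: each %s reads one whitespace-delimited field, so three of them
# give method, URI and version; the thread's {%[^ /]%s} is a two-field variant.
proc requestLine {data} {
    if {[scan $data {%s %s %s} method uri version] == 3} {
        return [list $method $uri $version]
    }
    return {}
}

puts "broken pattern matched: [brokenMatch $payload]"
puts "8-16 character alphanumeric tokens: [findTokens $payload]"
puts "Host header: [hostHeader $payload]"
puts "request line: [requestLine $payload]"
```

Inside an iRule the same regexp and scan calls work on `[TCP::payload]` directly. Two things worth noticing when reading the output: the corrected pattern matches ordinary words such as "compatible" and "Connection" in the sample as well as the AAAFFFggg12345 token, so "8-16 alphanumeric characters" on its own is a very noisy detection criterion and usually needs a surrounding delimiter or header name to be useful; and the findstr command does take an optional fourth terminator argument, so `findstr $payload "Host: " 6 "\r"` would stop at the end of the header line without the regexp.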