Forum Discussion

jonathan_239725's avatar
jonathan_239725
Icon for Nimbostratus rankNimbostratus
Nov 23, 2016

Stream expression for TCP payload

So I have been trying to find the most efficient way to detect string patterns within HTTP payloads. I have found out the best way to tackle this (from what I know so far) is to use a stream profile within a HTTP_RESPONSE event and specify a reg expression. So for my test, I wanted to capture alpha numeric string between 13-16 characters long. I was specifically looking for the value AAAFFFggg12345 and was successful. I did return other values but thats beside the point I'm getting to. This is how I approached it a stream profile within a HTTP_RESPONSE event.

when HTTP_REQUEST {

STREAM::disable

 if { [HTTP::header value "Host"] equals "winweb1.clearshark.net"} {

        set host [HTTP::header value "Host"]
        HTTP::header remove "Accept-Encoding"

    }

}

when HTTP_RESPONSE {

if {[info exists host]} {

    if {$host equals "winweb1.clearshark.net"} {

        STREAM::expression {@[a-zA-Z0-9]{13,16}@}
        STREAM::enable


    }

} }

when STREAM_MATCHED {

log local0. "Stream matched [STREAM::match]"

}

Now...

I want to do the same exact thing, but not within an HTTP_RESPONSE event. Essentially I want to just look within a TCP payload and find the same string. I have tried the following but have had no success.

when CLIENT_ACCEPTED {

STREAM::disable

}

when SERVER_CONNECTED {

TCP::collect

if {[IP::client_addr] equals "172.16.211.103"} {

    log local0. "Stream enabled"
    STREAM::expression {@[a-zA-Z0-9]{13,16}@}
    STREAM::enable

}

}

when STREAM_MATCHED {

log local0. "[IP::client_addr]:[TCP::local_port] : Matched : [STREAM::match]"

}

I am not seeing the string value AAAFFFggg12345 in my logs like I did when triggering within a HTTP_RESPONSE event.

I know this seems like a quirky use case but this is simply for a proof of concept for a client. If I can successfully make this happen, I'll branch off to other tests. But I need to make sure this works first before I move forward.

I appreciate any and all help!

  • Still having the same issue. I'm wondering if I can't detect the string pattern because HTTP compression is enabled. I disable it when I do it with an HTTP event. Any and all wisdom is appreciated! Thanks!

     

  • Certainly if HTTP compression is enabled, you will not be able to detect a string that is part of the HTTP payload unless you decompress first. (Same if it is SSL encrypted - you have to terminate SSL first.)