Forum Discussion

Victor_Soares
Apr 29, 2021

Creating an iRule to send/extract the payload of HTTP request to remote server

Hi guys! Recently my CTO asked me if it is possible to extract the payload of the HTTP request from the local log (BIG-IP) and send this information to our remote servers. Today we can't extract this information to send it to our customers, and we can't see anything like a "payload" or "body" of the HTTP request. Is there a way to make this possible using an iRule? When we receive the request, it would extract only the payload (or the complete request with the payload) and send it to our remote servers?


Best Regards.

10 Replies

  • Hi Victor,


    it is possible; you can use this iRule as a basis to start from and modify it to your needs:

    Log large HTTP payloads in chunks locally and remotely

    From a performance perspective it is OK, since it uses HSL for remote logging. Be careful to set the limit for the collected payload to 32 MB; if you try to log anything larger than 32 MB, your TMM will crash.

    But if you explain the use case, maybe there is a better solution than doing this with iRules, and maybe there is also a better way than doing this on the BIG-IP.


    KR

    Daniel

    • jaikumar_f5

      While you do this, make sure you are not exposing sensitive, confidential information in the logs or on the remote servers. So depending on the criticality of the application, handle this accordingly.


      Else you'll end up creating a security issue.

      • Victor_Soares

        Dear Jaikumar, for now we're only testing on our own homolog website, to understand what type of information we'll receive and to mask all future sensitive, confidential information. Thank you so much for this information.
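The two points raised above (ship the body to a remote collector over HSL in chunks, and keep credentials out of what leaves the box) can be combined in one iRule. The following is an added example written for this page; it is not the iRule linked in the reply, nor F5-supplied code. It assumes a pool named `syslog_pool` pointing at the remote log servers, a 1 MiB collection cap, a 1024-byte chunk size, and a redaction pattern covering a handful of common credential field names; all of those are illustrative choices and should be tuned to the application.

```tcl
# Added example (not from the thread or from F5): collect a bounded amount of
# request body, redact credential-like fields, and send the result to a remote
# collector over HSL in fixed-size, sequence-numbered chunks.
# Assumptions: a pool "syslog_pool" exists; the redaction field list below
# is a starting point, not a complete inventory for any real application.

when RULE_INIT {
    # Hard cap on the body collected per request (1 MiB). HTTP::collect buffers
    # in TMM memory, so keep this far below the 32 MB figure quoted above.
    set static::payload_cap 1048576
    # Bytes of body per HSL message. Syslog over UDP truncates large datagrams,
    # so chunk well below the MTU and let the collector reassemble by sequence.
    set static::chunk_size 1024
}

when HTTP_REQUEST {
    # Decide how much to collect. Content-Length may be absent when the client
    # uses chunked transfer encoding; in that case collect up to the cap.
    set collect_len 0
    if { [HTTP::header exists "Content-Length"] } {
        set cl [HTTP::header "Content-Length"]
        if { [string is integer -strict $cl] && $cl > 0 } {
            set collect_len [expr {$cl < $static::payload_cap ? $cl : $static::payload_cap}]
        }
    } elseif { [HTTP::header exists "Transfer-Encoding"] } {
        set collect_len $static::payload_cap
    }
    if { $collect_len > 0 } {
        # One HSL handle per request plus a correlation key for the collector.
        set hsl [HSL::open -proto UDP -pool syslog_pool]
        set req_key "[IP::client_addr]:[TCP::client_port]/[HTTP::request_num]"
        set req_line "[HTTP::method] [HTTP::host][HTTP::uri]"
        HTTP::collect $collect_len
    }
}

when HTTP_REQUEST_DATA {
    set body [HTTP::payload]

    # Redact values of credential-like fields in form-encoded or JSON bodies
    # before anything leaves the box. The pattern keeps the key and replaces
    # the value with a fixed marker. Assumed field list; extend for the app.
    # Note: regsub over up to 1 MiB per request costs CPU on every request.
    regsub -all -nocase \
        {("?(?:password|passwd|pwd|token|secret|authorization)"?\s*[=:]\s*"?)[^&"\s]*} \
        $body {\1[REDACTED]} body

    set total [string length $body]
    set nchunks [expr {($total + $static::chunk_size - 1) / $static::chunk_size}]
    set seq 0
    for { set off 0 } { $off < $total } { incr off $static::chunk_size } {
        incr seq
        set chunk [string range $body $off [expr {$off + $static::chunk_size - 1}]]
        # <134> = facility local0, severity info. One message per chunk carrying
        # the correlation key and "seq/total" so the collector can reassemble.
        HSL::send $hsl "<134> req=$req_key seq=$seq/$nchunks line=\"$req_line\" body=$chunk\n"
    }
    # Hand the buffered body back to the proxy so the request proceeds.
    HTTP::release
}
```

Two design choices worth noting: the body is redacted before chunking, so a secret straddling a chunk boundary is never a concern, and requests without a body (no `Content-Length` and no `Transfer-Encoding`) are never collected, so `HTTP_REQUEST_DATA` and the HSL traffic only happen when there is something to log. Anything that is already an attack string when it reaches the collector is still an attack string; make sure the collector treats these messages as untrusted data, not as something to render or execute.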

    • Victor_Soares

      Hello Daniel!


      First of all, thank you so much for your information!


      Let me explain a little bit more.


      Today we have 2 remote servers, both of them receiving the logs of our F5 appliances. We are working towards disabling the local logs of our appliances in the future and doing troubleshooting only with our 2 remote servers, which receive these logs internally only. The problem is, we're sending the "query_string" field with every alert/block, but in some cases the "query_string" field doesn't show anything: the field is there, but without any information. We detected that some types of signatures, like XSS and SQL, do not send the values of the exact query string that matched the attack signature, but if we look at our local log on the F5 we can see the string that matches the attack signature.


      Best Regards,


      Victor.

      • gersbah

        Maybe I misunderstood your question, but you can select the "request" field in your log profile to log the entire HTTP request (headers + body).

        Of course, for big requests this will still be limited by the max entry length you also configure in the log profile, but maybe the 64k, or whatever the max length for standard log profiles is, is already enough for your use case.

        If you do use this, make sure it's the last field in your log format. That way, if a request does exceed the limit, you don't lose any of the other log fields.