Forum Discussion
JRahm
Jun 26, 2008Admin
Yes, it will be uie persistence instead of msrdp persistence, but that shouldn't matter. To persist for 3 hours, change the rule to this:
when CLIENT_ACCEPTED {
TCP::collect
}
when CLIENT_DATA {
TCP::collect 25
binary scan [TCP::payload] x11a* msrdp
log local0. "Contents after binary scan: $msrdp"
if { [string equal -nocase -length 17 $msrdp "cookie: mstshash="] } {
set msrdp [string range $msrdp 17 end]
set len [string first "\n" $msrdp]
if { $len == -1 } {
TCP::collect
return
}
if { $msrdp contains "@" } {
if { $len > 5 } {
incr len -1
log local0. "Data Persisting on: [getfield $msrdp "@" 1]"
persist uie [getfield $msrdp "@" 1] 10800
}
} else { persist uie $msrdp 10800 }
}
TCP::release
}