Thanks for the reply, below is the code, I will have to get back to you on the others. I am encrypting the username/password from the server and decrypting on the way back from the client. I have it limited to my IP for now as I do not want to interrupt others. It is the Client communication(POST) that I am not seeing, although it looks as if it is in the same TCP connection.
when RULE_INIT {
SET THE ENCRYPTION KEY
set ::key [AES::key 128]
}
when HTTP_REQUEST {
LIMIT TO A TEST PC's IP
if { ([IP::client_addr] equals "x.x.x.x") } {
COLLECT THE CONTENT
switch [HTTP::method] {
"GET" {
log local0. "GET Request"
}
"POST" {
log local0. "POST Request"
if { [HTTP::header Content-Type] eq "application/x-www-form-urlencoded" } {
HTTP::collect [HTTP::header Content-Length]
}
}
}
}
}
when HTTP_REQUEST_DATA {
TESTING
set namevals [split [HTTP::payload] "&"]
for {set i 0} {$i < [llength $namevals]} {incr i} {
set params [split [lindex $namevals $i] "="]
log local0. " [lindex $params 0] : [lindex $params 1]"
}
}
when HTTP_RESPONSE {
WHEN SERVER SENDS PASSWORD, START COLLECTING
if { [IP::client_addr] equals "x.x.x.x" } {
if { [HTTP::header "Content-Length"] == 733 } {
HTTP::collect [HTTP::header Content-Length]
}
}
}
when HTTP_RESPONSE_DATA {
EXTRACT USERNAME AND PASSWORD
set user [findstr [HTTP::payload] "j_username\" value=\"" 19 "\""]
set pass [findstr [HTTP::payload] "j_password\" value=\"" 19 "\""]
ENCRYPT THE USERNAME AND PASSWORD
set encrypted_user [b64encode [AES::encrypt $::key $user]]
set encrypted_pass [b64encode [AES::encrypt $::key $pass]]
DETERMINE THE LOCATION AND LENGTH OF THE USERNAME
set user_begin [string first "j_username" [HTTP::payload] 0]
set user_begin [incr user_begin 19]
set user_end [string first "\"" [HTTP::payload] $user_begin]
set user_end [incr user_end -1]
set user_len [string length [string range [HTTP::payload] $user_begin $user_end]]
REPLACE THE USERNAME
HTTP::payload replace $user_begin $user_len $encrypted_user
DETERMINE THE LOCATION AND LENGTH OF THE PASSWORD
set encrypt_user_len [string length $encrypted_user]
set encrypt_user_end [incr user_begin $encrypt_user_len]
set pass_begin [string first "j_password" [HTTP::payload] $encrypt_user_end]
set pass_begin [incr pass_begin 19]
set pass_end [string first "\"" [HTTP::payload] $pass_begin]
set pass_end [incr pass_end -1]
set pass_len [string length [string range [HTTP::payload] $pass_begin $pass_end]]
REPLACE THE PASSWORD
HTTP::payload replace $pass_begin $pass_len $encrypted_pass
HTTP::release
}