Hi Garry,
Here is an untested example. Try the first one with logging and if it works, then try the second one.
when HTTP_REQUEST {
Check if request is a POST
if {[HTTP::method] eq "POST"}{
Trigger collection for up to 1MB of data
if {([HTTP::header exists "Content-Length"]) && ([HTTP::header "Content-Length"] <= 1000000)}{
set content_length [HTTP::header "Content-Length"]
} else {
set content_length 1000000
}
if { [info exists content_length] } {
HTTP::collect $content_length
}
}
}
when HTTP_REQUEST_DATA {
String option to replace https://10.104.30.55 with http://10.104.30.55 in the payload
set payload_new [string map "https://10.104.30.55 http://10.104.30.55" [HTTP::payload]]
Regex option
regsub -all "https://10.104.30.55" [HTTP::payload] "http://10.104.30.55" payload_new
log "[IP::client_addr]:[TCP::client_port]: Replacing payload with new data $payload_new"
Replace the old payload with the updated one
HTTP::payload replace 0 [HTTP::payload length] $payload_new
}
Or with fewer intermediate variables:
when HTTP_REQUEST {
Check if request is a POST
if {[HTTP::method] eq "POST"}{
Trigger collection for up to 1MB of data
if {([HTTP::header exists "Content-Length"]) && ([HTTP::header "Content-Length"] <= 1000000)}{
set content_length [HTTP::header "Content-Length"]
} else {
set content_length 1000000
}
if { [info exists content_length] } {
HTTP::collect $content_length
}
}
}
when HTTP_REQUEST_DATA {
Replace https://... with http://... in the payload
HTTP::payload replace 0 [HTTP::payload length] [string map -nocase "https://10.104.30.55 http://10.104.30.55" [HTTP::payload]]
}
Aaron