Nimbostratus
Cirrostratus
Here's an example Nitass and I worked on recently in relation to POP3 and IMAP connections and usernames. It just logs but obviously we can do anything required.
when CLIENT_ACCEPTED {
if { ([TCP::local_port] == 143) or ([TCP::local_port] == 110) } {
Collect data if client is using unencrypted IMAP or POP3
TCP::collect 0 0
}
}
when CLIENT_DATA {
if { [TCP::local_port] == 143 } {
Only do the following if client is using unencrypted IMAP and presumably
data has been collected
if { [TCP::payload] contains "login" } {
scan [TCP::payload] {%*s login %s} imapusername
log local0. "Unencrypted IMAP connection established by $imapusername"
Release and flush collected data
TCP::release
Stop processing the iRule for this event here
return
}
}
elseif { [TCP::local_port] == 110 } {
Only do the following if client is using unencrypted POP3 and presumably data has been collected
if { [TCP::payload] contains "USER" } {
Look for text 'USER', skip forward 1 character and match up to the end
of the line
set pop3username [findstr [TCP::payload] "USER" "1"]
log local0. "Unencrypted POP3 connection established by $pop3username"
Release and flush collected data
TCP::release
Stop processing the iRule for this event here
return
}
}
Release the data collected (if not match above)
TCP::release
Collect data for subsequent packets
TCP::collect
}