Forum Discussion
What_Lies_Bene1 (Cirrostratus), Jan 15, 2013
"It depends" is probably the best answer at this stage. In the first instance you should capture some packets of an RDP connection and see where the FQDN appears. Then you can collect data when a client initially connects, search for the relevant detail and route traffic accordingly.
Here's an example Nitass and I worked on recently in relation to POP3 and IMAP connections and usernames. It just logs, but obviously we can do anything required.
when CLIENT_ACCEPTED {
    if { ([TCP::local_port] == 143) or ([TCP::local_port] == 110) } {
        # Collect data if client is using unencrypted IMAP or POP3
        TCP::collect 0 0
    }
}
when CLIENT_DATA {
    if { [TCP::local_port] == 143 } {
        # Only do the following if client is using unencrypted IMAP and presumably
        # data has been collected
        if { [TCP::payload] contains "login" } {
            scan [TCP::payload] {%*s login %s} imapusername
            log local0. "Unencrypted IMAP connection established by $imapusername"
            # Release and flush collected data
            TCP::release
            # Stop processing the iRule for this event here
            return
        }
    } elseif { [TCP::local_port] == 110 } {
        # Only do the following if client is using unencrypted POP3 and presumably
        # data has been collected
        if { [TCP::payload] contains "USER" } {
            # Look for text 'USER', skip forward 1 character and match up to the end
            # of the line
            set pop3username [findstr [TCP::payload] "USER" "1"]
            log local0. "Unencrypted POP3 connection established by $pop3username"
            # Release and flush collected data
            TCP::release
            # Stop processing the iRule for this event here
            return
        }
    }
    # Release the data collected (if no match above)
    TCP::release
    # Collect data for subsequent packets
    TCP::collect
}
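As an added example (not part of the original post or the iRule above), the same username extraction in Python, run over constructed sample payloads, so the matching rules (the IMAP tag, a quoted username, the CRLF line terminator, a payload that has not fully arrived yet) can be checked before they go into an iRule. Port numbers and the log wording follow the iRule; the sample payloads are made up.

```python
import re
from typing import Optional

# Constructed sample payloads (not captured traffic), one per protocol,
# each as a client would send it on an unencrypted connection.
SAMPLE_IMAP = b"a001 LOGIN alice secret\r\n"
SAMPLE_POP3 = b"USER bob\r\n"
SAMPLE_PARTIAL = b"a002 LOG"   # line not complete yet: keep collecting

# IMAP: <tag> LOGIN <user> <pass>; the user may be a quoted string.
IMAP_LOGIN = re.compile(rb'^(\S+)\s+LOGIN\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# POP3: USER <name>
POP3_USER = re.compile(rb'^USER\s+(\S+)', re.IGNORECASE)


def extract_cleartext_login(local_port: int, payload: bytes) -> Optional[str]:
    """Return the username from the first complete command line in payload,
    or None if no login command (or no complete line) is present yet.
    Mirrors the iRule: port 143 -> IMAP LOGIN, port 110 -> POP3 USER."""
    if b"\r\n" not in payload:
        return None                    # equivalent of calling TCP::collect again
    line = payload.split(b"\r\n", 1)[0]
    if local_port == 143:
        m = IMAP_LOGIN.match(line)
        if m:
            user = m.group(2) if m.group(2) is not None else m.group(3)
            return user.decode("ascii", "replace")
    elif local_port == 110:
        m = POP3_USER.match(line)
        if m:
            return m.group(1).decode("ascii", "replace")
    return None


def log_lines(samples):
    """Produce the same log text the iRule emits, for each (port, payload) pair."""
    out = []
    for port, payload in samples:
        user = extract_cleartext_login(port, payload)
        if user is not None:
            proto = "IMAP" if port == 143 else "POP3"
            out.append(f"Unencrypted {proto} connection established by {user}")
    return out


if __name__ == "__main__":
    for entry in log_lines([(143, SAMPLE_IMAP), (110, SAMPLE_POP3), (143, SAMPLE_PARTIAL)]):
        print(entry)
```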