Nimbostratus
Also, searching on "xml version" could return results for other POSTS that are uploading XML content. If you want to search specifically for SOAP messages, you should use part of standard SOAP requests. Here's the POST data for the iControl System::get_system_id() method.
soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
xmlns:namesp1="urn:iControl:System/SystemInfo" />
Now, keep in mind that you need to be careful what identifiers you pick from here as some are dependent on the encoding method of the SOAP call (in this case rpc/enc - doc/lit is another popular option). Also, namespace prefixes can be anything that the client toolkit decides they should be. So, for example, searching for "
If it were me writing this rule, I'd shy away from the CLIENT_DATA approach as you do not have a guarantee as to the content-lenght or the beginning of the POST data. I would go the HTTP_REQUEST route with something like the following:
when HTTP_REQUEST {
HTTP::collect [HTTP::header Content-Length]
}
when HTTP_REQUEST_DATA {
if { [HTTP::payload] contains "http://schemas.xmlsoap.org/soap/envelope/" } {
log "SOAP Request"
return from this event and allow request through
return
} else {
log "Non-SOAP Request"
HTTP::header remove "If-Modified-Since"
HTTP::header remove "If-None-Match"
if { [HTTP::cookie exists oatmeal_cookie] != 1 } {
redirect client to new url and return from event.
HTTP::redirect "http://www.somewhere.com/"
return
}
}
}
-Joe