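when RULE_INIT {
    # Key shared with HTTP_REQUEST_DATA, which uses it for AES-128-CBC decryption.
    # It is embedded in the iRule source, so read access to the rule is read access
    # to the key.
    set static::hexkey "xxxxxxxxxxxxxxxxx"

    # The original wrote the key itself to local0 (and was missing the space before
    # the quoted string on two of the log lines). A secret must not land in syslog;
    # confirm only that the key was loaded and how long it is.
    log local0.info "====Rule_Init===="
    log local0.info "Key loaded ([string length $static::hexkey] hex chars)"
    log local0.info "================="
}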
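when HTTP_REQUEST {
    # Strip Accept-Encoding and force HTTP/1.0 for the server side; presumably so the
    # body is delivered as one uncompressed, unchunked buffer for HTTP::collect — confirm.
    HTTP::header remove "Accept-Encoding"
    if { [HTTP::version] eq "1.1" } {
        if { [HTTP::header is_keepalive] } {
            HTTP::header replace "Connection" "Keep-Alive"
        }
        HTTP::version "1.0"
    }

    # OPTIONS requests and the two exempt URI prefixes are forwarded untouched.
    if { [HTTP::method] eq "OPTIONS" } { return }
    if { [HTTP::uri] starts_with "/xxxx/claims/v1/xxxxxx" } { return }
    if { [HTTP::uri] starts_with "/xxx/v1/xxxxxxx" } { return }

    # Collect up to 1 MB of the request body.
    # Content-Length is client-controlled: a non-numeric value must not reach the
    # numeric comparison, which raised a Tcl error in the original (whose two
    # explanatory lines were also missing the leading '#', a parse error on load).
    set max_collect 1048576
    set cl [HTTP::header "Content-Length"]
    if { [string is integer -strict $cl] && $cl <= $max_collect } {
        set content_length $cl
    } else {
        set content_length $max_collect
    }

    # Nothing to collect for an empty body; HTTP_REQUEST_DATA would never fire.
    if { $content_length > 0 } {
        HTTP::collect $content_length
    }
}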
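when HTTP_REQUEST_DATA {
    # Same exemptions as HTTP_REQUEST: those requests were never collected.
    if { [HTTP::method] eq "OPTIONS" } { return }
    if { [HTTP::uri] starts_with "/xxxx/claims/v1/xxxxxx" } { return }
    if { [HTTP::uri] starts_with "/xxx/v1/xxxxxxx" } { return }

    log local0.info [HTTP::uri]

    # NOTE(review): a constant IV with AES-CBC means equal plaintext prefixes give
    # equal ciphertext prefixes; kept as-is because the client presumably encrypts
    # with the same fixed IV — confirm with the client implementation.
    set iv "xxxxxxxxxx"
    set payload [HTTP::payload]

    # Crude extraction of the base64 ciphertext: remove JSON punctuation and the
    # literal substrings "set" and "value". Those substrings would also be removed
    # from inside the base64 text itself — verify this cannot occur for the client's encoding.
    set payload_without_json [string map {\{ {} \} {} \[ {} \] {} \" {} set {} value {} \: {}} $payload]

    # The original logged the raw body, the ciphertext and the decrypted plaintext to
    # local0. The body is attacker-controlled and the plaintext is the data the
    # encryption protects, so only sizes are logged. A decode/decrypt failure
    # previously raised a Tcl error while the request was still held by HTTP::collect;
    # it is now reported to the client instead of forwarding undecryptable data.
    log local0.info "payload length: [string length $payload]"
    if { [catch {
        set text_to_decrypt [b64decode $payload_without_json]
        set dec_out_no_binary [CRYPTO::decrypt -alg aes-128-cbc -keyhex $static::hexkey -ivhex $iv $text_to_decrypt]
    } err] } {
        log local0.err "decrypt failed for [HTTP::uri]: $err"
        HTTP::respond 400 content "Bad Request"
        return
    }
    log local0.info "decrypted length: [string length $dec_out_no_binary]"

    # Replace the whole collected body with the plaintext and hand the request on.
    # (The original also ran `binary scan ... H* enc_hex`; enc_hex was never used.)
    HTTP::payload replace 0 [HTTP::payload length] $dec_out_no_binary
    HTTP::release
}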