Can you add a few log statements to the rule?
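
when CLIENT_ACCEPTED {
    # Log only connections from the client being debugged (x.x.x.x is a placeholder)
    if { [IP::client_addr] equals "x.x.x.x" } {
        log local0. "client [IP::client_addr]:[TCP::client_port] connected"
    }
}
when HTTP_REQUEST {
    # Log the request line for every request before any other processing
    log local0. "client [IP::client_addr]:[TCP::client_port] -> [HTTP::method] -> [HTTP::host][HTTP::uri] (HTTP v[HTTP::version])"
    # ... existing HTTP_REQUEST logic from the rule continues here ...
}
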
Then within the POST case, before any additional logic, add a log entry to show the Content-Type and Content-Length header values:

log local0. "client [IP::client_addr]:[TCP::client_port] -> \
    [HTTP::method] -> Content-Type: [HTTP::header value Content-Type], \
    Content-Length: [HTTP::header value Content-Length], \
    Transfer-Encoding: [HTTP::header value Transfer-Encoding]"

Aaron