OK, here's an improvement using findstr to pull out just the username and restricting data collection to port 143 connections:
when CLIENT_ACCEPTED {
    if { [TCP::local_port] == 143 } {
        # Collect 300 bytes of data if client is using unencrypted IMAP
        TCP::collect 300
    }
}
when CLIENT_DATA {
    if { [TCP::local_port] == 143 } {
        # Only do the following if client is using unencrypted IMAP and presumably data has been collected
        if { [TCP::payload 300] contains "login" } {
            # Look for text 'login', skip 6 characters from the start of the match
            # ('login' plus the following space) and match up to the next space
            set imapusername [findstr [TCP::payload 300] "login" 6 " "]
            log local0. "Unencrypted IMAP connection established by $imapusername"
            # Release and flush collected data
            TCP::release
            # Stop processing the iRule for this event here
            return
        }
    }
}
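The username extraction above, as an added example in plain Tcl that is not part of the original post: it matches the LOGIN command case-insensitively and accepts a quoted username as well as a bare one. The proc name imap_login_user and the sample lines are constructed for illustration.

```tcl
# Added example, not the poster's code. Returns the userid from the first
# IMAP command line in $payload, or "" if that line is not a LOGIN command.
# A userid sent as an IMAP literal ({n} followed by CRLF) is not handled
# and also yields "".
proc imap_login_user {payload} {
    # Look only at the first CRLF-terminated command line.
    set line [lindex [split [string map [list "\r\n" "\n"] $payload] "\n"] 0]
    # Grammar: tag SP "LOGIN" SP userid SP password
    # userid is either a quoted string or an atom (no spaces or quotes).
    set re {^\S+ LOGIN (?:"((?:[^"\\]|\\.)*)"|([^\s"\{]+))}
    if {[regexp -nocase $re $line -> quoted atom]} {
        if {$quoted ne ""} {
            # Undo the two escapes allowed in an IMAP quoted string.
            return [string map [list "\\\"" "\"" "\\\\" "\\"] $quoted]
        }
        return $atom
    }
    return ""
}

# Constructed sample client payloads.
set samples [list \
    "a001 LOGIN alice secret\r\n" \
    "A2 login \"bob smith\" secret\r\n" \
    "a3 CAPABILITY\r\n"]

foreach sample $samples {
    # Print only the extracted userid, never the rest of the line.
    puts "userid: '[imap_login_user $sample]'"
}
```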