Forum Discussion

Arkashik_6155's avatar
Arkashik_6155
Icon for Nimbostratus rankNimbostratus
Jan 04, 2013

iRule to log POP3/IMAP user

Hello everyone,   Since i'm new with iRules, could you please advice me how to log username/user's email address from POP3 and IMAP sessions.   The goal is to move users to go through POP3/IMAP...
application delivery
dev
devops
iRules
What_Lies_Bene1's avatar
What_Lies_Bene1
Icon for Cirrostratus rankCirrostratus
Jan 04, 2013
OK, here's an improvement using findstr to pull out just the username and restricting data collection to port 143 connections; 


when CLIENT_ACCEPTED {
 if {[TCP::local_port] == 143 } {
  Collect 300 bytes of data if client is using unencrypted IMAP
  TCP::collect 300
 }
}

when CLIENT_DATA {
 if {[TCP::local_port] == 143 } {
 Only do the following if client is using unencrypted IMAP and presumably data has been collected
  if { [TCP::payload 300] contains "login" } {
   Look for text 'login', skip forward 1 character and match up to the next space
   set imapusername [findstr [TCP::payload 300] "login" "1" " "]
   log local0. "Unecrypted IMAP connection established by $imapusername"
   Release and flush collected data
   TCP::release
   Stop processing the iRule for this event here
   return
  }
 }
}