For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Arkashik_6155's avatar
Arkashik_6155
Icon for Nimbostratus rankNimbostratus
Jan 04, 2013

iRule to log POP3/IMAP user

Hello everyone,   Since i'm new with iRules, could you please advice me how to log username/user's email address from POP3 and IMAP sessions.   The goal is to move users to go through POP3/IMAP...
application delivery
dev
devops
iRules
Arkashik_6155's avatar
Arkashik_6155
Icon for Nimbostratus rankNimbostratus
Jan 04, 2013
Posted By What Lies Beneath on 01/04/2013 05:44 AM

OK, here's an improvement using findstr to pull out just the username and restricting data collection to port 143 connections;

 when CLIENT_ACCEPTED { if {[TCP::local_port] == 143 } { Collect 300 bytes of data if client is using unencrypted IMAP TCP::collect 300 } } when CLIENT_DATA { if {[TCP::local_port] == 143 } { Only do the following if client is using unencrypted IMAP and presumably data has been collected if { [TCP::payload 300] contains "login" } { Look for text 'login', skip forward 1 character and match up to the next space set imapusername [findstr [TCP::payload 300] "login" "1" " "] log local0. "Unecrypted IMAP connection established by $imapusername" Release and flush collected data TCP::release Stop processing the iRule for this event here return } } }

Thanks a lot, will give a try with this one.

Posted By Mohamed Lrhazi on 01/04/2013 05:43 AM

I think it would be simpler to look in the server software side for a solution to this, or is that just not possible for you?

Hello Mohamed, this solution is also under review.