Posted By What Lies Beneath on 01/04/2013 05:44 AM
OK, here's an improvement using findstr to pull out just the username and restricting data collection to port 143 connections;
when CLIENT_ACCEPTED { if {[TCP::local_port] == 143 } { Collect 300 bytes of data if client is using unencrypted IMAP TCP::collect 300 } } when CLIENT_DATA { if {[TCP::local_port] == 143 } { Only do the following if client is using unencrypted IMAP and presumably data has been collected if { [TCP::payload 300] contains "login" } { Look for text 'login', skip forward 1 character and match up to the next space set imapusername [findstr [TCP::payload 300] "login" "1" " "] log local0. "Unecrypted IMAP connection established by $imapusername" Release and flush collected data TCP::release Stop processing the iRule for this event here return } } }
Thanks a lot, will give a try with this one.
Posted By Mohamed Lrhazi on 01/04/2013 05:43 AM
I think it would be simpler to look in the server software side for a solution to this, or is that just not possible for you?
Hello Mohamed, this solution is also under review.