OK, and now with POP3:
when CLIENT_ACCEPTED {
    if { ([TCP::local_port] == 143) or ([TCP::local_port] == 110) } {
        # Collect 300 bytes of data if client is using unencrypted IMAP or POP3
        TCP::collect 300
    }
}
when CLIENT_DATA {
    if { [TCP::local_port] == 143 } {
        # Only do the following if client is using unencrypted IMAP and presumably data has been collected
        if { [TCP::payload 300] contains "login" } {
            # Look for text 'login', skip 6 characters from the start of the match
            # ('login' plus the following space) and match up to the next space
            set imapusername [findstr [TCP::payload 300] "login" 6 " "]
            log local0. "Unencrypted IMAP connection established by $imapusername"
            # Release and flush collected data
            TCP::release
            # Stop processing the iRule for this event here
            return
        }
    } elseif { [TCP::local_port] == 110 } {
        # Only do the following if client is using unencrypted POP3 and presumably data has been collected
        if { [TCP::payload 300] contains "USER" } {
            # Look for text 'USER', skip 5 characters from the start of the match
            # ('USER' plus the following space) and match up to the end of the line (CR)
            set pop3username [findstr [TCP::payload 300] "USER" 5 "\r"]
            log local0. "Unencrypted POP3 connection established by $pop3username"
            # Release and flush collected data
            TCP::release
            # Stop processing the iRule for this event here
            return
        }
    }
}
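
The extraction the iRule above performs, as an added Python example that is not part of the original post, run over constructed payloads. It goes slightly further than the iRule: command keywords are matched case-insensitively and quoted IMAP usernames are handled. The function name `cleartext_username` and the sample payloads are assumptions made for illustration.

```python
import re

# IMAP: "<tag> LOGIN <user> <password>". Command names are case-insensitive and
# the user may be an atom or a quoted string. IMAP literals ({n}) are not handled.
IMAP_LOGIN = re.compile(rb'^\S+ +LOGIN +(?:"((?:[^"\\]|\\.)*)"|(\S+))', re.I | re.M)
# POP3: "USER <name>" terminated by CRLF; the keyword is case-insensitive.
POP3_USER = re.compile(rb'^USER +([^\r\n]+)', re.I | re.M)


def cleartext_username(port, payload, limit=300):
    """Return the username found in the first `limit` bytes, or None.

    Only the username is captured; the password that follows it on the
    wire never reaches the returned (and therefore logged) value.
    """
    data = payload[:limit]
    if port == 143:
        m = IMAP_LOGIN.search(data)
        if not m:
            return None
        if m.group(1) is not None:
            # Quoted string: undo backslash escapes.
            raw = re.sub(rb'\\(.)', rb'\1', m.group(1))
        else:
            raw = m.group(2)
    elif port == 110:
        m = POP3_USER.search(data)
        if not m:
            return None
        raw = m.group(1).strip()
    else:
        return None
    # Replace anything non-printable so a crafted name cannot forge log lines.
    return re.sub(r'[^\x20-\x7e]', '?', raw.decode('ascii', 'replace'))


if __name__ == '__main__':
    # Constructed sample payloads (first client bytes on each port).
    samples = [
        (143, b'a001 LOGIN alice s3cret\r\n'),
        (143, b'A1 login "bob smith" "pw"\r\n'),
        (143, b'a001 CAPABILITY\r\n'),
        (110, b'USER carol\r\nPASS hunter2\r\n'),
        (110, b'user dave\r\n'),
    ]
    for port, payload in samples:
        print(port, cleartext_username(port, payload))
```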