Maxim_Taskov_90
Nimbostratus
Sep 16, 2010
Universal or Hash Persistence for Windows Terminal Services Gateway Traffic
I need help creating persistence profile for Windows Terminal Services (TS) Gateway traffic. I really have no preference regarding the type of persistence but it looks like hash or universal with an ...
Chris_Miller
Altostratus
Sep 17, 2010
I've heard SSL is a bad persistence strategy because of the constant re-negotiations...
Here are some good reads:
http://devcentral-sea.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/5702/afv/topic/Default.aspx
http://www.f5.com/solutions/applications/microsoft/windows-terminal-server/
http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/32250/afv/topic/Default.aspx32284
Here's a rule Jason did:
```tcl
when CLIENT_ACCEPTED {
    TCP::collect
}
when CLIENT_DATA {
    TCP::collect 25
    binary scan [TCP::payload] x11a* msrdp
    if { [string equal -nocase -length 12 $msrdp "cookie: msts"] } {
        set msrdp [string range $msrdp 12 end]
        set len [string first "\n" $msrdp]
        if { $len == -1 } {
            # Didn't get whole cookie, collect more
            TCP::collect
            return
        }
        if { $msrdp starts_with "hash=" } {
            # No session directory - username used instead
            if { $len > 5 } {
                incr len -1
                set record [string tolower [string range $msrdp 5 $len]]
                log "adding persistence record - $record"
                # adjust your timeout (in seconds)
                persist uie $record 1801
            } else {
                log "No username - not persisting"
            }
        }
    } else {
        log "Cookie not found"
    }
    TCP::release
}
```
And John's rule in the last link:
```tcl
when CLIENT_ACCEPTED {
    TCP::collect
}
when CLIENT_DATA {
    TCP::collect 25
    binary scan [TCP::payload] x11a* msrdp
    log local0. "Contents after binary scan: $msrdp"
    if { [string equal -nocase -length 17 $msrdp "cookie: mstshash="] } {
        set msrdp [string range $msrdp 17 end]
        set len [string first "\n" $msrdp]
        if { $len == -1 } {
            TCP::collect
            return
        }
        if { $msrdp contains "@" } {
            log local0. "Setting data to: [getfield $msrdp "@" 1]"
            set username [getfield $msrdp "@" 1]
        } elseif { $msrdp contains "\\" } {
            log local0. "Setting data to: [getfield $msrdp "\\" 3]"
            set username [getfield $msrdp "\\" 3]
        } else {
            set username $msrdp
            log local0. "Setting data to: $msrdp"
        }
        set finalusername [string tolower $username]
        set finalusername [string trim $finalusername]
        log local0. "User Being Persisted is: |$finalusername|"
        persist uie $finalusername 10800
    }
    TCP::release
}
```
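The cookie extraction that both iRules above perform, as an added Python example for checking the parsing and username normalization offline (not code from this thread or from F5). The names `build_request` and `persistence_key` are hypothetical, the sample requests are constructed, and two choices are this example's own assumptions: it uses the TPKT length field to decide when to collect more data, and it takes the last backslash-separated component of a `DOMAIN\user` value.

```python
import struct

X224_CR = 0xE0      # X.224 Connection Request TPDU code
HEADER_LEN = 11     # 4-byte TPKT + 7-byte X.224 header: the "x11" skipped by the iRules
PREFIX = b"cookie: mstshash="

def build_request(cookie_line: bytes) -> bytes:
    """Constructed sample input: TPKT + X.224 CR wrapping a routing-cookie line."""
    x224 = struct.pack("!BBHHB", 6 + len(cookie_line), X224_CR, 0, 0, 0)
    tpkt = struct.pack("!BBH", 3, 0, 4 + len(x224) + len(cookie_line))
    return tpkt + x224 + cookie_line

def persistence_key(payload: bytes):
    """Return ("key", user), ("more", None) to keep collecting, or ("none", None)."""
    if len(payload) < 4:
        return ("more", None)
    version, _, tpkt_len = struct.unpack("!BBH", payload[:4])
    if version != 3 or tpkt_len < HEADER_LEN:
        return ("none", None)           # not a TPKT-framed connection request
    if len(payload) < tpkt_len:
        return ("more", None)           # declared length not yet received
    if payload[5] != X224_CR:
        return ("none", None)
    body = payload[HEADER_LEN:tpkt_len]
    if body[:len(PREFIX)].lower() != PREFIX:
        return ("none", None)           # no mstshash cookie, nothing to persist on
    value = body[len(PREFIX):]
    end = value.find(b"\n")
    if end == -1:
        return ("none", None)           # complete PDU but unterminated cookie
    user = value[:end].decode("ascii", "replace").strip()
    if "@" in user:                     # user@domain -> user
        user = user.split("@", 1)[0]
    elif "\\" in user:                  # DOMAIN\user -> user (assumption: last component)
        user = user.rsplit("\\", 1)[1]
    user = user.strip().lower()         # same key regardless of case or padding
    return ("key", user) if user else ("none", None)

if __name__ == "__main__":
    for line in (b"Cookie: mstshash=Alice@corp.example\r\n", b"Cookie: mstshash=CORP\\Bob\r\n"):
        print(persistence_key(build_request(line)))
```

The cookie is supplied by the client before any authentication takes place, so the derived key is only a routing hint for persistence and says nothing about who the user is.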