
Collect different info from different Webmail clients

bkgraham33 Member
My goal is to log different information from Webmail clients than from ActiveSync clients. It seems the most obvious way to distinguish the two clients is from the HTTP::URI. So I've written the following script, which sadly has an error somewhere in it; line 19 according to the A10.

when HTTP_REQUEST {
    if { [HTTP::method] == "POST" } {
        HTTP::collect
    }
}

when HTTP_REQUEST_DATA {
    set whatif [HTTP::uri]
    if {$whatif contains "activesync"} {

        if { [HTTP::payload length] > 5 } {
            set uri [HTTP::uri]
            set c_ip [IP::client_addr]
            set vip_ip [IP::local_addr]
            log "IF=$uri, Client=$c_ip, VIP=$vip_ip,"
        }
    }
    {
        if { [HTTP::payload length] > 5 } {
            set payload [HTTP::payload]
            set client [HTTP::header User-Agent]
            set index [expr [string first "username=" $payload] + [string length "username="]]
            set index2 [expr [string first "password=" $payload]-2]
            set username "[string range $payload $index $index2]"
            set c_ip [IP::client_addr]
            set vip_ip [IP::local_addr]
            log "ELSE=$username, Client=$c_ip, VIP=$vip_ip, Client=$index3"
        }
    }
}

The error the A10 is spitting out is:
Warning: aFleX syntax error: line 18: "unknown command "
if { [HTTP::payload length] > 5 } {
set payload [...""

I think I've messed up on the syntax somewhere...

Any help is appreciated.

Ben

Comments

  • edited February 2014
    Try the following:

    when HTTP_REQUEST {
        if { [HTTP::method] == "POST" } {
            HTTP::collect
        }
    }

    when HTTP_REQUEST_DATA {
        set whatif [HTTP::uri]
        if {($whatif contains "activesync") and ([HTTP::payload length] > 5 )} {
            set uri [HTTP::uri]
            set c_ip [IP::client_addr]
            set vip_ip [IP::local_addr]
            log "IF=$uri, Client=$c_ip, VIP=$vip_ip,"
        } elseif { [HTTP::payload length] > 5 } {
            set payload [HTTP::payload]
            set client [HTTP::header User-Agent]
            set index [expr [string first "username=" $payload] + [string length "username="]]
            set index2 [expr [string first "password=" $payload]-2]
            set username "[string range $payload $index $index2]"
            set c_ip [IP::client_addr]
            set vip_ip [IP::local_addr]
            log "ELSE=$username, Client=$c_ip, VIP=$vip_ip, Client=$index3"
        }
    }
  • bkgraham33 Member
    edited February 2014
    brunov, thanks for the response. I see what you did there and it makes perfect sense. However I still had something wrong with the script ($index3 was being called but was never set), which I've fixed. However I still have a problem.

    when HTTP_REQUEST {
        if { [HTTP::method] == "POST" } {
            HTTP::collect
        }
    }

    when HTTP_REQUEST_DATA {
        set whatif [HTTP::uri]
        if {($whatif contains "activesync") and ([HTTP::payload length] > 5 )} {
            set uri [HTTP::uri]
            set c_ip [IP::client_addr]
            set vip_ip [IP::local_addr]
            log "uri=$uri, Client=$c_ip, VIP=$vip_ip,"
        } elseif { [HTTP::payload length] > 5 } {
            set payload [HTTP::payload]
            set client [HTTP::header User-Agent]
            set index [expr [string first "username=" $payload] + [string length "username="]]
            set index2 [expr [string first "password=" $payload]-2]
            set username "[string range $payload $index $index2]"
            set c_ip [IP::client_addr]
            set vip_ip [IP::local_addr]
            log "User=$username, Client=$c_ip, VIP=$vip_ip"
        }
    }

    The ($whatif contains "activesync") section isn't being triggered when I sync my iPad. I added the URI to the elseif section for a quick test, and sure enough it looks like the ($whatif contains "activesync") just isn't working.

    Here is what the URI looks like. uri=/Microsoft-Server-ActiveSync?User=bgraham&DeviceId=ApplDMPHK0TYDVGF&DeviceType=iPad&Cmd=Ping

    Do I need to do something different to the ($whatif contains "activesync") section to make this work? I'll keep playing around with it, but any feedback is helpful!

    Thanks!
  • bkgraham33 Member
    edited February 2014
    I just changed activesync to Microsoft-Server-ActiveSync and that seems to have fixed it. I don't know enough about programming or aflex to know if it makes sense that this change was needed. But it's working, so that's all I care about for now!

    Here is the script for now, in case it helps anyone else. I still have some editing to do as I still want to: a) pull the userid out of the URI for ActiveSync connections and b) it looks like certain mobile devices don't display the userid in the URI; if they do it's jumbled (uri=/Microsoft-Server-ActiveSync?eRIJBA45OTAwMDExOTc1NDYzMwRWkRHaEE1vdG9EUk9JRFJBWlI2NTE= as compared to uri=/Microsoft-Server-ActiveSync?User=bgraham&DeviceId=ApplDMPHK0TYDVGF&DeviceType=iPad&Cmd=Ping)

    when HTTP_REQUEST {
        # Buffer the body of POST requests so that HTTP_REQUEST_DATA fires
        if { [HTTP::method] == "POST" } {
            HTTP::collect
        }
    }

    when HTTP_REQUEST_DATA {
        set whatif [HTTP::uri]
        # ActiveSync clients: log the request URI (the match is case sensitive)
        if {($whatif contains "Microsoft-Server-ActiveSync") and ([HTTP::payload length] > 5 )} {
            set uri [HTTP::uri]
            set c_ip [IP::client_addr]
            set vip_ip [IP::local_addr]
            log "uri=$uri, Client=$c_ip, VIP=$vip_ip,"
        } elseif { [HTTP::payload length] > 5 } {
            # Webmail login: take the text between "username=" and the "&" before "password="
            set payload [HTTP::payload]
            set client [HTTP::header User-Agent]
            set index [expr [string first "username=" $payload] + [string length "username="]]
            set index2 [expr [string first "password=" $payload]-2]
            set username "[string range $payload $index $index2]"
            set c_ip [IP::client_addr]
            set vip_ip [IP::local_addr]
            log "User=$username, Client=$c_ip, VIP=$vip_ip"
        }
    }
  • edited February 2014
    The comparison is case sensitive. You can solve this by using the correct case as you did, or just set the variable to be all lower case.
    set whatif [string tolower [HTTP::uri]]
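
The case-insensitive match suggested above, together with a way to pull the username out of the POST body without depending on where password= sits, as an added example that is not part of any post in this thread. It is plain Tcl for tclsh rather than aFleX: the values of [HTTP::uri] and [HTTP::payload] are passed in as arguments, the proc names are made up for illustration, and the sample inputs are constructed.

```tcl
# Plain Tcl (tclsh), not aFleX: [HTTP::uri] and [HTTP::payload] become arguments.
# All proc names here are illustrative.

# Classify by URI path, ignoring case and the query string.
proc classify_uri {uri} {
    set path [string tolower [lindex [split $uri ?] 0]]
    if {[string match "/microsoft-server-activesync*" $path]} { return activesync }
    return webmail
}

# Decode '+' and %XX escapes of a form-encoded value (byte-wise, no UTF-8 handling).
proc url_decode {s} {
    set s [string map {+ " "} $s]
    set out ""
    for {set i 0} {$i < [string length $s]} {incr i} {
        set c [string index $s $i]
        set hex [string range $s [expr {$i + 1}] [expr {$i + 2}]]
        if {$c eq "%" && [regexp {^[0-9A-Fa-f]{2}$} $hex]} {
            append out [format %c [scan $hex %x]]
            incr i 2
        } else {
            append out $c
        }
    }
    return $out
}

# Value of one field of an application/x-www-form-urlencoded body, "" if absent.
# Splitting on & means field order and a missing password= field do not matter.
proc form_field {payload name} {
    foreach pair [split $payload &] {
        set eq [string first = $pair]
        if {$eq > 0 && [string range $pair 0 [expr {$eq - 1}]] eq $name} {
            return [url_decode [string range $pair [expr {$eq + 1}] end]]
        }
    }
    return ""
}

# Replace control characters so a crafted username cannot break or forge log lines.
proc log_safe {s} { return [regsub -all {[[:cntrl:]]} $s "?"] }

# Constructed sample inputs (the /owa path is hypothetical).
set uri  "/Microsoft-Server-ActiveSync?User=bgraham&DeviceType=iPad&Cmd=Ping"
set body "destination=x&username=j.doe%0d%0aUser%3Dadmin&password=not-logged"
puts "[classify_uri $uri] [classify_uri /owa/auth.owa]"
puts "User=[log_safe [form_field $body username]]"
```

form_field also works on the query part of an ActiveSync URI when the device sends it in the plain User=...&DeviceId=... form; the encoded form quoted in the thread needs separate decoding.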