Forum Discussion
jspiglerj2rsolves
Nov 22, 2016 (Nimbostratus)
Thanks Kevin. Yes, the payload was in the response and I was trying to capture it from the client's request. Duhoh...
This is what I have now:
when SERVER_CONNECTED {
    # Start buffering the server-side response payload for inspection
    TCP::collect
}
when SERVER_DATA {
    # Match a run of 13 to 16 alphanumeric characters in the collected payload.
    # There must be no space between the character class and the quantifier;
    # otherwise the quantifier applies to a literal space and never matches.
    if { [regexp {[a-zA-Z0-9]{13,16}} [TCP::payload]] } {
        log local0. "Pattern detected"
    }
    # Hand the buffered data on and stop collecting
    TCP::release
}
Something interesting though, maybe you guys could shed some light on this. If I dump my tcpdump to log, I see the HTTP header in plain text fine but none of the page content. I know there's going to be unreadable binary information in there due to photos, but I thought I would see some of the page content.
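An added illustration, not part of the post or any reply, of the two things the iRule above runs into: the space before `{13,16}` turns the regex into "one character followed by 13 to 16 spaces", and a response body sent with `Content-Encoding: gzip` (one common reason page content does not appear readable in a raw payload capture) will not match a plaintext pattern until it is decompressed. The HTTP response below is constructed; the helper names and the account-number-like sample value are invented for the example.

```python
import gzip
import re

# Constructed sample body (not taken from the post); the 16-digit run is the
# kind of value the 13-16 alphanumeric pattern is meant to catch.
BODY = b"<html><body>Account ref: 4111111111111111 ok</body></html>"

# Pattern as written in the post: the space before {13,16} means the quantifier
# applies to the space, so it needs one alnum character followed by 13-16 spaces.
BUGGY = re.compile(rb"[a-zA-Z0-9] {13,16}")
# Corrected pattern: a run of 13-16 alphanumeric characters.
FIXED = re.compile(rb"[a-zA-Z0-9]{13,16}")


def build_response(body: bytes, compress: bool) -> bytes:
    """Assemble a minimal HTTP/1.1 response; optionally gzip the body."""
    payload = gzip.compress(body, mtime=0) if compress else body
    headers = [
        b"HTTP/1.1 200 OK",
        b"Content-Type: text/html",
        b"Content-Length: " + str(len(payload)).encode(),
    ]
    if compress:
        headers.append(b"Content-Encoding: gzip")
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload


def body_of(response: bytes) -> bytes:
    """Split headers from body and undo gzip when the header announces it."""
    head, _, body = response.partition(b"\r\n\r\n")
    if b"content-encoding: gzip" in head.lower():
        body = gzip.decompress(body)
    return body


def pattern_hits(response: bytes, pattern: re.Pattern) -> int:
    """Count matches over the raw bytes, as TCP::payload sees them."""
    return len(pattern.findall(response))


def pattern_hits_decoded(response: bytes, pattern: re.Pattern) -> int:
    """Count matches after decoding the body (what an HTTP-aware check sees)."""
    return len(pattern.findall(body_of(response)))


if __name__ == "__main__":
    plain, zipped = build_response(BODY, False), build_response(BODY, True)
    print("buggy regex, plain body:  ", pattern_hits(plain, BUGGY))
    print("fixed regex, plain body:  ", pattern_hits(plain, FIXED))
    print("fixed regex, gzip body:   ", pattern_hits(zipped, FIXED))
    print("fixed regex, decoded body:", pattern_hits_decoded(zipped, FIXED))
```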