Y'know what? Disregard the above. If you're logging the right input values, you're not compressed coming from the pool member.
Try something like this:
when CLIENT_ACCEPTED {
set trypost 0
set collected 0
set retried 0
}
when HTTP_REQUEST {
if { (! $retried) && ([HTTP::method] equals "GET") && ([string tolower [HTTP::uri]] equals "/tgi/login.tgi") } {
set trypost 1
HTTP::header sanitize "Accept-Encoding Connection Keep-Alive"
HTTP::header insert Connection "close"
}
}
when HTTP_RESPONSE {
if {($trypost) && (! $collected) && (! $retrying) }{
if {[HTTP::header exists Content-Length] && ([HTTP::header Content-Length] < 100000)} {
set clength [HTTP::header Content-Length]
} else {
set clength 100000
}
HTTP::collect $clength
set collected 1
}
}
when HTTP_RESPONSE_DATA {
if { ($trypost) && ($collected) && (! $retried) } {
set salt_value [lindex [regexp -all -inline {(ge\" VALUE=\")(.{8})} [HTTP::payload]] 2]
log local0. "salt -> $salt_value"
set response "adminpassword123$salt_value"
log local0. "salted response -> $response"
binary scan [ md5 $response ] H* hexhash
log local0. "md5(hex) of $response -> $hexhash"
HTTP::payload replace 0 [HTTP::payload length] ""
HTTP::retry "POST /tgi/login.tgi HTTP/1.1\r\n Host: 10.10.10.10\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 77\r\n\r\nUsername=admin&Password=&Challenge=&Response=$hexhash"
set trypost 0
set collected 0
set retried 1
}
}
Yeah, it doesn't look like some of the other stuff you've seen on HTTP::retry, but most of those are not re-hitting the same pool member, they're going to some other pool or node entirely. What I'm doing here is essentially forcing a close from the browser when a GET request to the login page occurs, then in HTTP_RESPONSE, I'm taking steps to throw away the payload that's been collected before attempting the HTTP::retry.