Forum Discussion
Anirban
Aug 14, 2022Nimbostratus
Me too searching for same. For my case it's HTTP payload.
when HTTP_RESPONSE {
if {[string length [findstr [HTTP::header] "<return>" 8 "</return>"]] == 30} ---> Create your own logic to identufy string
{
set SESSIONID_RS [findstr [HTTP::header] "<return>" 8 "</return>"]
log local0. "Response SessionID: $SESSIONID_RS"
persist uie add $SESSIONID_RS 1800
else {
persist source_address}
}
}
when HTTP_REQUEST {
if {[string length [findstr [HTTP::header] "<arg0>" 6 "</arg0>"]] == 30}
{
set SESSIONID_RQ [findstr [HTTP::header] "<arg0>" 6 "</arg0>"]
log local0. "Request SessionID: $SESSIONID_RQ"
persist uie $SESSIONID_RQ 1800
}
}