I need to create a custom application based on the LOGIN string sent to an IMAP server (Office 365) via port 993 (TLS/SSL encrypted) to differentiate it from other O365 traffic. Tech_Note-Creating_Custom_Signatures-RevE.pdf I should be able to match on the imap-req-first-param context but the fw is detecting the traffic as imap. I have configured and tested SSL decryption okay and am outputting to an SSL decryption mirror to confirm the unencrypted data being sent.
The custom application is a child of the imap application (I've tried it as no parent app as well, didn't work), and has default port tcp/993 set. I've got one signature:
Scope: session (I tried transaction, didn't work either)
Ordered condition match is off
OR condition - Operator Pattern Match
Context - imap-req-first-param
Pattern is part of our domain name, as is (no \'s or brackets)
No qualifiers, though I've tried with imap-req-cmd = LOGIN but it didn't help.
Any ideas? Thanks in advance :)