If you were wondering how the CLIENT_DATA event works and how the TCP::collect and TCP::release methods work, this is for you. Directly from the horse's mouth...

The following rules apply for the CLIENT_DATA event:

1) an implicit TCP::collect is done if the original collect was unbounded (indefinite) and no explicit TCP::release or new TCP::collect is executed.

2) an implicit TCP::release is done if no explicit TCP::release or new TCP::collect is performed and the original collect was not indefinite.

3) an explicit TCP::release would be required if any explicit TCP::collect is executed.

4) an explicit TCP::collect would be required assuming you want to collect more data after an explicit TCP::release has been executed.

You should be able to simply add "TCP::release" to the end of your rule to get data flowing to the server while still continually firing the CLIENT_DATA event for every packet.
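An added example (not from the original post or the forum thread) showing how the four rules play out in an iRule that holds client data until a complete line has arrived. The CRLF delimiter, the 4096-byte cap and the log wording are assumptions chosen for illustration.

```tcl
when CLIENT_ACCEPTED {
    # Unbounded (indefinite) collect: start buffering client payload
    # so that CLIENT_DATA is raised.
    TCP::collect
}

when CLIENT_DATA {
    # Assumed for this example: lines end in CRLF, and no more than
    # 4096 bytes are held back while waiting for one.
    set max_buffer 4096
    set have [TCP::payload length]

    if { [string first "\r\n" [TCP::payload]] >= 0 } {
        # A complete line is buffered: record it and let it through.
        log local0. "[IP::client_addr]:[TCP::client_port] CRLF seen, releasing $have bytes"
        # Rule 3: an explicit collect was executed, so release explicitly.
        TCP::release
        # Rule 4: collect explicitly again to keep inspecting later data.
        TCP::collect
    } elseif { $have > $max_buffer } {
        # No delimiter within the cap: forward what is buffered instead
        # of holding more of it in memory.
        log local0. "[IP::client_addr]:[TCP::client_port] no CRLF in $have bytes, releasing"
        TCP::release
    }
    # Otherwise neither TCP::release nor a new TCP::collect runs. Per
    # rule 1 the unbounded collect continues implicitly, so nothing
    # reaches the server yet and CLIENT_DATA fires again when more
    # data arrives.
}
```

The fall-through branch is the case that stalls traffic when a rule never releases: the buffer keeps growing and the server sees nothing, which is why the cap is there.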
