Forum Discussion
Stanislas_Piro2
Apr 26, 2019Cumulonimbus
Try this code:
when CLIENT_ACCEPTED {
SSL::disable
TCP::collect
}
when CLIENT_DATA {
Store TCP Payload up to 2^14 + 5 bytes (Handshake length is up to 2^14)
set payload [TCP::payload 16389]
set payloadlen [TCP::payload length]
if { [binary scan $payload cH4Scx3H4x32c tls_record_content_type tls_version tls_recordlen tls_handshake_action tls_handshake_version tls_handshake_sessidlen] == 6 && \
($tls_record_content_type == 22) && \
([string match {030[1-3]} $tls_version]) && \
($tls_handshake_action == 1) && \
($payloadlen == $tls_recordlen+5)} {
SSL::enable
}
TCP::release
}