Forum Discussion
dennypayne
Apr 14, 2009 (Employee)
Hi Brad,
Yes, a cap might be helpful, but I think I see what you are saying now... if you are seeing the port info in clear text, then you ought to be able to make a decision on that.
You could add some more logging to your current rule to see what it's capturing and verify that we are indeed seeing the 443 string within those 20 bytes:
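when CLIENT_ACCEPTED {
    # Buffer the first 20 bytes from the client before any pool decision
    TCP::collect 20
}
when CLIENT_DATA {
    # Log exactly what was captured so the match below can be verified
    log local0. "TCP payload is [TCP::payload 20]"
    if { [TCP::payload 20] contains "443" } {
        pool WebWasher
        log local0. "Rule for WebWasher HTTPS redirect"
    }
    # Hand the collected bytes back to normal processing
    TCP::release
}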
Denny
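
Added example, not part of the original post: a plain Tcl script (for tclsh, not an iRule) that replays the rule's 20-byte "443" check over constructed payloads, next to a check that parses the port field, to show where the fixed window misses or over-matches. It assumes the clients send proxy-style `CONNECT host:port` request lines; the proc names and sample hostnames are hypothetical.

```tcl
# Added example: runs in tclsh, not on the BIG-IP. Sample payloads are constructed.
# Assumption: the clear-text port info arrives as "CONNECT host:port HTTP/1.x".

# Same test as the iRule: does "443" occur anywhere in the first $window bytes?
proc window_has_443 {payload {window 20}} {
    set head [string range $payload 0 [expr {$window - 1}]]
    return [expr {[string first "443" $head] >= 0}]
}

# Stricter check: take the first request line and compare only the port field.
proc connect_port_is_443 {payload} {
    set line [lindex [split $payload "\r\n"] 0]
    if {[regexp {^CONNECT\s+\S+:(\d+)\s+HTTP/} $line -> port]} {
        return [string equal $port "443"]
    }
    return 0
}

# Constructed samples:
#  1. short host: the port sits inside the 20-byte window
#  2. longer host: ":443" starts after byte 20, so the window check misses it
#  3. "443" appears in the hostname while the real port is 8080
set samples [list \
    "CONNECT a.test:443 HTTP/1.1\r\n\r\n" \
    "CONNECT login.example.com:443 HTTP/1.1\r\n\r\n" \
    "CONNECT h443.test:8080 HTTP/1.1\r\n\r\n"]

foreach payload $samples {
    set line [lindex [split $payload "\r\n"] 0]
    puts [format "%-40s window=%d parsed=%d" $line \
        [window_has_443 $payload] [connect_port_is_443 $payload]]
}
```

Rows where `window` and `parsed` disagree are the requests the 20-byte rule would route differently from the actual port, which is what the extra `log` line in the rule helps confirm on live traffic.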