Also, I'm not sure if you want to continuously collect the payloads. Can you collect enough bytes just once in the initial connection to find the bad byte pattern?
when CLIENT_ACCEPTED {
    # Block connections whose destination is listed in the block_ip_ultrasurf data group
    if { [class match [IP::local_addr] equals block_ip_ultrasurf] } {
        log local0. "block ip = [IP::local_addr]"
        drop
    } elseif { [TCP::local_port] == 443 } {
        # Collect the first 100 bytes of client payload once; CLIENT_DATA fires when they arrive
        TCP::collect 100
    }
}
when CLIENT_DATA {
    # Hex-encode the collected bytes and compare them against the signature data group
    binary scan [TCP::payload] H* payload_hex
    log local0. "payload_hex ([string length $payload_hex] chars) = $payload_hex"
    if { [class match $payload_hex contains signature_clientsslhello] } {
        drop
        return
    }
    # No match: release the collected payload and stop collecting
    TCP::release
}
Aaron
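An offline model of the collect-once approach in the iRule above, written as an added example rather than code from the post or from F5. It takes the first 100 bytes of a constructed client payload, hex-encodes them the way `binary scan ... H*` does, and matches a signature list. The signature values and the sample payloads are constructed for the example; the real contents of the signature_clientsslhello data group are not shown on the page. It also goes one step beyond the post: a plain `contains` on the hex string can match a signature at an odd nibble offset, so the example shows a byte-aligned check beside the hex-string check.

```python
"""Model of 'collect N bytes once, hex-encode, match a signature list'.
Added example, not code from the original post or from F5."""
import binascii

COLLECT_LEN = 100  # mirrors TCP::collect 100 in the posted iRule

# Constructed stand-ins for the signature_clientsslhello data group entries.
# 16 = TLS handshake record type, 0301/0302/0303 = record version field.
SIGNATURES = ["160301", "160302", "160303"]


def payload_hex(payload: bytes, n: int = COLLECT_LEN) -> str:
    """Equivalent of TCP::collect n followed by binary scan [TCP::payload] H*."""
    return binascii.hexlify(payload[:n]).decode()


def hex_contains_match(payload: bytes, signatures=SIGNATURES) -> bool:
    """What `class match $payload_hex contains <group>` amounts to: a plain
    substring search over the hex text, with no byte alignment."""
    h = payload_hex(payload)
    return any(sig in h for sig in signatures)


def byte_aligned_match(payload: bytes, signatures=SIGNATURES) -> bool:
    """Same signatures checked against the raw bytes at offset 0, where a TLS
    record header sits on a fresh connection. A signature can only match on
    a byte boundary, so odd-nibble hex coincidences cannot trigger it."""
    raw = payload[:COLLECT_LEN]
    return any(raw.startswith(bytes.fromhex(sig)) for sig in signatures)


def clientdata_action(payload: bytes) -> str:
    """Mirror of the CLIENT_DATA handler: 'drop' on a hit, else 'release'."""
    return "drop" if byte_aligned_match(payload) else "release"


# Constructed sample payloads (not captured traffic).
TLS_CLIENT_HELLO = (
    b"\x16\x03\x01\x00\x2d"        # record: handshake, version 3.1, length 45
    b"\x01\x00\x00\x29\x03\x03"    # ClientHello, body length 41, client_version 3.3
    + b"\x11" * 32                 # client random
    + b"\x00"                      # session id length 0
    + b"\x00\x02\xc0\x2f"          # cipher suites: one suite
    + b"\x01\x00"                  # compression methods: null
)
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
# Bytes 01 60 30 10 hex-encode to "01603010", which contains "160301" at an
# odd nibble offset although no byte in the payload is 0x16.
ODD_ALIGNED = b"\x01\x60\x30\x10" + b"\x00" * 8

if __name__ == "__main__":
    for name, p in [("tls", TLS_CLIENT_HELLO), ("http", HTTP_REQUEST), ("odd", ODD_ALIGNED)]:
        print(name, hex_contains_match(p), byte_aligned_match(p), clientdata_action(p))
```

Running it shows the hex-string check and the byte-aligned check agreeing on the ClientHello and the HTTP request but disagreeing on the odd-aligned payload; if the data group holds short hex entries, anchoring the match to byte offsets avoids that false positive.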