What do you actually see in the hex payload? Maybe the client isn't using CR and LF?
Here are two examples. One which converts \r\n to binary to check the binary payload and a second which converts the payload to hex to check for 0d0a:
when CLIENT_ACCEPTED {
    # Start collecting the TCP payload
    TCP::collect
}
when CLIENT_DATA {
    # Save payload
    set payload [TCP::payload]
    log local0. "\$payload: $payload"
    if {$payload contains [binary format a* "\r\n"]} {
        log local0. "Found CRLF in binary payload!"
    }
    # Convert payload to hex
    binary scan $payload H* payload_hex
    log local0. "\$payload_hex: $payload_hex"
    # Search the hex string (not the raw payload) for 0d0a
    if {$payload_hex contains "0d0a"} {
        log local0. "Found CRLF in hex payload!"
    }
}
: $payload: GET / HTTP/1.1 User-Agent: curl/7.16.3 (i686-pc-cygwin) libcurl/7.16.3 OpenSSL/0.9.8j zlib/1.2.3 libssh2/0.15-CVS Host: 10.42.2.100 Accept: */*
: Found CRLF in binary payload!
: $payload_hex: 474554202f20485454502f312e310d0a557365722d4167656e
743a206375726c2f372e31362e332028693638362d70632d63
796777696e29206c69626375726c2f372e31362e33204f7065
6e53534c2f302e392e386a207a6c69622f312e322e33206c69
62737368322f302e31352d4356530d0a486f73743a2031302e
34322e322e3130300d0a4163636570743a202a2f2a0d0a0d0a
: Found CRLF in hex payload!
Aaron
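
An added example, not part of the post above: an offline Python check that takes the hex string from the log, reports which line terminators the client actually sent (CRLF, bare LF, bare CR) by byte offset, and shows that a plain substring search for "0d0a" in hex text can match across byte boundaries. The function names and the misaligned sample are constructed for illustration; the logged hex is the one shown in the post.

```python
import re

# Hex payload copied from the log output in the post (line wraps removed).
LOGGED_HEX = (
    "474554202f20485454502f312e310d0a557365722d4167656e"
    "743a206375726c2f372e31362e332028693638362d70632d63"
    "796777696e29206c69626375726c2f372e31362e33204f7065"
    "6e53534c2f302e392e386a207a6c69622f312e322e33206c69"
    "62737368322f302e31352d4356530d0a486f73743a2031302e"
    "34322e322e3130300d0a4163636570743a202a2f2a0d0a0d0a"
)

# Constructed sample: bytes 0x10 0xd0 0xa0 contain no CR or LF, yet their
# hex text "10d0a0" contains the substring "0d0a" at an odd nibble offset.
MISALIGNED_HEX = "10d0a0"


def classify_line_endings(hex_payload):
    """Decode a hex dump and record the byte offset of every line terminator."""
    data = bytes.fromhex(re.sub(r"\s+", "", hex_payload))
    found = {"crlf": [], "bare_lf": [], "bare_cr": []}
    i = 0
    while i < len(data):
        if data[i:i + 2] == b"\r\n":
            found["crlf"].append(i)
            i += 2
            continue
        if data[i] == 0x0A:
            found["bare_lf"].append(i)
        elif data[i] == 0x0D:
            found["bare_cr"].append(i)
        i += 1
    # An HTTP header block ends with an empty line, i.e. CRLF CRLF.
    found["headers_terminated"] = b"\r\n\r\n" in data
    return found


def naive_hex_match(hex_payload):
    """Substring search on the hex text, as in the second check of the iRule."""
    return "0d0a" in re.sub(r"\s+", "", hex_payload).lower()


if __name__ == "__main__":
    print(classify_line_endings(LOGGED_HEX))
    print(naive_hex_match(MISALIGNED_HEX), classify_line_endings(MISALIGNED_HEX))
```
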