my guess would be that because this isn't HTTP, you can't match the catch-all traffic within the HTTP_REQUEST event. I think I have some t3 captures buried in my hard drive somewhere--I'll try and look at them today. If I recall correctly t3 is not well documented at all, but if there is a consistent identifier, you could do a tcp::collect at CLIENT_ACCEPTED and then evaluate t3 or http in CLIENT_DATA. If t3, find string to switch on and send to appropriate pool, if http, issue tcp::release. At this point the HTTP_REQUEST event should pick up the rest of your rule.