diff --git a/src/sniffer.c b/src/sniffer.c
index dd669e2f2..114b7f82a 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -2534,19 +2534,33 @@ static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo,
         *end = *sslFrame + *sslBytes;
     }
 
-#ifdef OLD_HELLO_ALLOWED
-
     if ((*session)->flags.clientHello == 0 && **sslFrame != handshake) {
-        int rhSize;
+        /* Sanity check the packet for an old style client hello. */
+        int rhSize =
+            ((ssl->buffers.inputBuffer.buffer[
+                                   ssl->buffers.inputBuffer.idx] & 0x7f) << 8) |
+            ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx + 1];
+
+        if ((rhSize <= (*sslBytes - 2)) &&
+            (ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx + 2]
+                                                             == OLD_HELLO_ID) &&
+            (ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx + 3]
+                                                              == SSLv3_MAJOR)) {
+#ifdef OLD_HELLO_ALLOWED
         int ret = DoOldHello(*session, *sslFrame, &rhSize, sslBytes, error);
         if (ret < 0)
             return -1;  /* error already set */
         if (*sslBytes <= 0)
             return 1;
+#endif
+        }
+        else {
+#ifdef STARTTLS_ALLOWED
+            return 1;
+#endif
+        }
     }
 
-#endif
-    
     return 0;
 }