tls: check SSL3/TLS version per record 973/head
authorVictor Julien <victor@inliniac.net>
Fri, 2 May 2014 12:20:13 +0000 (14:20 +0200)
committerVictor Julien <victor@inliniac.net>
Thu, 22 May 2014 11:40:53 +0000 (13:40 +0200)
Set an event if the SSL3/TLS record version isn't within the acceptable range.

rules/tls-events.rules
src/app-layer-ssl.c
src/app-layer-ssl.h

index 0dfaa8a5672c72b60f4d9e77f958d944d3be683e..f9e886894f0532b5206c32ce5c183f3ca786c74d 100644 (file)
@@ -8,6 +8,7 @@
 #
 alert tls any any -> any any (msg:"SURICATA TLS invalid SSLv2 header"; flow:established; app-layer-event:tls.invalid_sslv2_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230000; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid TLS header"; flow:established; app-layer-event:tls.invalid_tls_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230001; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid record version"; flow:established; app-layer-event:tls.invalid_record_version; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230015; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid record type"; flow:established; app-layer-event:tls.invalid_record_type; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230002; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid handshake message"; flow:established; app-layer-event:tls.invalid_handshake_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230003; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid certificate"; flow:established; app-layer-event:tls.invalid_certificate; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230004; rev:1;)
@@ -23,4 +24,4 @@ alert tls any any -> any any (msg:"SURICATA TLS overflow heartbeat encountered,
 alert tls any any -> any any (msg:"SURICATA TLS invalid heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.invalid_heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230013; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid encrypted heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.dataleak_heartbeat_mismatch; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230014; rev:1;)
 
-#next sid is 2230015
+#next sid is 2230016
index b4993b4cd44d355e1c541f9cd2704127b054e75a..fc7583b1d0c4a1fdec2e5bab5cb8ec70d56276a7 100644 (file)
@@ -58,6 +58,7 @@ SCEnumCharMap tls_decoder_event_table[ ] = {
     /* TLS protocol messages */
     { "INVALID_SSLV2_HEADER",        TLS_DECODER_EVENT_INVALID_SSLV2_HEADER },
     { "INVALID_TLS_HEADER",          TLS_DECODER_EVENT_INVALID_TLS_HEADER },
+    { "INVALID_RECORD_VERSION",      TLS_DECODER_EVENT_INVALID_RECORD_VERSION },
     { "INVALID_RECORD_TYPE",         TLS_DECODER_EVENT_INVALID_RECORD_TYPE },
     { "INVALID_HANDSHAKE_MESSAGE",   TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE },
     { "HEARTBEAT_MESSAGE",           TLS_DECODER_EVENT_HEARTBEAT },
@@ -831,6 +832,15 @@ static int SSLv3Decode(uint8_t direction, SSLState *ssl_state,
         return parsed;
     }
 
+    /* check record version */
+    if (ssl_state->curr_connp->version < SSL_VERSION_3 ||
+        ssl_state->curr_connp->version > TLS_VERSION_12) {
+
+        AppLayerDecoderEventsSetEvent(ssl_state->f,
+                TLS_DECODER_EVENT_INVALID_RECORD_VERSION);
+        return -1;
+    }
+
     switch (ssl_state->curr_connp->content_type) {
 
         /* we don't need any data from these types */
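Review bot: The new guard at the top of the hunk rejects a record whose `version` lies outside `SSL_VERSION_3`..`TLS_VERSION_12`, but the one-word comment does not say which field this is or why aborting is the right outcome; since the header parsing that fills `curr_connp->version` is outside the hunk, a comment such as `/* record-layer version sanity check: anything outside SSLv3..TLS1.2 is not something we decode; raise an event and stop parsing */` would help the next reader. The two comparisons also assume the version constants are numerically ordered so that they bound the acceptable range (presumably the 0x0300..0x0303 wire values); that is worth stating, since adding a later version constant without updating the upper bound would silently make it an "invalid record version" event. Returning -1 here treats one out-of-range record as a parser failure for the stream, consistent with the earlier header checks, which is the defensive choice but should be documented as intended. SSLv3Decode begins before and continues after this hunk, so the surrounding control flow was not reviewed.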
index fca4f4ed7766ad179a74f35865e16c99003b127c..1e5bbebddb8d759dc6e6cb002ea633de8bcfe9ca 100644 (file)
@@ -33,6 +33,7 @@ enum {
     /* TLS protocol messages */
     TLS_DECODER_EVENT_INVALID_SSLV2_HEADER,
     TLS_DECODER_EVENT_INVALID_TLS_HEADER,
+    TLS_DECODER_EVENT_INVALID_RECORD_VERSION,
     TLS_DECODER_EVENT_INVALID_RECORD_TYPE,
     TLS_DECODER_EVENT_INVALID_HANDSHAKE_MESSAGE,
     TLS_DECODER_EVENT_HEARTBEAT,