app-layer: add decoder event for missing TLS after STARTTLS
authorMats Klepsland <mats.klepsland@gmail.com>
Wed, 15 Feb 2017 06:06:15 +0000 (07:06 +0100)
committerVictor Julien <victor@inliniac.net>
Mon, 8 May 2017 08:43:36 +0000 (10:43 +0200)
rules/app-layer-events.rules
src/app-layer-events.c
src/app-layer-events.h
src/app-layer.c

index 4d2ac28bbc970b9a31b78f94ccee045f60b40f5e..31a15d41892ec5904c8ff21614441cdf1862bbf0 100644 (file)
@@ -10,5 +10,6 @@ alert ip any any -> any any (msg:"SURICATA Applayer Mismatch protocol both direc
 alert ip any any -> any any (msg:"SURICATA Applayer Wrong direction first Data"; flow:established; app-layer-event:applayer_wrong_direction_first_data; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260001; rev:1;)
 alert ip any any -> any any (msg:"SURICATA Applayer Detect protocol only one direction"; flow:established; app-layer-event:applayer_detect_protocol_only_one_direction; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260002; rev:1;)
 alert ip any any -> any any (msg:"SURICATA Applayer Protocol detection skipped"; flow:established; app-layer-event:applayer_proto_detection_skipped; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260003; rev:1;)
+alert ip any any -> any any (msg:"SURICATA Applayer No TLS after STARTTLS"; flow:established; app-layer-event:applayer_no_tls_after_starttls; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:226004; rev:1;)
 
-#next sid is 2260004
+#next sid is 2260005
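Review bot: The added rule carries `sid:226004`, which is one digit short of the `22600xx` sequence the neighbouring rules use and of the value the bumped "next sid" comment implies; the line should read `sid:2260004;`. As written the signature sits in an unrelated sid range, so a deployment that already has a rule with sid 226004 would see a duplicate-sid conflict, and tooling that tracks the SURICATA app-layer rules by range would miss it. The `#next sid is 2260005` update is consistent with 2260004 having been the intended value.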
index cd00a4ee8bc628c43d2eeb205157d68446e21a2d..b72a45431c351e084aeb58730083c777ea39e5ad 100644 (file)
@@ -40,6 +40,8 @@ SCEnumCharMap app_layer_event_pkt_table[ ] = {
       APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION },
     { "APPLAYER_PROTO_DETECTION_SKIPPED",
       APPLAYER_PROTO_DETECTION_SKIPPED },
+    { "APPLAYER_NO_TLS_AFTER_STARTTLS",
+      APPLAYER_NO_TLS_AFTER_STARTTLS },
     { NULL,
       -1 },
 };
index 0261a26f9265371f81c355940699a0e1fe41ab3f..b55b9a620b81a669da50911fc83aa3c9dc9dbd9b 100644 (file)
@@ -46,6 +46,7 @@ enum {
     APPLAYER_WRONG_DIRECTION_FIRST_DATA,
     APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION,
     APPLAYER_PROTO_DETECTION_SKIPPED,
+    APPLAYER_NO_TLS_AFTER_STARTTLS,
 };
 
 /* the event types for app events */
index 5684075febb7919aff36e27ad613170c4bd29256..bc62b060cacf78b579e02f77f1a4d557f95ad7fa 100644 (file)
@@ -574,6 +574,10 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
         }
         SCLogDebug("protocol change, old %s, new %s",
                 AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
+        if (f->alproto != ALPROTO_TLS) {
+            AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
+                                             APPLAYER_NO_TLS_AFTER_STARTTLS);
+        }
     } else {
         SCLogDebug("stream data (len %" PRIu32 " alproto "
                    "%"PRIu16" (flow %p)", data_len, f->alproto, f);
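Review bot: The new `if (f->alproto != ALPROTO_TLS)` check treats every protocol change reaching this branch as a STARTTLS upgrade, so it is only correct as long as the change-protocol path is never entered for an upgrade to something other than TLS; if another upgrade type is later routed through here, this will raise a misleading APPLAYER_NO_TLS_AFTER_STARTTLS event. That assumption is not visible from the hunk and deserves to be stated in place, e.g. `/* protocol changes are assumed to originate from STARTTLS, so anything but TLS after the switch is anomalous */` above the check, or better, the expected protocol should be compared against a value recorded when the change was requested rather than a hard-coded ALPROTO_TLS. The enclosing protocol-change branch and AppLayerHandleTCPData itself begin outside the hunk, so whether such a recorded expectation exists cannot be confirmed here.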