rules: add rule for HANDSHAKE_INVALID_LENGTH event
authorMats Klepsland <mats.klepsland@gmail.com>
Wed, 18 May 2016 13:34:32 +0000 (15:34 +0200)
committerVictor Julien <victor@inliniac.net>
Sun, 25 Sep 2016 20:12:00 +0000 (22:12 +0200)
rules/tls-events.rules

index eccaaf56827733113ce010439d58977cdd7cea2d..f22b1fed93a481013055eac358d892e70abc8819 100644 (file)
@@ -25,5 +25,6 @@ alert tls any any -> any any (msg:"SURICATA TLS invalid encrypted heartbeat enco
 alert tls any any -> any any (msg:"SURICATA TLS multiple SNI extensions"; flow:established,to_server; app-layer-event:tls.multiple_sni_extensions; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230016; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid SNI type"; flow:established,to_server; app-layer-event:tls.invalid_sni_type; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230017; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid SNI length"; flow:established,to_server; app-layer-event:tls.invalid_sni_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230018; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS handshake invalid length"; flow:established; app-layer-event:tls.handshake_invalid_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230019; rev:1;)
 
-#next sid is 2230019
+#next sid is 2230020
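Review bot: The added rule (sid 2230019) uses `flow:established` with no direction keyword, while the three SNI rules just above it all use `flow:established,to_server`, and nothing in the file says the difference is deliberate. It presumably is, since handshake records are sent by both client and server, so I would put a comment above the rule such as `# no direction keyword: an invalid handshake length can come from either side`. That keeps a later cleanup from "normalising" it to `to_server` and silently dropping server-side detections. The rule also relies on `tls.handshake_invalid_length` being registered in the TLS decoder's event table, which is outside this diff, so it is worth confirming the rule file loads cleanly against the matching engine build.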