We have a new probing parser to detect sslv2 records. todos to be covered later
authorAnoop Saldanha <poonaatsoc@gmail.com>
Thu, 26 Apr 2012 11:54:39 +0000 (17:24 +0530)
committerVictor Julien <victor@inliniac.net>
Thu, 7 Jun 2012 15:07:18 +0000 (17:07 +0200)
src/app-layer-ssl.c

index 0f5193fb035fb10c577348d150f47b5709edefc2..722accd7b4fe98b11707ab37ffac12c3e96ed6a3 100644 (file)
@@ -932,6 +932,21 @@ void SSLStateFree(void *p)
     return;
 }
 
+static uint16_t SSLProbingParser(uint8_t *input, uint32_t ilen)
+{
+    /* probably a rst/fin sending an eof */
+    if (ilen == 0)
+        return ALPROTO_UNKNOWN;
+
+    /* for now just the 3 byte header ones */
+    /* \todo Detect the 2 byte ones */
+    if ((input[0] & 0x80) && (input[2] == 0x01)) {
+        return ALPROTO_TLS;
+    }
+
+    return ALPROTO_FAILED;
+}
+
 /**
  * \brief Function to register the SSL protocol parser and other functions
  */
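Review bot: `SSLProbingParser` reads `input[2]` after checking only `ilen == 0`, so a call with one or two bytes of payload reads past the end of the buffer. The guard should cover every byte the test touches, e.g. `if (ilen < 3) return ALPROTO_UNKNOWN;`, so that short segments are deferred instead of being classified from memory outside the input. The comment says "3 byte header", but in SSLv2 a set high bit in the first byte marks the 2-byte header form, with the byte at index 2 being the message type; the comment and the todo look swapped and are worth rechecking. Records that begin with an SSLv3/TLS content type such as 0x16 fail the `0x80` test and return `ALPROTO_FAILED`; whether that result overrides other detection for port 443 is not visible in this hunk and should be confirmed.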
@@ -970,6 +985,16 @@ void RegisterSSLParsers(void)
 
     AppLayerRegisterStateFuncs(ALPROTO_TLS, SSLStateAlloc, SSLStateFree);
 
+    AppLayerRegisterProbingParser(&alp_proto_ctx,
+                                  443,
+                                  IPPROTO_TCP,
+                                  proto_name,
+                                  ALPROTO_TLS,
+                                  0, 3,
+                                  STREAM_TOSERVER,
+                                  APP_LAYER_PROBING_PARSER_PRIORITY_HIGH, 1,
+                                  SSLProbingParser);
+
     /* Get the value of no reassembly option from the config file */
     if (ConfGetBool("tls.no-reassemble", &ssl_config.no_reassemble) != 1)
         ssl_config.no_reassemble = 1;
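Review bot: The positional literals `0, 3` and the trailing `1` in the `AppLayerRegisterProbingParser` call are unexplained, so a reader cannot tell what bounds the probe runs under. If they are a minimum and maximum inspection depth, a comment such as `/* min depth, max depth */` would say so. A minimum of 0 would also let the callback run on fewer than the three bytes that `SSLProbingParser` indexes, in which case `3, 3` matches what the parser needs. The prototype is outside this hunk, so check the parameter order there before changing the values. Only port 443 with `STREAM_TOSERVER` is registered, so traffic on other ports or in the to-client direction is not probed by this change.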