From: Mats Klepsland
Date: Wed, 15 Feb 2017 06:06:15 +0000 (+0100)
Subject: app-layer: add decoder event for missing TLS after STARTTLS
X-Git-Tag: suricata-4.0.0-beta1~95
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=72c757433aab3bab836eb41bc8dc5a2cb3d04116;p=thirdparty%2Fsuricata.git

app-layer: add decoder event for missing TLS after STARTTLS
---
diff --git a/rules/app-layer-events.rules b/rules/app-layer-events.rules
index 4d2ac28bbc..31a15d4189 100644
--- a/rules/app-layer-events.rules
+++ b/rules/app-layer-events.rules
@@ -10,5 +10,6 @@ alert ip any any -> any any (msg:"SURICATA Applayer Mismatch protocol both direc
 alert ip any any -> any any (msg:"SURICATA Applayer Wrong direction first Data"; flow:established; app-layer-event:applayer_wrong_direction_first_data; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260001; rev:1;)
 alert ip any any -> any any (msg:"SURICATA Applayer Detect protocol only one direction"; flow:established; app-layer-event:applayer_detect_protocol_only_one_direction; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260002; rev:1;)
 alert ip any any -> any any (msg:"SURICATA Applayer Protocol detection skipped"; flow:established; app-layer-event:applayer_proto_detection_skipped; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260003; rev:1;)
+alert ip any any -> any any (msg:"SURICATA Applayer No TLS after STARTTLS"; flow:established; app-layer-event:applayer_no_tls_after_starttls; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:226004; rev:1;)
-#next sid is 2260004
+#next sid is 2260005
diff --git a/src/app-layer-events.c b/src/app-layer-events.c
index cd00a4ee8b..b72a45431c 100644
--- a/src/app-layer-events.c
+++ b/src/app-layer-events.c
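Review bot: The sid on the added rule is `226004`, one digit short of the `2260004` that the removed `#next sid is 2260004` line had reserved and outside the 226000x block the neighbouring rules use; the line should end `... classtype:protocol-command-decode; sid:2260004; rev:1;)`, which is also what the updated `#next sid is 2260005` implies. As written the rule loads under an unrelated sid, so anything keyed on it (threshold or suppress entries, documentation of the applayer.anomaly events) would point at the wrong rule, and a later rule assigned 2260004 would silently take the slot this one was meant to fill.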
@@ -40,6 +40,8 @@ SCEnumCharMap app_layer_event_pkt_table[ ] = {
 APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION },
 { "APPLAYER_PROTO_DETECTION_SKIPPED",
 APPLAYER_PROTO_DETECTION_SKIPPED },
+ { "APPLAYER_NO_TLS_AFTER_STARTTLS",
+ APPLAYER_NO_TLS_AFTER_STARTTLS },
 { NULL, -1 },
 };
diff --git a/src/app-layer-events.h b/src/app-layer-events.h
index 0261a26f92..b55b9a620b 100644
--- a/src/app-layer-events.h
+++ b/src/app-layer-events.h
@@ -46,6 +46,7 @@ enum {
 APPLAYER_WRONG_DIRECTION_FIRST_DATA,
 APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION,
 APPLAYER_PROTO_DETECTION_SKIPPED,
+ APPLAYER_NO_TLS_AFTER_STARTTLS,
 };
 /* the event types for app events */
diff --git a/src/app-layer.c b/src/app-layer.c
index 5684075feb..bc62b060ca 100644
--- a/src/app-layer.c
+++ b/src/app-layer.c
@@ -574,6 +574,10 @@ int AppLayerHandleTCPData(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx,
 }
 SCLogDebug("protocol change, old %s, new %s", AppProtoToString(f->alproto_orig), AppProtoToString(f->alproto));
+ if (f->alproto != ALPROTO_TLS) {
+ AppLayerDecoderEventsSetEventRaw(&p->app_layer_events,
+ APPLAYER_NO_TLS_AFTER_STARTTLS);
+ }
 } else {
 SCLogDebug("stream data (len %" PRIu32 " alproto " "%"PRIu16" (flow %p)", data_len, f->alproto, f);
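Review bot: The added check in the app-layer.c hunk raises APPLAYER_NO_TLS_AFTER_STARTTLS on every protocol change whose result is not TLS, but nothing in the hunk ties that change to a STARTTLS request; it only compares the new `f->alproto` against ALPROTO_TLS, so if the protocol-change path can be entered for any other reason (not visible here) the event name, and the rule built on it, would be misleading. Either gate on the origin as well (only the `f->alproto_orig` values whose parser issues the change for STARTTLS) or state the assumption next to the check, e.g. `/* a protocol change is only requested after STARTTLS, so anything but TLS here means the peer did not upgrade: raise an event for the anomaly rules */`. The new enum value and table entry in the other two hunks are appended after the existing ones, so existing event numbers are unchanged. AppLayerHandleTCPData begins and ends outside the hunk.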