From: Mats Klepsland
Date: Wed, 18 May 2016 13:34:32 +0000 (+0200)
Subject: rules: add rule for HANDSHAKE_INVALID_LENGTH event
X-Git-Tag: suricata-3.2beta1~300
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7c36b11a8405f912456bcbef84d93cdc4e3cbf76;p=thirdparty%2Fsuricata.git
rules: add rule for HANDSHAKE_INVALID_LENGTH event
---
diff --git a/rules/tls-events.rules b/rules/tls-events.rules
index eccaaf5682..f22b1fed93 100644
--- a/rules/tls-events.rules
+++ b/rules/tls-events.rules
@@ -25,5 +25,6 @@ alert tls any any -> any any (msg:"SURICATA TLS invalid encrypted heartbeat enco
 alert tls any any -> any any (msg:"SURICATA TLS multiple SNI extensions"; flow:established,to_server; app-layer-event:tls.multiple_sni_extensions; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230016; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid SNI type"; flow:established,to_server; app-layer-event:tls.invalid_sni_type; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230017; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid SNI length"; flow:established,to_server; app-layer-event:tls.invalid_sni_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230018; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS handshake invalid length"; flow:established; app-layer-event:tls.handshake_invalid_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230019; rev:1;)
-#next sid is 2230019
+#next sid is 2230020
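Review bot: The added rule (sid:2230019) matches on `flow:established;` with no direction, while the three context rules directly above it all use `flow:established,to_server`, and nothing in the hunk says whether that difference is intended. If it is deliberate, presumably because a bad handshake length can arrive from either peer, a comment above the rule would stop a later cleanup from adding `to_server` and silently dropping server-side coverage. Something like `# handshake_invalid_length can be raised for either direction, so no to_server/to_client here` would do. If the decoder only sets the event for client-originated records, the rule should instead carry `to_server` like its neighbours. Only the tail of the file is visible in this hunk, so earlier rules may already follow the direction-less pattern.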