From 7bd1448960ccea61fd7afbb0996e3f1a31f9da63 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sat, 29 Jan 2022 17:14:42 +0100
Subject: [PATCH] tests: add bug 1450 tests
---
 tests/bug-1450-01/README.md | 1 +
 tests/bug-1450-01/test.yaml | 23 +++++++++++++
 tests/bug-1450-01/tls-events.rules | 31 ++++++++++++++++++
 tests/bug-1450-01/tls_DER.pcap | Bin 0 -> 5698 bytes
 tests/bug-1450-02/README.md | 1 +
 tests/bug-1450-02/test.yaml | 23 +++++++++++++
 tests/bug-1450-02/tls-events.rules | 31 ++++++++++++++++++
 .../tls_DER-incomplete-content.pcap | Bin 0 -> 5696 bytes
 tests/bug-1450-03/README.md | 1 +
 tests/bug-1450-03/test.yaml | 23 +++++++++++++
 tests/bug-1450-03/tls-events.rules | 31 ++++++++++++++++++
 .../tls_DER-incomplete-header.pcap | Bin 0 -> 5696 bytes
 12 files changed, 165 insertions(+)
 create mode 100644 tests/bug-1450-01/README.md
 create mode 100644 tests/bug-1450-01/test.yaml
 create mode 100644 tests/bug-1450-01/tls-events.rules
 create mode 100644 tests/bug-1450-01/tls_DER.pcap
 create mode 100644 tests/bug-1450-02/README.md
 create mode 100644 tests/bug-1450-02/test.yaml
 create mode 100644 tests/bug-1450-02/tls-events.rules
 create mode 100644 tests/bug-1450-02/tls_DER-incomplete-content.pcap
 create mode 100644 tests/bug-1450-03/README.md
 create mode 100644 tests/bug-1450-03/test.yaml
 create mode 100644 tests/bug-1450-03/tls-events.rules
 create mode 100644 tests/bug-1450-03/tls_DER-incomplete-header.pcap
diff --git a/tests/bug-1450-01/README.md b/tests/bug-1450-01/README.md
new file mode 100644
index 000000000..309aab3e3
--- /dev/null
+++ b/tests/bug-1450-01/README.md
@@ -0,0 +1 @@
+Pcap generated by Pierre Chifflier
diff --git a/tests/bug-1450-01/test.yaml b/tests/bug-1450-01/test.yaml
new file mode 100644
index 000000000..e7f80bd6b
--- /dev/null
+++ b/tests/bug-1450-01/test.yaml
@@ -0,0 +1,23 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2230003
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2230007
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2230010
+
diff --git a/tests/bug-1450-01/tls-events.rules b/tests/bug-1450-01/tls-events.rules
new file mode 100644
index 000000000..2555f1895
--- /dev/null
+++ b/tests/bug-1450-01/tls-events.rules
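Review bot: The three per-sid filters pin the alerts the test cares about, but nothing bounds the total number of alerts, so a regression that additionally raises, say, 2230004 or 2230005 on the same pcap would still pass; a total-count filter such as `- filter: {count: 6, match: {event_type: alert}}` (using whatever total the pcap actually produces, and the corresponding value in the bug-1450-03 variant where each sid is expected once) turns the checks into an exact expectation. The test also carries no statement of what bug 1450 is or why tls_DER.pcap should yield exactly two alerts for each of 2230003, 2230007 and 2230010, and the one-line README does not say either; a header comment such as `# Bug 1450: <one-line description of the DER certificate handling issue>; expected counts below come from the three TLS events this pcap triggers` would let a maintainer judge whether a changed count is a fix or a regression. The same points apply to tests/bug-1450-03/test.yaml and, presumably, to the bug-1450-02 test.yaml, whose hunk is cut off in this view.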
@@ -0,0 +1,31 @@
+# TLS event rules
+#
+# SID's fall in the 2230000+ range. See http://doc.emergingthreats.net/bin/view/Main/SidAllocation
+#
+# These sigs fire at most once per connection.
+#
+# A flowint tls.anomaly.count is incremented for each match. By default it will be 0.
+#
+alert tls any any -> any any (msg:"SURICATA TLS invalid SSLv2 header"; flow:established; app-layer-event:tls.invalid_sslv2_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230000; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid TLS header"; flow:established; app-layer-event:tls.invalid_tls_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230001; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid record version"; flow:established; app-layer-event:tls.invalid_record_version; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230015; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid record type"; flow:established; app-layer-event:tls.invalid_record_type; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230002; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid handshake message"; flow:established; app-layer-event:tls.invalid_handshake_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230003; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid certificate"; flow:established; app-layer-event:tls.invalid_certificate; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230004; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS certificate missing element"; flow:established; app-layer-event:tls.certificate_missing_element; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230005; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS certificate unknown element"; flow:established; app-layer-event:tls.certificate_unknown_element; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230006; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS certificate invalid length"; flow:established; app-layer-event:tls.certificate_invalid_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230007; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS certificate invalid string"; flow:established; app-layer-event:tls.certificate_invalid_string; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230008; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS error message encountered"; flow:established; app-layer-event:tls.error_message_encountered; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230009; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid record/traffic"; flow:established; app-layer-event:tls.invalid_ssl_record; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230010; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS heartbeat encountered"; flow:established; app-layer-event:tls.heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230011; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS overflow heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.overflow_heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230012; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.invalid_heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230013; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid encrypted heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.dataleak_heartbeat_mismatch; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230014; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS multiple SNI extensions"; flow:established,to_server; app-layer-event:tls.multiple_sni_extensions; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230016; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid SNI type"; flow:established,to_server; app-layer-event:tls.invalid_sni_type; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230017; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid SNI length"; flow:established,to_server; app-layer-event:tls.invalid_sni_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230018; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS handshake invalid length"; flow:established; app-layer-event:tls.handshake_invalid_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230019; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS too many records in packet"; flow:established; app-layer-event:tls.too_many_records_in_packet; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230020; rev:1;)
+
+#next sid is 2230021
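Review bot: The header comment `# These sigs fire at most once per connection.` sits next to a test.yaml that expects each of sids 2230003, 2230007 and 2230010 twice on a single pcap; unless tls_DER.pcap carries two TLS connections, the expected counts show these events matching more than once per flow, and the comment is misleading and should be reworded or dropped rather than copied into three fixtures. The file appears to be a full copy of the shipped tls-events.rules (21 signatures) while the test asserts only three of them, and nothing in test.yaml checks that the other 18 stay silent, so the extra rules add coverage only if a total-alert count is asserted; either trim the file to the sids under test or state the intent at the top, e.g. `# Full copy of the shipped tls-events.rules so that unexpected TLS events on this pcap show up as extra alerts`. The identical copy in tests/bug-1450-03/tls-events.rules, and the bug-1450-02 copy whose hunk header is lost in this view, share the same points.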
diff --git a/tests/bug-1450-01/tls_DER.pcap b/tests/bug-1450-01/tls_DER.pcap new file mode 100644 index 0000000000000000000000000000000000000000..61810edb9b0144db4154c1b82e0246c4bc9bc1e7 GIT binary patch literal 5698 zc-rmQTS!zv7zgnG%$&38>e_m#wgRc_vUzDOSLtH0MiCWVUd$}fhXPBni$xM>*#+{U z2cJZ(?T(Tpm{CMgeq=})gh*LYR74R%(L)lU3iDK zb%8^}pJ-t6^WjZ*!To)}TKL!BiN-1*uV%~xkEQ$05rC=HTjhK_RGi(aPMqiM?PFO0 z*L=@49&NQYY}}&unGjLSKbK@KIUY#{l$>{aTy{S0t@2iSJyLHwpBN$+DP75`=C88m z74WYR*+Edvm{V@D-)fN(_f!G9n12O}Y+J2S>%Eq+qJwSrZ44AA z3C3nJuoNLa^uHKcSKM~F^ktL#9eI8fx~i|ATYaPKYDK5LZ|CmoKs{wq203XKC6g7G za1IqH$6_o(JxnonsohbE8?FP0$(C&)$VG?!8-iDGaOXHh20%f>>qpjno?k`_=V z&7;{APa4k1PP@>Ed`h4wiX#pk8YNORCLxJzBw)ovBq9br`PVBE3r&D=x$Bl?B$+9IDL?Kx|rAaFhN%B?V5SRcv5|ApJX2W!(SeS)dgwAxX3yo=96M_jY z1ZSLcb(%5N_=c)TS2^HNjW53v^pfNc6}z9vt1Jn3m5-#@W%sXO(SCVgiW0Xj3M)ET zNqlqgRSJ6r2i6Nwkg@Fh==;?xTyOf@3%oTudRFaC|Fm>kUq|k%Z&%KYe3(8W&ozCS zQIyk^6Z^6HY|6=oLtDDLT2ixzW8NNo(A-GLfG*q2WJhHKWLFWBbqspe37^k5qNz_` zz8N!S%$PA_#*7&=X3Ur|W9Gk)G2V(e6RBm!c#8suQSK++%8qMwcD*3nOl0kTU=92$ zL|j_S4e?f3(IG`wpg2(oaGs{%!v`XkDh&8u5d6%56T+AJvnise8RFf45Vwzuwq{@h z{3}HC3`{jfOs4|}LLJwnI@qa3OzuFDG2N any any (msg:"SURICATA TLS invalid SSLv2 header"; flow:established; app-layer-event:tls.invalid_sslv2_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230000; rev:1;) +alert tls any any -> any any (msg:"SURICATA TLS invalid TLS header"; flow:established; app-layer-event:tls.invalid_tls_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230001; rev:1;) +alert tls any any -> any any (msg:"SURICATA TLS invalid record version"; flow:established; app-layer-event:tls.invalid_record_version; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230015; rev:1;) +alert tls any any -> any any (msg:"SURICATA TLS invalid record type"; flow:established; app-layer-event:tls.invalid_record_type; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230002; rev:1;) +alert tls any 
any -> any any (msg:"SURICATA TLS invalid handshake message"; flow:established; app-layer-event:tls.invalid_handshake_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230003; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid certificate"; flow:established; app-layer-event:tls.invalid_certificate; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230004; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS certificate missing element"; flow:established; app-layer-event:tls.certificate_missing_element; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230005; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS certificate unknown element"; flow:established; app-layer-event:tls.certificate_unknown_element; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230006; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS certificate invalid length"; flow:established; app-layer-event:tls.certificate_invalid_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230007; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS certificate invalid string"; flow:established; app-layer-event:tls.certificate_invalid_string; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230008; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS error message encountered"; flow:established; app-layer-event:tls.error_message_encountered; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230009; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid record/traffic"; flow:established; app-layer-event:tls.invalid_ssl_record; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230010; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS heartbeat encountered"; flow:established; app-layer-event:tls.heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230011; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS overflow heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.overflow_heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230012; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.invalid_heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230013; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid encrypted heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.dataleak_heartbeat_mismatch; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230014; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS multiple SNI extensions"; flow:established,to_server; app-layer-event:tls.multiple_sni_extensions; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230016; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid SNI type"; flow:established,to_server; app-layer-event:tls.invalid_sni_type; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230017; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid SNI length"; flow:established,to_server; app-layer-event:tls.invalid_sni_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230018; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS handshake invalid length"; flow:established; app-layer-event:tls.handshake_invalid_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230019; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS too many records in packet"; flow:established; 
app-layer-event:tls.too_many_records_in_packet; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230020; rev:1;) + +#next sid is 2230021 diff --git a/tests/bug-1450-02/tls_DER-incomplete-content.pcap b/tests/bug-1450-02/tls_DER-incomplete-content.pcap new file mode 100644 index 0000000000000000000000000000000000000000..9283dd2dfb7b8e90cebcc8df9b1170380a872180 GIT binary patch literal 5696 zc-rmQTS!zv7zgnG%$!|yZFRj=Yk^pH+0t6mRqSG{l0-(A7fVa*p}-|5FuSDDx!#>=%I)(a+^7e*)bcOnDe zn)j*3BQ2JuO(kld2@$dSQ~8n=C&I~ql2_fBlpUkP)t)MkTk74N@j-H_(v_@g{vvBG zfNurKt~#$?^PPa2yQQArU}IY*9CDNWQA?G$zZ%%Xd@E37+w1jOZ?}dN?QDy8lfO7a zFgBNgB@6NH;j{7eW!+sno;SPRko(70XU&z4wO1=HRrcFPcJI3aoT3a$CkM@=M6%!l zI#7wdSdLtr!b!@crL>q9P%N3?K_0TvNKQ(lg_KGO6ovC>M};ge3z=v|i!65yEu$s0 zh~`raX=sz3cH#{3DUKp&8gZDQQ9MOr1`^0h0v1e1Jfh&0f4vIP&;%HlyDlllz=|Zf zHw|`q!XlrUDO+Mj1QO*_nzZ7PAYUa8fmqlOhg8`#D^iebW@c^{CT8L$p)rkXLNLLF z;EZ#wPBW$&-&7s$D#z@q@q2p$UXuKeWv&PED$7G%<$Wm**nBHcv~`UoDREnFNYT#9 zV_E{QQrIdvutA98^t|ss->xlizIxbO?5W!|RCplm!^+tseK{|__Oy+^OBt8vnm^Ae z&2G+)eqYm`e6p#wWN@H0HS1f{>mzqt&QKy?l5J+Pqp|_AtBA@lXEb`f-f>NRdh?AK zF=E7s5hF&77%^hRh!G?Iee~g0*ojCz(}!E+KZI+T8r6x-8c=f__zm4bid6sr literal 0 Hc-jL100001 diff --git a/tests/bug-1450-03/README.md b/tests/bug-1450-03/README.md new file mode 100644 index 000000000..309aab3e3 --- /dev/null +++ b/tests/bug-1450-03/README.md @@ -0,0 +1 @@ +Pcap generated by Pierre Chifflier diff --git a/tests/bug-1450-03/test.yaml b/tests/bug-1450-03/test.yaml new file mode 100644 index 000000000..5eaba52e9 --- /dev/null +++ b/tests/bug-1450-03/test.yaml @@ -0,0 +1,23 @@ +requires: + features: + - HAVE_LIBJANSSON +args: +- -k none + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2230003 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2230007 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2230010 + 
diff --git a/tests/bug-1450-03/tls-events.rules b/tests/bug-1450-03/tls-events.rules
new file mode 100644
index 000000000..2555f1895
--- /dev/null
+++ b/tests/bug-1450-03/tls-events.rules
@@ -0,0 +1,31 @@
+# TLS event rules
+#
+# SID's fall in the 2230000+ range. See http://doc.emergingthreats.net/bin/view/Main/SidAllocation
+#
+# These sigs fire at most once per connection.
+#
+# A flowint tls.anomaly.count is incremented for each match. By default it will be 0.
+#
+alert tls any any -> any any (msg:"SURICATA TLS invalid SSLv2 header"; flow:established; app-layer-event:tls.invalid_sslv2_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230000; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid TLS header"; flow:established; app-layer-event:tls.invalid_tls_header; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230001; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid record version"; flow:established; app-layer-event:tls.invalid_record_version; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230015; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid record type"; flow:established; app-layer-event:tls.invalid_record_type; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230002; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid handshake message"; flow:established; app-layer-event:tls.invalid_handshake_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230003; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid certificate"; flow:established; app-layer-event:tls.invalid_certificate; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230004; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS certificate missing element"; flow:established; app-layer-event:tls.certificate_missing_element; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230005; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS certificate unknown element"; flow:established; app-layer-event:tls.certificate_unknown_element; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230006; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS certificate invalid length"; flow:established; app-layer-event:tls.certificate_invalid_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230007; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS certificate invalid string"; flow:established; app-layer-event:tls.certificate_invalid_string; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230008; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS error message encountered"; flow:established; app-layer-event:tls.error_message_encountered; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230009; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid record/traffic"; flow:established; app-layer-event:tls.invalid_ssl_record; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230010; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS heartbeat encountered"; flow:established; app-layer-event:tls.heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230011; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS overflow heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.overflow_heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230012; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.invalid_heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230013; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid encrypted heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.dataleak_heartbeat_mismatch; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230014; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS multiple SNI extensions"; flow:established,to_server; app-layer-event:tls.multiple_sni_extensions; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230016; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid SNI type"; flow:established,to_server; app-layer-event:tls.invalid_sni_type; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230017; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid SNI length"; flow:established,to_server; app-layer-event:tls.invalid_sni_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230018; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS handshake invalid length"; flow:established; app-layer-event:tls.handshake_invalid_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230019; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS too many records in packet"; flow:established; app-layer-event:tls.too_many_records_in_packet; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230020; rev:1;)
+
+#next sid is 2230021
diff --git a/tests/bug-1450-03/tls_DER-incomplete-header.pcap b/tests/bug-1450-03/tls_DER-incomplete-header.pcap new file mode 100644 index 0000000000000000000000000000000000000000..2d37ba6385cc706bc2e4e15e0439fede56a198ba GIT binary patch literal 5696 zc-rmQTS!zv7zgnG%$&38*4lch)&i;QvZc1BtJuX@qmYU&FItw^LxH8(#Ucr`jD&jV z!KYAjwHry2phgiz`H>-I5FuSDDxwIX=pl(va+^7e*)qzCqJtIrHU)~) z1Y>g;Sh5fwpS&DdU($YQ$E!y7d-D9;;;O#ZR&c%SYDJfQVE5i@z$wb0G;-2hN+c^T zq74-&$5Q0t6i!kmEv7{@pQexwFY=I$dU8=JEua)ipcq_0E6QYfS;#~)nq;}FX$hs% zLYhahq@hK2+J!U7r#OnD$;6>Uqj-wOG$fFX1gw~fc*MXb|9T}RK@(tH?z*KI3mcN; z-efrB39Ec&x@?IBQAm_eY0`>Ef_#-Y1g5}_IHbs?*)R*q7G~iVp);N9LSq`&gkXXT z!5QaVon}lmzM(48RSr5-yNZ|$J)_>|^Nncg)0c0? zj2Sa#%$PA_#*7&=X3UuR?_&(NB2GkVnK9g=z)_U@vA43byUwl`hMS12I|!_We}#z4 zYq=rb3@bXM=n5343IWa+DfsB2h@}bxz8eHTGvK)JrT%J+C~Agy=O4tK