Add decoder event rule for tls event "invalid_ssl_record", which will now be availabl...
authorAnoop Saldanha <anoopsaldanha@gmail.com>
Tue, 24 Sep 2013 06:01:37 +0000 (11:31 +0530)
committerVictor Julien <victor@inliniac.net>
Tue, 24 Sep 2013 13:22:18 +0000 (15:22 +0200)
rules/tls-events.rules

index 273edadfcffcda08ebdb3b86e7f297c8d1598198..560d55bd349440618b98aebff49f819cec5f72a3 100644 (file)
@@ -16,6 +16,7 @@ alert tls any any -> any any (msg:"SURICATA TLS certificate unknown element"; fl
 alert tls any any -> any any (msg:"SURICATA TLS certificate invalid length"; flow:established; app-layer-event:tls.certificate_invalid_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230007; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS certificate invalid string"; flow:established; app-layer-event:tls.certificate_invalid_string; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230008; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS error message encountered"; flow:established; app-layer-event:tls.error_message_encountered; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230009; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid record/traffic"; flow:established; app-layer-event:tls.invalid_ssl_record; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230010; rev:1;)
 
-#next sid is 2230010
+#next sid is 2230011
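Review bot: The added rule's msg, "SURICATA TLS invalid record/traffic", breaks the pattern of the neighbouring rules, whose msg text mirrors the event keyword (`tls.certificate_invalid_length` reads "certificate invalid length"). An analyst pivoting from an alert to `app-layer-event:tls.invalid_ssl_record` then has no matching words to search on; consider `msg:"SURICATA TLS invalid SSL record"`. A one-line comment above the rule would also help triage, for example `# tls.invalid_ssl_record: record could not be parsed as SSL/TLS; may also fire on non-TLS traffic on a TLS port (confirm against the decoder)`. The rule presumably depends on an engine build that defines this event, so the rules file should ship together with the decoder change; a rule naming an unknown app-layer event is likely to be rejected at load time.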