tls: increase max number of tls records per packet

TLS packets may contain several records. This increases the number
of allowed records per packet from 30 to 255, and adds a new and
more informative decoder event when this limit is reached.
pull/2459/head
Mats Klepsland 9 years ago committed by Victor Julien
parent 554065189c
commit 10c93221fa

@ -26,5 +26,6 @@ alert tls any any -> any any (msg:"SURICATA TLS multiple SNI extensions"; flow:e
alert tls any any -> any any (msg:"SURICATA TLS invalid SNI type"; flow:established,to_server; app-layer-event:tls.invalid_sni_type; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230017; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS invalid SNI length"; flow:established,to_server; app-layer-event:tls.invalid_sni_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230018; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS handshake invalid length"; flow:established; app-layer-event:tls.handshake_invalid_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230019; rev:1;)
alert tls any any -> any any (msg:"SURICATA TLS too many records in packet"; flow:established; app-layer-event:tls.too_many_records_in_packet; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230020; rev:1;)
#next sid is 2230020
#next sid is 2230021

@ -67,6 +67,7 @@ SCEnumCharMap tls_decoder_event_table[ ] = {
{ "MULTIPLE_SNI_EXTENSIONS", TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS },
{ "INVALID_SNI_TYPE", TLS_DECODER_EVENT_INVALID_SNI_TYPE },
{ "INVALID_SNI_LENGTH", TLS_DECODER_EVENT_INVALID_SNI_LENGTH },
{ "TOO_MANY_RECORDS_IN_PACKET", TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET },
/* certificate decoding messages */
{ "INVALID_CERTIFICATE", TLS_DECODER_EVENT_INVALID_CERTIFICATE },
{ "CERTIFICATE_MISSING_ELEMENT", TLS_DECODER_EVENT_CERTIFICATE_MISSING_ELEMENT },
@ -131,6 +132,8 @@ SslConfig ssl_config;
#define TLS_HB_REQUEST 1
#define TLS_HB_RESPONSE 2
#define SSL_PACKET_MAX_RECORDS 255
#define HAS_SPACE(n) ((uint32_t)((input) + (n) - (initial_input)) > (uint32_t)(input_len)) ? 0 : 1
static void SSLParserReset(SSLState *ssl_state)
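Review bot: `SSL_PACKET_MAX_RECORDS` is introduced as a bare number with no comment saying what it bounds or why 255 was chosen, and it sits between the heartbeat type defines and `HAS_SPACE`, which makes it read as another protocol constant rather than a parser safety limit. A one-line comment above it would help the next maintainer, e.g. `/* Max TLS records parsed from one input chunk before SSLDecode resets the parser and bails (DoS/loop guard, not a protocol value). */`. Note that 255 is exactly `UINT8_MAX`; if the `counter` in SSLDecode (declared outside the hunk) is an 8-bit type, raising this constant later would silently make the check unreachable, so the comment should also say what width the counter must have.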
@ -1365,11 +1368,12 @@ static int SSLDecode(Flow *f, uint8_t direction, void *alstate, AppLayerParserSt
/* if we have more than one record */
while (input_len > 0) {
if (counter++ == 30) {
if (counter++ == SSL_PACKET_MAX_RECORDS) {
SCLogDebug("Looks like we have looped quite a bit. Reset state "
"and get out of here");
SSLParserReset(ssl_state);
SSLSetEvent(ssl_state, TLS_DECODER_EVENT_INVALID_SSL_RECORD);
SSLSetEvent(ssl_state,
TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET);
return -1;
}
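Review bot: The debug message on the `SCLogDebug` lines still says "Looks like we have looped quite a bit", which no longer matches the now-named condition; it would be more useful as `SCLogDebug("Too many TLS records in one input chunk (limit %d); resetting state", SSL_PACKET_MAX_RECORDS);`. The `counter` variable is declared outside the hunk, so its type should be confirmed against the new limit: with `counter++ == SSL_PACKET_MAX_RECORDS` the event fires when a 256th record starts, which is consistent with the name, but only if `counter` is wider than 8 bits or exactly `uint8_t` (any future increase of the constant past 255 with a `uint8_t` counter would never trigger). It may also be worth noting in a comment that hitting this limit discards the whole TLS state for the flow via `SSLParserReset` before returning -1, since that is the behaviour a detection engineer sees when the new event fires. SSLDecode's body starts and ends outside the hunk.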

@ -46,6 +46,7 @@ enum {
TLS_DECODER_EVENT_MULTIPLE_SNI_EXTENSIONS,
TLS_DECODER_EVENT_INVALID_SNI_TYPE,
TLS_DECODER_EVENT_INVALID_SNI_LENGTH,
TLS_DECODER_EVENT_TOO_MANY_RECORDS_IN_PACKET,
/* Certificates decoding messages */
TLS_DECODER_EVENT_INVALID_CERTIFICATE,
TLS_DECODER_EVENT_CERTIFICATE_MISSING_ELEMENT,
