From 7c36b11a8405f912456bcbef84d93cdc4e3cbf76 Mon Sep 17 00:00:00 2001
From: Mats Klepsland
Date: Wed, 18 May 2016 15:34:32 +0200
Subject: [PATCH] rules: add rule for HANDSHAKE_INVALID_LENGTH event
---
 rules/tls-events.rules | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/tls-events.rules b/rules/tls-events.rules
index eccaaf5682..f22b1fed93 100644
--- a/rules/tls-events.rules
+++ b/rules/tls-events.rules
@@ -25,5 +25,6 @@ alert tls any any -> any any (msg:"SURICATA TLS invalid encrypted heartbeat enco
 alert tls any any -> any any (msg:"SURICATA TLS multiple SNI extensions"; flow:established,to_server; app-layer-event:tls.multiple_sni_extensions; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230016; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid SNI type"; flow:established,to_server; app-layer-event:tls.invalid_sni_type; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230017; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid SNI length"; flow:established,to_server; app-layer-event:tls.invalid_sni_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230018; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS handshake invalid length"; flow:established; app-layer-event:tls.handshake_invalid_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230019; rev:1;)
-#next sid is 2230019
+#next sid is 2230020
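Review bot: The new sid:2230019 rule uses `flow:established;` with no direction, while the three context rules above it all restrict matching to `flow:established,to_server`, and the asymmetry is not explained in the hunk or the commit message. If the handshake length check fires on both client- and server-originated handshake records, the directionless form is correct, but a reader comparing it with its neighbours will reasonably suspect an omission; a one-line comment such as `# handshake_invalid_length is raised for either direction, so no to_server/to_client restriction` immediately above the rule would settle that. This also presumes the TLS parser registers the event under the exact name `tls.handshake_invalid_length`; that registration is outside this patch and should be confirmed, since a mismatched event name yields a rule that loads but never alerts.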