From cd7f0273a21880cff8ff927abb327a30270015ba Mon Sep 17 00:00:00 2001
From: Anoop Saldanha
Date: Tue, 24 Sep 2013 11:31:37 +0530
Subject: [PATCH] Add decoder event rule for tls event "invalid_ssl_record", which will now be available "app-layer-event:tls.invalid_ssl_record".
---
 rules/tls-events.rules | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/tls-events.rules b/rules/tls-events.rules
index 273edadfcf..560d55bd34 100644
--- a/rules/tls-events.rules
+++ b/rules/tls-events.rules
@@ -16,6 +16,7 @@ alert tls any any -> any any (msg:"SURICATA TLS certificate unknown element"; fl
 alert tls any any -> any any (msg:"SURICATA TLS certificate invalid length"; flow:established; app-layer-event:tls.certificate_invalid_length; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230007; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS certificate invalid string"; flow:established; app-layer-event:tls.certificate_invalid_string; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230008; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS error message encountered"; flow:established; app-layer-event:tls.error_message_encountered; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230009; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid record/traffic"; flow:established; app-layer-event:tls.invalid_ssl_record; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230010; rev:1;)
-#next sid is 2230010
+#next sid is 2230011
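Review bot: The msg of the added sid:2230010 rule, `SURICATA TLS invalid record/traffic`, does not mirror its event name the way the neighbouring rules in the hunk do (`certificate invalid length` for `certificate_invalid_length`, `error message encountered` for `error_message_encountered`), which makes it harder to map an alert in the logs back to `tls.invalid_ssl_record`. Consider `msg:"SURICATA TLS invalid SSL record";` so the alert text and the event name stay aligned. The "/traffic" wording also suggests this event may fire on non-TLS data reaching the TLS parser rather than on a malformed record in a real TLS session; if that is the intent, a `#` comment line above the rule saying so would help operators judge the noise level, since this rule also increments `tls.anomaly.count`. The hunk header indicates trailing context lines that are not visible here.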