From edb48c15578817351bd4eea476123cf8998e25c1 Mon Sep 17 00:00:00 2001
From: Anoop Saldanha
Date: Thu, 26 Apr 2012 17:24:39 +0530
Subject: [PATCH] We have a new probing parser to detect sslv2 records. todos to be covered later
---
 src/app-layer-ssl.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/src/app-layer-ssl.c b/src/app-layer-ssl.c
index 0f5193fb03..722accd7b4 100644
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@@ -932,6 +932,21 @@ void SSLStateFree(void *p)
 return;
 }
+static uint16_t SSLProbingParser(uint8_t *input, uint32_t ilen)
+{
+ /* probably a rst/fin sending an eof */
+ if (ilen == 0)
+ return ALPROTO_UNKNOWN;
+
+ /* for now just the 3 byte header ones */
+ /* \todo Detect the 2 byte ones */
+ if ((input[0] & 0x80) && (input[2] == 0x01)) {
+ return ALPROTO_TLS;
+ }
+
+ return ALPROTO_FAILED;
+}
+
 /**
 * \brief Function to register the SSL protocol parser and other functions
 */
@@ -970,6 +985,16 @@ void RegisterSSLParsers(void)
 AppLayerRegisterStateFuncs(ALPROTO_TLS, SSLStateAlloc, SSLStateFree);
+ AppLayerRegisterProbingParser(&alp_proto_ctx,
+ 443,
+ IPPROTO_TCP,
+ proto_name,
+ ALPROTO_TLS,
+ 0, 3,
+ STREAM_TOSERVER,
+ APP_LAYER_PROBING_PARSER_PRIORITY_HIGH, 1,
+ SSLProbingParser);
+
 /* Get the value of no reassembly option from the config file */
 if (ConfGetBool("tls.no-reassemble", &ssl_config.no_reassemble) != 1)
 ssl_config.no_reassemble = 1;
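Review bot: In `SSLProbingParser` an input of one or two bytes passes the `ilen == 0` guard and then reads `input[2]`, which is past the end of the data handed to the parser; this is stream payload from the network, so the length check has to cover every index used. I would replace the guard with `if (ilen < 3) return ALPROTO_UNKNOWN;` so a short segment waits for more data instead of being read out of bounds. Whether the caller already guarantees three bytes is not visible here, and the `0, 3` passed at registration in the second hunk does not obviously promise it. Separately, the comment says the check covers the 3-byte header form, but in SSLv2 a set high bit in the first byte marks the 2-byte header, so the comment and the `\todo` look swapped and are worth confirming.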
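Review bot: In `RegisterSSLParsers` the new probe is registered at high priority for to-server traffic on port 443, yet `SSLProbingParser` returns `ALPROTO_FAILED` for anything that is not an SSLv2-style record, which would include SSLv3/TLS records whose first byte has no high bit set. If a FAILED result from the probe ends protocol detection for the flow (not visible in this hunk), ordinary TLS on 443 would go unclassified and uninspected, so that path deserves a test with a TLS handshake record before this is relied on. The bare `0, 3` and `1` arguments would also read better with a short comment naming each one; the first pair is presumably the minimum and maximum probe depth, e.g. `0, 3, /* min depth, max depth */`. The body of `RegisterSSLParsers` starts and ends outside the hunk.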