We have a new probing parser to detect sslv2 records. todos to be covered later

13 years ago · edb48c1557
parent fa121a1dd4
commit edb48c1557
1 changed files with 25 additions and 0 deletions
--- a/src/app-layer-ssl.c
+++ b/src/app-layer-ssl.c
@ -932,6 +932,21 @@ void SSLStateFree(void *p)
    return;
 }

+static uint16_t SSLProbingParser(uint8_t *input, uint32_t ilen)
+{
+    /* probably a rst/fin sending an eof */
+    if (ilen == 0)
+        return ALPROTO_UNKNOWN;
+
+    /* for now just the 3 byte header ones */
+    /* \todo Detect the 2 byte ones */
+    if ((input[0] & 0x80) && (input[2] == 0x01)) {
+        return ALPROTO_TLS;
+    }
+
+    return ALPROTO_FAILED;
+}
+
 /**
 * \brief Function to register the SSL protocol parser and other functions
 */
@ -970,6 +985,16 @@ void RegisterSSLParsers(void)

    AppLayerRegisterStateFuncs(ALPROTO_TLS, SSLStateAlloc, SSLStateFree);

+    AppLayerRegisterProbingParser(&alp_proto_ctx,
+                                  443,
+                                  IPPROTO_TCP,
+                                  proto_name,
+                                  ALPROTO_TLS,
+                                  0, 3,
+                                  STREAM_TOSERVER,
+                                  APP_LAYER_PROBING_PARSER_PRIORITY_HIGH, 1,
+                                  SSLProbingParser);
+
    /* Get the value of no reassembly option from the config file */
    if (ConfGetBool("tls.no-reassemble", &ssl_config.no_reassemble) != 1)
        ssl_config.no_reassemble = 1;