Moved DPD signatures into script specific directories.

- This caused us to lose signatures for POP3 and Bittorrent. These will need discovered in the repository again when we add scripts for those analyzers.
2025-10-17 05:58:20 +00:00 · 2013-07-09 22:44:55 -04:00 · 2013-07-09 22:44:55 -04:00 · 39444b5af7
commit 39444b5af7
parent 841604bebe
19 changed files with 181 additions and 216 deletions
--- a/scripts/base/protocols/ssl/load.bro
+++ b/scripts/base/protocols/ssl/load.bro
@ -1,3 +1,5 @@
@load ./consts
@load ./main
@load ./mozilla-ca-list
+
+@load-sigs ./dpd.sig
--- a/scripts/base/protocols/ssl/dpd.sig
+++ b/scripts/base/protocols/ssl/dpd.sig
@ -0,0 +1,15 @@
+signature dpd_ssl_server {
+  ip-proto == tcp
+  # Server hello.
+  payload /^(\x16\x03[\x00\x01\x02]..\x02...\x03[\x00\x01\x02]|...?\x04..\x00\x02).*/
+  requires-reverse-signature dpd_ssl_client
+  enable "ssl"
+  tcp-state responder
+}
+
+signature dpd_ssl_client {
+  ip-proto == tcp
+  # Client hello.
+  payload /^(\x16\x03[\x00\x01\x02]..\x01...\x03[\x00\x01\x02]|...?\x01[\x00\x01\x02][\x02\x03]).*/
+  tcp-state originator
+}