Extend ssl dpd signature to allow alert before server_hello.

The alert in this case is caused by the server name in the SNI not being recognized by the server, which triggers an alert. Since the server is an apache, and this might happen reasonably often, the new signature allows one TLS alert before the server hello is expected.
2025-10-16 05:28:20 +00:00 · 2015-10-22 13:36:21 -07:00 · 2015-10-22 13:36:21 -07:00 · 401e6c9102
commit 401e6c9102
parent 5734ead510
3 changed files with 4 additions and 1 deletions
--- a/scripts/base/protocols/ssl/dpd.sig
+++ b/scripts/base/protocols/ssl/dpd.sig
@ -1,7 +1,7 @@
 signature dpd_ssl_server {
  ip-proto == tcp
  # Server hello.
-  payload /^(\x16\x03[\x00\x01\x02\x03]..\x02...\x03[\x00\x01\x02\x03]|...?\x04..\x00\x02).*/
+  payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...\x03[\x00\x01\x02\x03]|...?\x04..\x00\x02).*/
  requires-reverse-signature dpd_ssl_client
  enable "ssl"
  tcp-state responder