From 58ed2eb9aedc9c7f8cbce06e0582f3d1364ea53a Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Wed, 18 Mar 2015 11:58:46 -0700
Subject: [PATCH] add signature for dtls client hello

---
 scripts/base/protocols/ssl/dpd.sig  | 7 +++++++
 scripts/base/protocols/ssl/main.bro | 4 +++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/scripts/base/protocols/ssl/dpd.sig b/scripts/base/protocols/ssl/dpd.sig
index b888d84cec..e238575568 100644
--- a/scripts/base/protocols/ssl/dpd.sig
+++ b/scripts/base/protocols/ssl/dpd.sig
@@ -13,3 +13,10 @@ signature dpd_ssl_client {
   payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03]).*/
   tcp-state originator
 }
+
+signature dpd_dtls_client {
+  ip-proto == udp
+  # Client hello.
+  payload /^\x16\xfe[\xff\xfd]\x00\x00\x00\x00\x00\x00\x00...\x01...........\xfe[\xff\xfd].*/
+  enable "dtls"
+}
diff --git a/scripts/base/protocols/ssl/main.bro b/scripts/base/protocols/ssl/main.bro
index 2b448fec6c..75e41e4077 100644
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@@ -97,7 +97,9 @@ const ssl_ports = {
 	989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
 };
 
-const dtls_ports = { 4433/udp };
+# As far as I know, there are no well known dtls ports at the moment. Let's
+# just add 443 for now for good measure - who knows :)
+const dtls_ports = { 443/udp };
 
 redef likely_server_ports += { ssl_ports, dtls_ports };
 
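Review bot: The new `dpd_dtls_client` signature turns on the `dtls` analyzer from a single originator datagram with no responder-side confirmation, so the analyzer attaches to any UDP flow whose first payload bytes happen to match, including unsolicited or spoofed packets to a host that never answers; if the DTLS analyzer is expected to cope with that it deserves a comment, otherwise a `dpd_dtls_server` signature with `requires-reverse-signature dpd_dtls_client` as the activation point would mirror the usual two-sided DPD pattern. The payload regex is also dense enough to merit a byte-level comment: the seven `\x00` bytes plus one free byte cover epoch and the 48-bit sequence number, presumably so the retransmitted ClientHello after a HelloVerifyRequest still matches, and the eleven `.` after the `\x01` handshake type skip length, message_seq, fragment_offset and fragment_length before the client_version bytes. Replacing `# Client hello.` with `# DTLS 1.0/1.2 record (epoch 0, low sequence byte free) carrying handshake type 1 (ClientHello); the 11 skipped bytes are length, message_seq, fragment_offset and fragment_length.` would make the layout checkable against the RFC.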
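Review bot: `const dtls_ports = { 443/udp };` replaces 4433/udp rather than adding to it, so flows on the port this script treated as a DTLS server port until now lose their `likely_server_ports` direction hint; `const dtls_ports = { 443/udp, 4433/udp };` keeps both, which costs nothing since the set only seeds a hint and 4433 is the default listening port of `openssl s_server`. The new comment reads as a shrug rather than a rationale; something like `# No well-known DTLS port is assigned; 443/udp is a best guess, and the set only seeds likely_server_ports.` states why the value is arbitrary without the aside. The port change is also not reflected in the commit subject, which names only the signature.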