add signature for dtls client hello

2025-10-04 23:58:20 +00:00 · 2015-03-18 11:58:46 -07:00 · 2015-03-18 11:58:46 -07:00 · 58ed2eb9ae
commit 58ed2eb9ae
parent 90bc5add6e
2 changed files with 10 additions and 1 deletions
--- a/scripts/base/protocols/ssl/dpd.sig
+++ b/scripts/base/protocols/ssl/dpd.sig
@ -13,3 +13,10 @@ signature dpd_ssl_client {
  payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03]).*/
  tcp-state originator
 }
+
+signature dpd_dtls_client {
+  ip-proto == udp
+	# Client hello.
+	payload /^\x16\xfe[\xff\xfd]\x00\x00\x00\x00\x00\x00\x00...\x01...........\xfe[\xff\xfd].*/
+	enable "dtls"
+}
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@ -97,7 +97,9 @@ const ssl_ports = {
 	989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
 };

-const dtls_ports = { 4433/udp };
+# As far as I know, there are no well known dtls ports at the moment. Let's
+# just add 443 for now for good measure - who knows :)
+const dtls_ports = { 443/udp };

 redef likely_server_ports += { ssl_ports, dtls_ports };