Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-05 08:08:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

add signature for dtls client hello

Browse source
This commit is contained in:
Johanna Amann 2015-03-18 11:58:46 -07:00
parent 90bc5add6e
commit 58ed2eb9ae
2 changed files with 10 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

7
scripts/base/protocols/ssl/dpd.sig
View file

@ -13,3 +13,10 @@ signature dpd_ssl_client {
payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03]).*/ payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03]).*/
tcp-state originator tcp-state originator
} }
signature dpd_dtls_client {
ip-proto == udp
# Client hello.
payload /^\x16\xfe[\xff\xfd]\x00\x00\x00\x00\x00\x00\x00...\x01...........\xfe[\xff\xfd].*/
enable "dtls"
}

4
scripts/base/protocols/ssl/main.bro
View file

@ -97,7 +97,9 @@ const ssl_ports = {
989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 5223/tcp
}; };
const dtls_ports = { 4433/udp }; # As far as I know, there are no well known dtls ports at the moment. Let's
# just add 443 for now for good measure - who knows :)
const dtls_ports = { 443/udp };
redef likely_server_ports += { ssl_ports, dtls_ports }; redef likely_server_ports += { ssl_ports, dtls_ports };