From a9867c706db5e47172c35ce0e03efc37176db4c2 Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Wed, 12 Aug 2015 17:02:24 -0700
Subject: [PATCH] Make Teredo DPD signature more precise.

Contributed by Martina Balint in https://github.com/bro/bro/pull/39. (I didn't merge the github branch, as that has some more stuff in its history. Instead I applied the single-line change directly.)
---
 CHANGES | 4 ++++
 VERSION | 2 +-
 scripts/base/protocols/tunnels/dpd.sig | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index ff97b9c2a1..e61c32f9eb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
+2.4-86 | 2015-08-12 17:02:24 -0700
+
+  * Make Teredo DPD signature more precise. (Martina Balint.)
+
 2.4-84 | 2015-08-10 14:44:39 -0700
   * Add hook 'HookSetupAnalyzerTree' to allow plugins access to a
diff --git a/VERSION b/VERSION
index b8af263b9a..3470468254 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.4-84
+2.4-86
diff --git a/scripts/base/protocols/tunnels/dpd.sig b/scripts/base/protocols/tunnels/dpd.sig
index 0c66775f5d..9c4bddeffd 100644
--- a/scripts/base/protocols/tunnels/dpd.sig
+++ b/scripts/base/protocols/tunnels/dpd.sig
@@ -9,6 +9,6 @@ signature dpd_ayiya {
 signature dpd_teredo {
   ip-proto = udp
-  payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f])/
+  payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f].{7}((\x20\x01\x00\x00)).{28})|([\x60-\x6f].{23}((\x20\x01\x00\x00))).{12}/
   enable "teredo"
 }
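Review bot: The `^` anchor in the new `payload` regex of `dpd_teredo` still binds only to the first alternative `(\x00\x00)`, so the `(\x00\x01)` branch and both new IPv6-header branches can match at any offset in the UDP payload rather than at its start, which undercuts the precision the change aims for (unless Bro anchors `payload` patterns implicitly, in which case the `^` is merely redundant). Wrapping the whole alternation gives every branch the anchor: `payload /^((\x00\x00)|(\x00\x01)|([\x60-\x6f].{7}\x20\x01\x00\x00.{28})|([\x60-\x6f].{23}\x20\x01\x00\x00.{12}))/`, which also moves the trailing `.{12}` inside its branch to mirror the `.{28}` of the previous one. The byte offsets are not self-explanatory, so a comment above the signature such as `# Teredo: a 40-byte IPv6 header whose source (offset 8) or destination (offset 24) address starts with the 2001:0000::/32 Teredo prefix; 0x0000/0x0001 are the Origin/Authentication indications` would help the next reader. If `.` in Bro signature regexes excludes the newline byte as in flex, a 0x0a byte in any of the wildcard positions would silently miss a Teredo packet; `[\x00-\xff]` in place of `.` avoids that if so.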