mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
95f1565498
This commit changes DPD matching for TLS connections. A one-sided match is enough to enable DPD now. This commit also removes DPD for SSLv2 connections. SSLv2 connections do basically no longer happen in the wild. SSLv2 is also really finnicky to identify correctly - there is very little data required to match it, and basically all matches today will be false positives. If DPD for SSLv2 is still desired, the optional signature in policy/protocols/ssl/dpd-v2.sig can be loaded. Fixes GH-1952
17 lines
550 B
Standard ML
17 lines
550 B
Standard ML
# This signature can be used to enable DPD for SSL version 2.
|
|
# Note that SSLv2 is basically unused by now. Due to the structure of the protocol, it also is sometimes
|
|
# hard to disambiguate it from random noise - so you will probably always get a few false positives.
|
|
|
|
signature dpd_ssl_server {
|
|
ip-proto == tcp
|
|
payload /^...?\x04..\x00\x02.*/
|
|
requires-reverse-signature dpd_ssl_client
|
|
tcp-state responder
|
|
enable "ssl"
|
|
}
|
|
|
|
signature dpd_ssl_client {
|
|
ip-proto == tcp
|
|
payload /^...?\x01[\x00\x03][\x00\x01\x02\x03\x04].*/
|
|
tcp-state originator
|
|
}
|