authorToni <matzeton@googlemail.com>2022-05-08 20:33:59 +0200
committerGitHub <noreply@github.com>2022-05-08 20:33:59 +0200
commit4319d760e0aa5b3818332f8bc355bd1b75045183 (patch)
treefaa1788c95d405e09df86115758223eb2c7c733a /src/lib
parent34882d9cf0b725fff87e38bd6dcc7a9cce645d4f (diff)
Improved TLS alert detection. (#1542)
Signed-off-by: lns <matzeton@googlemail.com>
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/protocols/tls.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 09ff86eb6..a79b355e5 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -947,6 +947,14 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
if(alert_level == 2 /* Warning (1), Fatal (2) */)
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_FATAL_ALERT);
}
+
+ u_int16_t const alert_len = ntohs(*(u_int16_t const *)&flow->l4.tcp.tls.message.buffer[3]);
+ if (flow->l4.tcp.tls.message.buffer[1] == 0x03 &&
+ flow->l4.tcp.tls.message.buffer[2] <= 0x04 &&
+ alert_len == (u_int32_t)flow->l4.tcp.tls.message.buffer_used - 5)
+ {
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
+ }
}
if((len > 9)
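Review bot: The added `alert_len` load casts `&flow->l4.tcp.tls.message.buffer[3]` to `u_int16_t const *`, which is a 16-bit read at offset 3 of what appears to be a byte buffer. That read is likely misaligned and can fault on strict-alignment targets; assembling the value from bytes avoids the problem: `u_int16_t const alert_len = (flow->l4.tcp.tls.message.buffer[3] << 8) | flow->l4.tcp.tls.message.buffer[4];`. Nothing visible in the hunk shows that `buffer_used` is at least 5 before bytes 3 and 4 are read, and if it is smaller the `(u_int32_t)flow->l4.tcp.tls.message.buffer_used - 5` wraps to a large value instead of going negative. The enclosing block starts outside the hunk, so a guard may already exist there; if it does not, the load should move inside the `if` and the condition should start with `flow->l4.tcp.tls.message.buffer_used >= 5 &&`. Because these bytes come from captured traffic, a one-line comment such as `/* TLS record header: type(1) version(2) length(2) */` above the check would also make the offsets and the `- 5` easier to audit.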