From 4319d760e0aa5b3818332f8bc355bd1b75045183 Mon Sep 17 00:00:00 2001
From: Toni
Date: Sun, 8 May 2022 20:33:59 +0200
Subject: Improved TLS alert detection. (#1542)
Signed-off-by: lns
---
 src/lib/protocols/tls.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'src/lib')
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 09ff86eb6..a79b355e5 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -947,6 +947,14 @@ static int ndpi_search_tls_tcp(struct ndpi_detection_module_struct *ndpi_struct,
 if(alert_level == 2 /* Warning (1), Fatal (2) */)
 ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_FATAL_ALERT);
 }
+
+ u_int16_t const alert_len = ntohs(*(u_int16_t const *)&flow->l4.tcp.tls.message.buffer[3]);
+ if (flow->l4.tcp.tls.message.buffer[1] == 0x03 &&
+ flow->l4.tcp.tls.message.buffer[2] <= 0x04 &&
+ alert_len == (u_int32_t)flow->l4.tcp.tls.message.buffer_used - 5)
+ {
+ ndpi_int_tls_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TLS);
+ }
 }
 if((len > 9)
--
cgit v1.2.3
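Review bot: The added `alert_len` load casts `&flow->l4.tcp.tls.message.buffer[3]` to `u_int16_t const *` and dereferences it, which is a type-punned read at an odd offset. Assuming `buffer` is a byte array, that address is normally not 2-byte aligned, so on strict-alignment targets the load can fault while parsing bytes taken from network traffic. Building the length from the two bytes avoids this and makes `ntohs` unnecessary: `u_int16_t const alert_len = (u_int16_t)((flow->l4.tcp.tls.message.buffer[3] << 8) | flow->l4.tcp.tls.message.buffer[4]);`. The new lines also read `buffer[1]` through `buffer[4]` and compute `buffer_used - 5` with no `buffer_used >= 5` guard visible in the hunk. The enclosing branch of `ndpi_search_tls_tcp` starts outside the hunk, so confirm an earlier check covers this path, or add `flow->l4.tcp.tls.message.buffer_used >= 5 &&` as the first condition.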