|
|
|
@ -165,6 +165,16 @@ static DetectAppLayerEventData *DetectAppLayerEventParsePkt(const char *arg,
|
|
|
|
|
return aled;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool OutdatedEvent(const char *raw)
|
|
|
|
|
{
|
|
|
|
|
if (strcmp(raw, "tls.certificate_missing_element") == 0 ||
|
|
|
|
|
strcmp(raw, "tls.certificate_unknown_element") == 0 ||
|
|
|
|
|
strcmp(raw, "tls.certificate_invalid_string") == 0) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \retval int 0 ok
|
|
|
|
|
* \retval int -1 error
|
|
|
|
|
* \retval int -3 non-fatal error: sig will be rejected w/o raising error
|
|
|
|
@ -178,6 +188,18 @@ static int DetectAppLayerEventParseAppP2(DetectAppLayerEventData *data,
|
|
|
|
|
char alproto_name[MAX_ALPROTO_NAME];
|
|
|
|
|
int r = 0;
|
|
|
|
|
|
|
|
|
|
if (OutdatedEvent(data->arg)) {
|
|
|
|
|
if (SigMatchStrictEnabled(DETECT_AL_APP_LAYER_EVENT)) {
|
|
|
|
|
SCLogError(SC_ERR_INVALID_SIGNATURE,
|
|
|
|
|
"app-layer-event keyword no longer supports event \"%s\"", data->arg);
|
|
|
|
|
return -1;
|
|
|
|
|
} else {
|
|
|
|
|
SCLogWarning(SC_ERR_INVALID_SIGNATURE,
|
|
|
|
|
"app-layer-event keyword no longer supports event \"%s\"", data->arg);
|
|
|
|
|
return -3;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const char *p_idx = strchr(data->arg, '.');
|
|
|
|
|
if (strlen(data->arg) > MAX_ALPROTO_NAME) {
|
|
|
|
|
SCLogError(SC_ERR_INVALID_SIGNATURE, "app-layer-event keyword is too long or malformed");
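Review bot: In the non-strict branch of the new `OutdatedEvent(data->arg)` check the rule is dropped with `return -3`, which the function's own doc comment describes as rejecting the signature without raising an error, so a ruleset that still uses one of the three listed `tls.certificate_*` events loses that detection with only a load-time warning. The message is the same in both branches and does not say the signature is being skipped; for the warning I would use `"app-layer-event keyword no longer supports event \"%s\"; signature will not be loaded"`. A comment above the check would help, for example `/* events the keyword no longer supports: error in strict mode, otherwise warn and skip the rule */`. `OutdatedEvent()` in the earlier hunk should get a one-line comment saying why these names are listed and where a rule writer should look for a replacement. The body of DetectAppLayerEventParseAppP2 continues outside the hunk.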
|
|
|
|
|