From c5f43785f1a032508b7c0e7686c945f6bf9d90f0 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 23 Apr 2014 15:38:32 +0200
Subject: [PATCH] tls/heartbleed: add rule for invalid encrypted hb
Add rule to tls-events.rules to match on the invalid encrypted heartbeat.
---
 rules/tls-events.rules | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/tls-events.rules b/rules/tls-events.rules
index 7c9ae6f09c..0dfaa8a567 100644
--- a/rules/tls-events.rules
+++ b/rules/tls-events.rules
@@ -21,5 +21,6 @@ alert tls any any -> any any (msg:"SURICATA TLS invalid record/traffic"; flow:es
 alert tls any any -> any any (msg:"SURICATA TLS heartbeat encountered"; flow:established; app-layer-event:tls.heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; sid:2230011; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS overflow heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.overflow_heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230012; rev:1;)
 alert tls any any -> any any (msg:"SURICATA TLS invalid heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.invalid_heartbeat_message; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230013; rev:1;)
+alert tls any any -> any any (msg:"SURICATA TLS invalid encrypted heartbeat encountered, possible exploit attempt (heartbleed)"; flow:established; app-layer-event:tls.dataleak_heartbeat_mismatch; flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; reference:cve,2014-0160; sid:2230014; rev:1;)
-#next sid is 2230014
+#next sid is 2230015
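Review bot: The new rule's message ("invalid encrypted heartbeat encountered") does not tell an analyst what the event `tls.dataleak_heartbeat_mismatch` actually signals, and unlike its three neighbours the event name ("dataleak", "mismatch") is not mirrored in the alert text, so the alert will be hard to triage next to sid 2230013's "invalid heartbeat". Since the rules file has no comments explaining the app-layer events, a one-line comment above the added rule would help, e.g. `# tls.dataleak_heartbeat_mismatch: raised by the TLS parser for an encrypted heartbeat it judges inconsistent; see the TLS app-layer decoder for the exact condition` (the precise trigger is not visible in this patch, so keep the wording that cautious). Consider also aligning the msg text with the event name, e.g. `"SURICATA TLS encrypted heartbeat mismatch, possible exploit attempt (heartbleed)"`, so the two vocabularies agree in logs. The hunk header advertises 5 old / 6 new lines while only 4 / 5 are visible here, so the collapsed rendering has probably lost one blank context line before `#next sid`; that is a page artefact, not a commit defect.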