SSL: update dpd signature for TLS1.3

The dpd signature missed a few cases that are used for TLS 1.3,
especially when draft versions (which are all that we are seeing at the
moment) are being negotiated.

This fix mostly allows draft versions in the server hello (identified by
7F[version]; since we do not know how many drafts there will be, we are
currently allowing a rather safe upper limit.

scripts/base/protocols/ssl/dpd.sig

@@ -1,7 +1,7 @@
 signature dpd_ssl_server {
   ip-proto == tcp
   # Server hello.
-  payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...\x03[\x00\x01\x02\x03]|...?\x04..\x00\x02).*/
+  payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...((\x03[\x00\x01\x02\x03\x04])|(\x7F[\x00-\x50]))|...?\x04..\x00\x02).*/
   requires-reverse-signature dpd_ssl_client
   enable "ssl"
   tcp-state responder
@@ -10,7 +10,7 @@ signature dpd_ssl_server {
 signature dpd_ssl_client {
   ip-proto == tcp
   # Client hello.
-  payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03]).*/
+  payload /^(\x16\x03[\x00\x01\x02\x03]..\x01...\x03[\x00\x01\x02\x03]|...?\x01[\x00\x03][\x00\x01\x02\x03\x04]).*/
   tcp-state originator
 }
 

testing/btest/Baseline/scripts.base.protocols.ssl.dpd/.stdout

@@ -8,3 +8,6 @@ Start test run
 Client hello, 10.0.0.80, 68.233.76.12, 771
 Start test run
 Client hello, 192.168.6.217, 67.207.128.99, 771
+Start test run
+Client hello, 192.168.6.240, 139.162.123.134, 771
+Client hello, 192.168.6.240, 139.162.123.134, 771

testing/btest/scripts/base/protocols/ssl/dpd.test

@@ -2,6 +2,7 @@
 # @TEST-EXEC: bro -b -r $TRACES/tls/ssl.v3.trace %INPUT
 # @TEST-EXEC: bro -b -r $TRACES/tls/tls1.2.trace %INPUT
 # @TEST-EXEC: bro -b -r $TRACES/tls/tls-early-alert.trace %INPUT
+# @TEST-EXEC: bro -b -r $TRACES/tls/tls-13draft19-early-data.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout
 
 @load base/frameworks/dpd