Merge remote-tracking branch 'origin/topic/bernhard/ssl-analyzer'

* origin/topic/bernhard/ssl-analyzer:
  Fix a few failing tests
  Add very basic ocsp stapling support.
  Add documentation, consts and tests for the new events.
  Support parsing of several TLS extensions.
  Make SSL/TLS version detection less brittle.
  Nicer notices for heartbleed.
  rip out state handline from ssl analyzer.
  enable detection of encrypted heartbleeds.
  also extract payload data in ssl_heartbeat
  add to local.bro, add disclaimer
  make tls heartbeat messages a bit better.
  fix tabs.
  polish script and probably detect encrypted attacks too.
  detect and alert on simple case of heartbleed
  default to TLS when not being able to determine version
  add is_orig to heartbeat event
  Throw new event for heartbeat messages.

BIT-1178 #merged

testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout

@@ -0,0 +1 @@
+F, 1995

testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout

@@ -0,0 +1,13 @@
+server_name, 192.168.4.149, 74.125.239.152, [google.de]
+Curves, 192.168.4.149, 74.125.239.152
+secp256r1
+secp384r1
+secp521r1
+Point formats, 192.168.4.149, 74.125.239.152, T
+uncompressed
+ALPN, 192.168.4.149, 74.125.239.152, [spdy/3, spdy/3.1, http/1.1]
+Point formats, 192.168.4.149, 74.125.239.152, F
+uncompressed
+ansiX962_compressed_prime
+ansiX962_compressed_char2
+ALPN, 192.168.4.149, 74.125.239.152, [spdy/3.1]

testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-04-24-19-05-00
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1397169549.895057	CXWv6p3arKYeMETxOg	192.168.4.149	59676	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An Encrypted TLS heartbleed attack was probably detected! First packet client record length 1, first packet server record length 32	-	192.168.4.149	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-24-19-05-00

testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-04-24-18-30-54
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1396976220.863714	CXWv6p3arKYeMETxOg	173.203.79.216	41459	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack	An TLS heartbleed attack was detected! Record length 16368, payload length 16365	-	173.203.79.216	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+1396976220.918017	CXWv6p3arKYeMETxOg	173.203.79.216	41459	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An TLS heartbleed attack detected before was probably exploited. Transmitted payload length in first packet: 16365	-	173.203.79.216	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-24-18-30-54

testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-04-24-18-29-46
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1396973486.753913	CXWv6p3arKYeMETxOg	173.203.79.216	46592	162.219.2.166	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack	An TLS heartbleed attack was detected! Record length 16368, payload length 16365	-	173.203.79.216	162.219.2.166	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-24-18-29-46

testing/btest/core/leaks/http-connect.bro

@@ -5,7 +5,7 @@
 # @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
 #
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/http/connect-with-smtp.trace %INPUT
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 30
 
 @load base/protocols/conn
 @load base/protocols/http

testing/btest/core/leaks/x509_verify.bro

@@ -5,7 +5,7 @@
 # @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
 #
 # @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -m -r $TRACES/tls/tls-expired-cert.trace %INPUT
-# @TEST-EXEC: btest-bg-wait 15
+# @TEST-EXEC: btest-bg-wait 30
 
 @load base/protocols/ssl
 

testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test

@@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string)
+	{
+	print is_orig, |response|;
+	}

testing/btest/scripts/base/protocols/ssl/tls-extension-events.test

@@ -0,0 +1,26 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/chrome-34-google.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
+	{
+	print "Curves", c$id$orig_h, c$id$resp_h;
+	for ( i in curves )
+		print SSL::ec_curves[curves[i]];
+	}
+
+event ssl_extension_ec_point_formats(c: connection, is_orig: bool, point_formats: index_vec)
+	{
+	print "Point formats", c$id$orig_h, c$id$resp_h, is_orig;
+	for ( i in point_formats )
+		print SSL::ec_point_formats[point_formats[i]];
+	}
+
+event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, protocols: string_vec)
+	{
+	print "ALPN", c$id$orig_h, c$id$resp_h, protocols;
+	}
+
+event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
+	{
+	print "server_name", c$id$orig_h, c$id$resp_h, names;
+	}

testing/btest/scripts/policy/protocols/ssl/heartbleed.bro

@@ -0,0 +1,13 @@
+# TEST-EXEC: bro -C -r $TRACES/tls/heartbleed.pcap %INPUT
+# TEST-EXEC: mv notice.log notice-heartbleed.log
+# TEST-EXEC: btest-diff notice-heartbleed.log
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-success.pcap %INPUT
+# @TEST-EXEC: mv notice.log notice-heartbleed-success.log
+# @TEST-EXEC: btest-diff notice-heartbleed-success.log
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-encrypted-success.pcap %INPUT
+# @TEST-EXEC: mv notice.log notice-encrypted.log
+# @TEST-EXEC: btest-diff notice-encrypted.log
+
+@load protocols/ssl/heartbleed