From 2942a26280866c5ecad13ce8d7a63a706dc9e1af Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Tue, 8 Apr 2014 12:44:51 -0700
Subject: [PATCH] also extract payload data in ssl_heartbeat
---
 scripts/policy/protocols/ssl/heartbleed.bro | 2 +-
 src/analyzer/protocol/ssl/events.bif | 2 +-
 src/analyzer/protocol/ssl/ssl-analyzer.pac | 8 ++++----
 src/analyzer/protocol/ssl/ssl-protocol.pac | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index d66ff4df2a..19728b1d0c 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -26,7 +26,7 @@ export { }; }
-event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count)
+event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
 { if ( heartbeat_type == 1 ) {
diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index e720089f45..a11e7bcc68 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -141,4 +141,4 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);
-event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count%);
+event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index d0ac88a5a1..29240161d1 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
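Review bot: The new `payload` parameter on `ssl_heartbeat` in events.bif is added without any description, and its name promises more precision than the parser gives it. In ssl-protocol.pac the value comes from `data : bytestring &restofdata`, so it is every byte that follows the length field (payload and padding together) and its size need not equal `payload_length`. The event's doc comment, which lies outside this hunk, should say so, for example `## payload: All bytes after the length field of a cleartext heartbeat (payload plus padding); its size can differ from payload_length.` On a response from a host affected by Heartbleed these bytes can be the peer's memory, so the comment should also tell handlers to treat the string as sensitive and not write it verbatim to logs or notices. The same parameter is added to the handler in heartbleed.bro, whose body continues outside its hunk.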
@@ -325,11 +325,11 @@ refine connection SSL_Conn += { return true; %}
- function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16) : bool
+ function proc_heartbeat(rec : SSLRecord, type: uint8, payload_length: uint16, data: bytestring) : bool
 %{ BifEvent::generate_ssl_heartbeat(bro_analyzer(),
- bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length);
-
+ bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length}, type, payload_length,
+ new StringVal(data.length(), (const char*) data.data()));
 return true; %}
@@ -353,7 +353,7 @@ refine typeattr ApplicationData += &let { }; refine typeattr Heartbeat += &let {
- proc : bool = $context.connection.proc_heartbeat(rec, type, payload_length);
+ proc : bool = $context.connection.proc_heartbeat(rec, type, payload_length, data);
 }; refine typeattr ClientHello += &let {
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index acded2dbf9..f8645410dc 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -233,7 +233,7 @@ type ApplicationData(rec: SSLRecord) = record { type Heartbeat(rec: SSLRecord) = record { type : uint8; payload_length : uint16;
- data : bytestring &restofdata &transient;
+ data : bytestring &restofdata;
 }; ######################################################################
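Review bot: In `proc_heartbeat` the `new StringVal(data.length(), (const char*) data.data())` argument is evaluated on every cleartext heartbeat record, before `BifEvent::generate_ssl_heartbeat` runs, so a copy of the record body is allocated even when no script handles the event. If the generated wrapper does not check for a handler itself (not visible here), that copy is wasted or possibly leaked, and a peer that sends many large heartbeats decides how much gets allocated. Guarding the call with the usual handler check, `if ( ssl_heartbeat ) BifEvent::generate_ssl_heartbeat(...);`, limits the cost to deployments where a handler is loaded. The `&transient` removal in the ssl-protocol.pac hunk is what lets `data` be read here, and it presumably means the parser now keeps its own copy of the same bytes as well.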