Add documentation, consts and tests for the new events.

This also fixes the heartbleed detector to work for encrypted attacks in this
branch again. It stopped working, because the SSL analyzer now successfully detects
established connections, and the scripts usually disable analyzing after that.

(The heartbeat branch should not have been affected)

scripts/base/protocols/ssl/consts.bro

@@ -94,6 +94,49 @@ export {
 		[65281] = "renegotiation_info"
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 
+	## Mapping between numeric codes and human readable string for SSL/TLS elliptic curves.
+	# See http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+	const ec_curves: table[count] of string = {
+		[1] = "sect163k1",
+		[2] = "sect163r1",
+		[3] = "sect163r2",
+		[4] = "sect193r1",
+		[5] = "sect193r2",
+		[6] = "sect233k1",
+		[7] = "sect233r1",
+		[8] = "sect239k1",
+		[9] = "sect283k1",
+		[10] = "sect283r1",
+		[11] = "sect409k1",
+		[12] = "sect409r1",
+		[13] = "sect571k1",
+		[14] = "sect571r1",
+		[15] = "secp160k1",
+		[16] = "secp160r1",
+		[17] = "secp160r2",
+		[18] = "secp192k1",
+		[19] = "secp192r1",
+		[20] = "secp224k1",
+		[21] = "secp224r1",
+		[22] = "secp256k1",
+		[23] = "secp256r1",
+		[24] = "secp384r1",
+		[25] = "secp521r1",
+		[26] = "brainpoolP256r1",
+		[27] = "brainpoolP384r1",
+		[28] = "brainpoolP512r1",
+		[0xFF01] = "arbitrary_explicit_prime_curves",
+		[0xFF02] = "arbitrary_explicit_char2_curves"
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+
+	## Mapping between numeric codes and human readable string for SSL/TLC EC point formats.
+	# See http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-9
+	const ec_point_formats: table[count] of string = {
+		[0] = "uncompressed",
+		[1] = "ansiX962_compressed_prime",
+		[2] = "ansiX962_compressed_char2"
+	} &default=function(i: count):string { return fmt("unknown-%d", i); };
+
 	# SSLv2
 	const SSLv20_CK_RC4_128_WITH_MD5 = 0x010080;
 	const SSLv20_CK_RC4_128_EXPORT40_WITH_MD5 = 0x020080;
@@ -821,42 +864,4 @@ export {
 		[TLS_EMPTY_RENEGOTIATION_INFO_SCSV] = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 
-	## Mapping between the constants and string values for SSL/TLS errors.
-	const x509_errors: table[count] of string = {
-		[0]  = "ok",
-		[1]  = "unable to get issuer cert",
-		[2]  = "unable to get crl",
-		[3]  = "unable to decrypt cert signature",
-		[4]  = "unable to decrypt crl signature",
-		[5]  = "unable to decode issuer public key",
-		[6]  = "cert signature failure",
-		[7]  = "crl signature failure",
-		[8]  = "cert not yet valid",
-		[9]  = "cert has expired",
-		[10] = "crl not yet valid",
-		[11] = "crl has expired",
-		[12] = "error in cert not before field",
-		[13] = "error in cert not after field",
-		[14] = "error in crl last update field",
-		[15] = "error in crl next update field",
-		[16] = "out of mem",
-		[17] = "depth zero self signed cert",
-		[18] = "self signed cert in chain",
-		[19] = "unable to get issuer cert locally",
-		[20] = "unable to verify leaf signature",
-		[21] = "cert chain too long",
-		[22] = "cert revoked",
-		[23] = "invalid ca",
-		[24] = "path length exceeded",
-		[25] = "invalid purpose",
-		[26] = "cert untrusted",
-		[27] = "cert rejected",
-		[28] = "subject issuer mismatch",
-		[29] = "akid skid mismatch",
-		[30] = "akid issuer serial mismatch",
-		[31] = "keyusage no certsign",
-		[32] = "unable to get crl issuer",
-		[33] = "unhandled critical extension",
-	} &default=function(i: count):string { return fmt("unknown-%d", i); };
-
 }

scripts/base/protocols/ssl/main.bro

@@ -159,7 +159,7 @@ event ssl_server_hello(c: connection, version: count, possible_ts: time, server_
 	c$ssl$cipher = cipher_desc[cipher];
 	}
 
-event tls_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5
+event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5
 	{
 	set_session(c);
 

scripts/policy/protocols/ssl/heartbleed.bro

@@ -1,6 +1,9 @@
 module Heartbleed;
 
-# Please note - this is not well tested. Use at your own risk.
+# Detect the TLS heartbleed attack. See http://heartbleed.com/
+
+# Do not disable analyzers after detection - otherwhise we will not notice encrypted attacks
+redef SSL::disable_analyzer_after_detection=F;
 
 redef record SSL::Info += {
 	last_originator_heartbeat_request_size: count &optional;

src/analyzer/protocol/ssl/events.bif

@@ -66,6 +66,8 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server
 ## information out of that as it can. This event provides access to any
 ## extensions either side sends as part of an extended *hello* message.
 ##
+## Note that Bro offers a few more specialized events for a few extensions.
+##
 ## c: The connection.
 ##
 ## is_orig: True if event is raised for originator side of the connection.
@@ -77,16 +79,75 @@ event ssl_server_hello%(c: connection, version: count, possible_ts: time, server
 ## val: The raw extension value that was sent in the message.
 ##
 ## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
-##    ssl_session_ticket_handshake
+##    ssl_session_ticket_handshake ssl_extension_ec_point_formats
+##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_server_name
 event ssl_extension%(c: connection, is_orig: bool, code: count, val: string%);
 
-event tls_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
+## This TLS extension is defined in :rfc:`4492` and sent by the client in the initial
+## handshake. It gives the list of elliptic curves supported by the client.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## curves: List of supported elliptic curves.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_ec_point_formats ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_server_name
+event ssl_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
 
-event tls_extension_elliptic_curves%(c: connection, is_orig: bool, curves: index_vec%);
+## This TLS extension is defined in :rfc:`4492` and sent by the client and/or server in the initial
+## handshake. It gives the list of elliptic curve point formats supported by the client.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## point_formats: List of supported point formats.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_application_layer_protocol_negotiation
+##    ssl_extension_server_name
+event ssl_extension_ec_point_formats%(c: connection, is_orig: bool, point_formats: index_vec%);
 
-event tls_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%);
+## This TLS extension is defined in draft-ietf-tls-applayerprotoneg and sent
+## in the initial handshake. It contains the list of client supported application protocols
+## by the client or the server, respectovely.
+##
+## At the moment it is mostly used to negotiate the use of SPDY / HTTP2-drafts.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## protocols: List of supported application layer protocols.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+##    ssl_extension_server_name
+event ssl_extension_application_layer_protocol_negotiation%(c: connection, is_orig: bool, protocols: string_vec%);
 
-event tls_extension_server_name%(c: connection, is_orig: bool, names: string_vec%);
+## This SSL/TLS extension is defined in :rfc:`3546` and sent by the client
+## in the initial handshake. It contains the name of the server it is contacting.
+## This information can be used by the server to choose the correct certificate for
+## the host the client wants to contact.
+##
+## c: The connection.
+##
+## is_orig: True if event is raised for originator side of the connection.
+##
+## protocols: List of supported application layer protocols.
+##
+## .. bro:see:: ssl_alert ssl_client_hello ssl_established ssl_server_hello
+##    ssl_session_ticket_handshake ssl_extension
+##    ssl_extension_elliptic_curves ssl_extension_ec_point_formats
+##    ssl_extension_application_layer_protocol_negotiation
+event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec%);
 
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
 ## an unencrypted handshake, and Bro extracts as much information out of that
@@ -147,6 +208,37 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 ##    ssl_alert
 event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%);
 
+## Generated for SSL/TLS heartbeat messages that are sent before session encryption
+## starts. Generally heartbeat messages should rarely be seen in normal TLS traffic.
+## Heartbeats are described in :rfc:`6520`.
+##
+## c: The connection.
+##
+## length: length of the entire heartbeat message.
+##
+## heartbeat_type: type of the heartbeat message. Per RFC, 1 = request, 2 = response
+##
+## payload_length: length of the payload of the heartbeat message, according to packet field
+##
+## payload: payload contained in the heartbeat message. Size can differ from payload_length,
+##          if payload_length and actual packet length disagree.
+##
+## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+##    ssl_alert ssl_encrypted_heartbeat
+event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);
+
+## Generated for SSL/TLS heartbeat messages that are sent after session encryption
+## started. Generally heartbeat messages should rarely be seen in normal TLS traffic.
+## Heartbeats are described in :rfc:`6520`.
+##
+## Note that :bro:id:`SSL::disable_analyzer_after_detection` has to be set to false.
+## Otherwhise this event will never be thrown.
+##
+## c: The connection.
+##
+## length: length of the entire heartbeat message.
+##
+## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
+##    ssl_alert ssl_heartbeat
 event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);
 
-event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);

src/analyzer/protocol/ssl/ssl-analyzer.pac

@@ -228,7 +228,7 @@ refine connection SSL_Conn += {
 				}
 			}
 
-		BifEvent::generate_tls_extension_ec_point_formats(bro_analyzer(), bro_analyzer()->Conn(),
+		BifEvent::generate_ssl_extension_ec_point_formats(bro_analyzer(), bro_analyzer()->Conn(),
 		   ${rec.is_orig}, points);
 
 		return true;
@@ -245,7 +245,7 @@ refine connection SSL_Conn += {
 				}
 			}
 
-		BifEvent::generate_tls_extension_elliptic_curves(bro_analyzer(), bro_analyzer()->Conn(),
+		BifEvent::generate_ssl_extension_elliptic_curves(bro_analyzer(), bro_analyzer()->Conn(),
 		   ${rec.is_orig}, curves);
 
 		return true;
@@ -262,7 +262,7 @@ refine connection SSL_Conn += {
 				}
 			}
 
-		BifEvent::generate_tls_extension_application_layer_protocol_negotiation(bro_analyzer(), bro_analyzer()->Conn(),
+		BifEvent::generate_ssl_extension_application_layer_protocol_negotiation(bro_analyzer(), bro_analyzer()->Conn(),
 		   ${rec.is_orig}, plist);
 
 		return true;
@@ -278,18 +278,18 @@ refine connection SSL_Conn += {
 				ServerName* servername = (*list)[i];
 				if ( servername->name_type() != 0 )
 					{
-					bro_analyzer()->Weird(fmt("Encountered unknown type in server name tls extension: %d", servername->name_type()));
+					bro_analyzer()->Weird(fmt("Encountered unknown type in server name ssl extension: %d", servername->name_type()));
 					continue;
 					}
 
 				if ( servername->host_name() )
 					servers->Assign(j++, new StringVal(servername->host_name()->host_name().length(), (const char*) servername->host_name()->host_name().data()));
 				else
-					bro_analyzer()->Weird("Empty server_name extension in tls connection");
+					bro_analyzer()->Weird("Empty server_name extension in ssl connection");
 				}
 			}
 
-		BifEvent::generate_tls_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(),
+		BifEvent::generate_ssl_extension_server_name(bro_analyzer(), bro_analyzer()->Conn(),
 		   ${rec.is_orig}, servers);
 
 		return true;

testing/btest/Baseline/scripts.base.protocols.ssl.tls-extension-events/.stdout

@@ -0,0 +1,13 @@
+server_name, 192.168.4.149, 74.125.239.152, [google.de]
+Curves, 192.168.4.149, 74.125.239.152
+secp256r1
+secp384r1
+secp521r1
+Point formats, 192.168.4.149, 74.125.239.152, T
+uncompressed
+ALPN, 192.168.4.149, 74.125.239.152, [spdy/3, spdy/3.1, http/1.1]
+Point formats, 192.168.4.149, 74.125.239.152, F
+uncompressed
+ansiX962_compressed_prime
+ansiX962_compressed_char2
+ALPN, 192.168.4.149, 74.125.239.152, [spdy/3.1]

testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-04-24-19-05-00
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1397169549.895057	CXWv6p3arKYeMETxOg	192.168.4.149	59676	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An Encrypted TLS heartbleed attack was probably detected! First packet client record length 1, first packet server record length 32	-	192.168.4.149	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-24-19-05-00

testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-04-24-18-30-54
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1396976220.863714	CXWv6p3arKYeMETxOg	173.203.79.216	41459	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack	An TLS heartbleed attack was detected! Record length 16368, payload length 16365	-	173.203.79.216	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+1396976220.918017	CXWv6p3arKYeMETxOg	173.203.79.216	41459	107.170.241.107	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack_Success	An TLS heartbleed attack detected before was probably exploited. Transmitted payload length in first packet: 16365	-	173.203.79.216	107.170.241.107	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-24-18-30-54

testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2014-04-24-18-29-46
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1396973486.753913	CXWv6p3arKYeMETxOg	173.203.79.216	46592	162.219.2.166	443	-	-	-	tcp	Heartbleed::SSL_Heartbeat_Attack	An TLS heartbleed attack was detected! Record length 16368, payload length 16365	-	173.203.79.216	162.219.2.166	443	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2014-04-24-18-29-46

testing/btest/scripts/base/protocols/ssl/tls-extension-events.test

@@ -0,0 +1,26 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/chrome-34-google.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event ssl_extension_elliptic_curves(c: connection, is_orig: bool, curves: index_vec)
+	{
+	print "Curves", c$id$orig_h, c$id$resp_h;
+	for ( i in curves )
+		print SSL::ec_curves[curves[i]];
+	}
+
+event ssl_extension_ec_point_formats(c: connection, is_orig: bool, point_formats: index_vec)
+	{
+	print "Point formats", c$id$orig_h, c$id$resp_h, is_orig;
+	for ( i in point_formats )
+		print SSL::ec_point_formats[point_formats[i]];
+	}
+
+event ssl_extension_application_layer_protocol_negotiation(c: connection, is_orig: bool, protocols: string_vec)
+	{
+	print "ALPN", c$id$orig_h, c$id$resp_h, protocols;
+	}
+
+event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
+	{
+	print "server_name", c$id$orig_h, c$id$resp_h, names;
+	}

testing/btest/scripts/policy/protocols/ssl/heartbleed.bro

@@ -0,0 +1,13 @@
+# TEST-EXEC: bro -C -r $TRACES/tls/heartbleed.pcap %INPUT
+# TEST-EXEC: mv notice.log notice-heartbleed.log
+# TEST-EXEC: btest-diff notice-heartbleed.log
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-success.pcap %INPUT
+# @TEST-EXEC: mv notice.log notice-heartbleed-success.log
+# @TEST-EXEC: btest-diff notice-heartbleed-success.log
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-encrypted-success.pcap %INPUT
+# @TEST-EXEC: mv notice.log notice-encrypted.log
+# @TEST-EXEC: btest-diff notice-encrypted.log
+
+@load protocols/ssl/heartbleed