From c41810a33780b1263f2e8a1b6939d398a267fa0f Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Tue, 8 Apr 2014 11:19:30 -0700
Subject: [PATCH] polish script and probably detect encrypted attacks too.
---
 scripts/policy/protocols/ssl/heartbleed.bro | 65 +++++++++++++++++++--
 1 file changed, 60 insertions(+), 5 deletions(-)
diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index b3f81034b0..c9a9622e2c 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -1,9 +1,11 @@
 module Heartbleed;
 
 redef record SSL::Info += {
-# last_originator_heartbeat_request_size: count &optional;
-# originator_heartbeats: count &default=0;
-# responder_heartbeats: count &default=0;
+ last_originator_heartbeat_request_size: count &optional;
+ last_responder_heartbeat_request_size: count &optional;
+ originator_heartbeats: count &default=0;
+ responder_heartbeats: count &default=0;
+ heartbleed_detected: bool &default=F;
 };
 
 
@@ -11,8 +13,14 @@ export {
 redef enum Notice::Type += {
 ## Indicates that a host performing a heartbleed attack.
 SSL_Heartbeat_Attack,
- ## Indicates that a host performing a heartbleed attack was probably successful.
+ ## Indicates that a host performing a heartbleed attack was successful.
 SSL_Heartbeat_Attack_Success,
+ ## Indivcates that a host performing a heartbleed attack after encryption was started was probably successful
+ SSL_Heartbeat_Encrypted_Attack_Success,
+ ## Indicates we saw heartbeet requests with odd length. Probably an attack.
+ SSL_Heartbeat_Odd_Length,
+ ## Indicates we saw many heartbeat requests without an reply. Might be an attack.
+ SSL_Heartbeat_Many_Requests
 };
 }
 
@@ -20,7 +28,6 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
 {
 if ( heartbeat_type == 1 )
 {
- local checklength: count = (length<(3+16)) ? length : (length - 3 - 16);
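Review bot: The new `heartbleed_detected: bool &default=F;` field added to `SSL::Info` in the first hunk is not assigned or read anywhere in the hunks visible here, so it is dead state unless the cut-off third hunk uses it. If it is meant to suppress repeated notices on the same connection, set it where a success notice fires and test it before raising another one; otherwise drop the field. A short `##` doc line on each new field, e.g. `## Size of the last client heartbeat request seen, used to compare against the reply.`, would also help, since the fields now become part of the exported record.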
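Review bot: The `##` comments on the three new `Notice::Type` values in the second hunk are rendered into the generated script documentation, and they carry typos: `## Indivcates that a host ... was probably successful` should read `## Indicates that a host performing a heartbleed attack after encryption was started was probably successful.`, `heartbeet requests` should be `heartbeat requests`, and `without an reply` should be `without a reply`. The wording change on `SSL_Heartbeat_Attack_Success` from "probably successful" to "successful" is a strong claim for a length-heuristic detector; if it is intentional, a sentence on why the unencrypted check is considered definitive would help readers.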
@@ -42,3 +49,51 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
 ]);
 }
 }
+
+event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
+ {
+ if ( is_orig )
+ ++c$ssl$originator_heartbeats;
+ else
+ ++c$ssl$responder_heartbeats;
+
+ if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
+ NOTICE([$note=SSL_Heartbeat_Many_Requests,
+ $msg="Seeing more than 3 heartbeat requests without replies from server. Possible attack?",
+ $conn=c
+ ]);
+
+ if ( is_orig && length < 19 )
+ NOTICE([$note=SSL_Heartbeat_Odd_Length,
+ $msg="Heartbeat message smaller than minimum length. Probable attack.",
+ $conn=c
+ ]);
+
+ if ( is_orig )
+ {
+ if ( c$ssl?$last_responder_heartbeat_request_size )
+ {
+ # server originated heartbeat. Ignore & continue
+ delete c$ssl$last_responder_heartbeat_request_size;
+ }
+ else
+ c$ssl$last_originator_heartbeat_request_size = length;
+ }
+ else
+ {
+ if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size > length )
+ {
+ NOTICE([$note=SSL_Heartbeat_Encrypted_Attack_Success,
+ $msg="An Encrypted TLS heartbleed attack was probably detected!",
+ $conn=c
+ ]);
+ }
+ else if ( ! c$ssl?$last_originator_heartbeat_request_size )
+ {
+ c$ssl$last_responder_heartbeat_request_size = length;
+ }
+
+ if ( c$ssl?$last_originator_heartbeat_request_size )
+ delete c$ssl$last_originator_heartbeat_request_size;
+ }
+ }
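Review bot: The encrypted-attack test in the responder branch of `ssl_encrypted_heartbeat`, `c$ssl$last_originator_heartbeat_request_size > length`, appears inverted: a Heartbleed request is a small record claiming a large payload, and the vulnerable server answers with a record sized by that claimed length, so the suspicious case is a reply larger than the request, i.e. `c$ssl$last_originator_heartbeat_request_size < length`. As written the notice would fire on a benign large heartbeat that receives a shorter reply and stay silent on the actual leak; if the `>` is deliberate, a comment explaining the expected size relationship is needed. Separately, `SSL_Heartbeat_Many_Requests` re-fires on every further client heartbeat once the counter gap exceeds 3, and nothing in this hunk uses the new `heartbleed_detected` field, so an `$identifier=cat(c$id$orig_h, c$id$resp_h)` on the NOTICE (or a one-shot flag) would keep a single scanning host from flooding notice.log.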