Introduce ssl_plaintext_data event.

This event is the replacement for ssl_application_data, which is removed
in the same commit. It is more generic, containing more information than
ssl_application_dataand is raised for all SSL/TLS messages that are
exchanged before encryption starts.

It is used by Bro internally to determine when a TLS1.3 session has been
completely established. Apart from that, it can be used to, e.g.,
determine the record layer TLS version.

scripts/base/protocols/ssl/main.bro

@@ -302,11 +302,11 @@ event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &pr
 		}
 	}
 
-event ssl_application_data(c: connection, is_orig: bool, length: count)
+event ssl_plaintext_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count) &priority=5
 	{
 	set_session(c);
 
-	if ( ! c$ssl?$version || c$ssl$established )
+	if ( ! c$ssl?$version || c$ssl$established || content_type != APPLICATION_DATA )
 		return;
 
 	if ( c$ssl$version_num/0xFF != 0x7F && c$ssl$version_num != TLSv13 )

src/analyzer/protocol/ssl/events.bif

@@ -309,22 +309,28 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 ##    ssl_alert ssl_encrypted_data
 event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string%);
 
-## Generated for non-handshake SSL/TLS application_data messages that are sent before
+## Generated for SSL/TLS messages that are sent before full session encryption
-## full encryption starts. For TLS 1.2 and lower, this event should not be raised. For TLS 1.3,
+## starts. Note that "full encryption" is a bit fuzzy, especially for TLSv1.3;
-## it is used by Bro internally to determine if the connection has been completely setup.
+## here this event will be raised for early packets that are already using
-## This is necessary as TLS 1.3 does not have CCS anymore.
+## pre-encryption.  # This event is also used by Bro internally to determine if
+## the connection has been completely setup.  # This is necessary as TLS 1.3 does
+## not have CCS anymore.
 ##
 ## c: The connection.
 ##
 ## is_orig: True if event is raised for originator side of the connection.
 ##
-## content_type: message type as reported by TLS session layer.
+## content_type: message type as reported by TLS session layer. Not populated for
+##               SSLv2.
 ##
-## length: length of the entire heartbeat message.
+## record_version: TLS version given in the record layer of the message.
+##                 This will not be set for SSLv2.
+##
+## length: length of the entire message.
 ##
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_heartbeat
-event ssl_application_data%(c: connection, is_orig: bool, length: count%);
+event ssl_plaintext_data%(c: connection, is_orig: bool, content_type: count, record_version: count, length: count%);
 
 ## Generated for SSL/TLS messages that are sent after session encryption
 ## started.
@@ -337,12 +343,12 @@ event ssl_application_data%(c: connection, is_orig: bool, length: count%);
 ## is_orig: True if event is raised for originator side of the connection.
 ##
 ## content_type: message type as reported by TLS session layer. Not populated for
-##               SSLv2
+##               SSLv2.
 ##
 ## record_version: TLS version given in the record layer of the message.
-##                 this will not be set for SSLv2.
+##                 This will not be set for SSLv2.
 ##
-## length: length of the entire heartbeat message.
+## length: length of the entire message.
 ##
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_heartbeat

src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac

@@ -61,10 +61,11 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
-	function proc_application_record(rec : SSLRecord) : bool
+	function proc_plaintext_record(rec : SSLRecord) : bool
 		%{
-		BifEvent::generate_ssl_application_data(bro_analyzer(),
+		if ( ssl_plaintext_data )
-			bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.length});
+			BifEvent::generate_ssl_plaintext_data(bro_analyzer(),
+				bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.raw_tls_version}, ${rec.length});
 
 		return true;
 		%}
@@ -116,8 +117,8 @@ refine typeattr CiphertextRecord += &let {
 	proc : bool = $context.connection.proc_ciphertext_record(rec);
 }
 
-refine typeattr ApplicationData += &let {
+refine typeattr PlaintextRecord += &let {
-	proc : bool = $context.connection.proc_application_record(rec);
+	proc : bool = $context.connection.proc_plaintext_record(rec);
 }
 
 refine typeattr ChangeCipherSpec += &let {

testing/btest/Baseline/scripts.base.protocols.ssl.handshake-events/.stdout

@@ -1,15 +1,24 @@
 Handshake, 192.168.1.105, 74.125.224.79, T, 1, 169
+Plaintext data, 192.168.1.105, 74.125.224.79, T, TLSv10, 22, 173
 Handshake, 192.168.1.105, 74.125.224.79, F, 2, 81
+Plaintext data, 192.168.1.105, 74.125.224.79, F, TLSv10, 22, 85
 Handshake, 192.168.1.105, 74.125.224.79, F, 11, 1620
+Plaintext data, 192.168.1.105, 74.125.224.79, F, TLSv10, 22, 1624
 Handshake, 192.168.1.105, 74.125.224.79, F, 12, 199
+Plaintext data, 192.168.1.105, 74.125.224.79, F, TLSv10, 22, 203
 Handshake, 192.168.1.105, 74.125.224.79, F, 14, 0
+Plaintext data, 192.168.1.105, 74.125.224.79, F, TLSv10, 22, 4
 Handshake, 192.168.1.105, 74.125.224.79, T, 16, 66
+Plaintext data, 192.168.1.105, 74.125.224.79, T, TLSv10, 22, 70
 CCS, 192.168.1.105, 74.125.224.79, T
+Plaintext data, 192.168.1.105, 74.125.224.79, T, TLSv10, 20, 1
 Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 22, 72
 Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 48
 Encrypted data, 192.168.1.105, 74.125.224.79, T, TLSv10, 23, 387
 Handshake, 192.168.1.105, 74.125.224.79, F, 4, 170
+Plaintext data, 192.168.1.105, 74.125.224.79, F, TLSv10, 22, 174
 CCS, 192.168.1.105, 74.125.224.79, F
+Plaintext data, 192.168.1.105, 74.125.224.79, F, TLSv10, 20, 1
 Established, 192.168.1.105, 74.125.224.79
 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 22, 36
 Encrypted data, 192.168.1.105, 74.125.224.79, F, TLSv10, 23, 40

testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log

@@ -167,6 +167,7 @@
 1437831799.611764 protocol_confirmation
 1437831799.611764 ssl_client_hello
 1437831799.611764 ssl_handshake_message
+1437831799.611764 ssl_plaintext_data
 1437831799.764576 ssl_extension
 1437831799.764576 ssl_server_hello
 1437831799.764576 ssl_handshake_message
@@ -203,9 +204,13 @@
 1437831799.764576 file_state_remove
 1437831799.764576 ssl_handshake_message
 1437831799.764576 ssl_handshake_message
+1437831799.764576 ssl_plaintext_data
 1437831799.838196 ssl_handshake_message
+1437831799.838196 ssl_plaintext_data
 1437831799.838197 ssl_change_cipher_spec
+1437831799.838197 ssl_plaintext_data
 1437831800.045701 ssl_change_cipher_spec
+1437831800.045701 ssl_plaintext_data
 1437831800.045701 ssl_established
 1437831800.217854 net_done
 1437831800.217854 filter_change_tracking

testing/btest/scripts/base/protocols/ssl/handshake-events.test

@@ -22,6 +22,11 @@ event ssl_change_cipher_spec(c: connection, is_orig: bool)
 	print "CCS", c$id$orig_h, c$id$resp_h, is_orig;
 	}
 
+event ssl_plaintext_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
+	{
+	print "Plaintext data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;
+	}
+
 event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, record_version: count, length: count)
 	{
 	print "Encrypted data", c$id$orig_h, c$id$resp_h, is_orig, SSL::version_strings[record_version], content_type, length;