From f0b244b8b0a3525c38469985557029ebf14139fb Mon Sep 17 00:00:00 2001 From: Bernhard Amann Date: Wed, 14 May 2014 15:42:27 -0700 Subject: [PATCH] Add new features from other branch to the heartbleed-detector (and clean them up). We should now quite reliably detect scans/attacks, even when encrypted and not succesful. --- scripts/policy/protocols/ssl/heartbleed.bro | 151 ++++++++++++++++-- src/analyzer/protocol/ssl/ssl-analyzer.pac | 2 +- .../notice-encrypted-short.log | 12 ++ .../notice-encrypted-success.log | 12 ++ .../notice-encrypted.log | 6 +- .../notice-heartbleed-success.log | 8 +- .../tls/heartbleed-encrypted-short.pcap | Bin 0 -> 4294 bytes .../Traces/tls/heartbleed-encrypted.pcap | Bin 0 -> 6117 bytes .../policy/protocols/ssl/heartbleed.bro | 10 +- 9 files changed, 179 insertions(+), 22 deletions(-) create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log create mode 100644 testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log create mode 100644 testing/btest/Traces/tls/heartbleed-encrypted-short.pcap create mode 100644 testing/btest/Traces/tls/heartbleed-encrypted.pcap
diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro
index 5c5333a7a2..63fc2e72c9 100644
--- a/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/scripts/policy/protocols/ssl/heartbleed.bro
@@ -7,11 +7,11 @@ module Heartbleed;
 export {
 redef enum Notice::Type += {
- ## Indicates that a host performing a heartbleed attack.
+ ## Indicates that a host performing a heartbleed attack or scan.
 SSL_Heartbeat_Attack,
 ## Indicates that a host performing a heartbleed attack was probably successful.
 SSL_Heartbeat_Attack_Success,
- ## Indicates we saw heartbeat requests with odd length. Probably an attack.
+ ## Indicates we saw heartbeat requests with odd length. Probably an attack or scan.
 SSL_Heartbeat_Odd_Length,
 ## Indicates we saw many heartbeat requests without an reply. Might be an attack.
 SSL_Heartbeat_Many_Requests
@@ -25,14 +25,76 @@ redef SSL::disable_analyzer_after_detection=F;
 redef record SSL::Info += {
 last_originator_heartbeat_request_size: count &optional;
 last_responder_heartbeat_request_size: count &optional;
+
 originator_heartbeats: count &default=0;
 responder_heartbeats: count &default=0;
+ # Unencrypted connections - was an exploit attempt detected yet.
 heartbleed_detected: bool &default=F;
- };
+
+ # Count number of appdata packages and bytes exchanged so far.
+ enc_appdata_packages: count &default=0;
+ enc_appdata_bytes: count &default=0;
+};
+
+# TLS content types:
+const CHANGE_CIPHER_SPEC = 20;
+const ALERT = 21;
+const HANDSHAKE = 22;
+const APPLICATION_DATA = 23;
+const HEARTBEAT = 24;
+const V2_ERROR = 300;
+const V2_CLIENT_HELLO = 301;
+const V2_CLIENT_MASTER_KEY = 302;
+const V2_SERVER_HELLO = 304;
+
+type min_length: record {
+ cipher: pattern;
+ min_length: count;
+};
+
+global min_lengths: vector of min_length = vector();
+global min_lengths_tls11: vector of min_length = vector();
+
+event bro_init()
+ {
+ # Minimum length a heartbeat packet must have for different cipher suites.
+ # Note - tls 1.1f and 1.0 have different lengths :(
+ # This should be all cipher suites usually supported by vulnerable servers.
+ min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_AES_256_GCM_SHA384$/, $min_length=43];
+ min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_AES_128_GCM_SHA256$/, $min_length=43];
+ min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_256_CBC_SHA384$/, $min_length=96];
+ min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_256_CBC_SHA256$/, $min_length=80];
+ min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_256_CBC_SHA$/, $min_length=64];
+ min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_128_CBC_SHA256$/, $min_length=80];
+ min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_128_CBC_SHA$/, $min_length=64];
+ min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_3DES_EDE_CBC_SHA$/, $min_length=48];
+ min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_SEED_CBC_SHA$/, $min_length=64];
+ min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_IDEA_CBC_SHA$/, $min_length=48];
+ min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_DES_CBC_SHA$/, $min_length=48];
+ min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_DES40_CBC_SHA$/, $min_length=48];
+ min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC4_128_SHA$/, $min_length=39];
+ min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC4_128_MD5$/, $min_length=35];
+ min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC4_40_MD5$/, $min_length=35];
+ min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC2_CBC_40_MD5$/, $min_length=48];
+ min_lengths[|min_lengths|] = [$cipher=/_256_CBC_SHA$/, $min_length=48];
+ min_lengths[|min_lengths|] = [$cipher=/_128_CBC_SHA$/, $min_length=48];
+ min_lengths[|min_lengths|] = [$cipher=/_3DES_EDE_CBC_SHA$/, $min_length=40];
+ min_lengths[|min_lengths|] = [$cipher=/_SEED_CBC_SHA$/, $min_length=48];
+ min_lengths[|min_lengths|] = [$cipher=/_IDEA_CBC_SHA$/, $min_length=40];
+ min_lengths[|min_lengths|] = [$cipher=/_DES_CBC_SHA$/, $min_length=40];
+ min_lengths[|min_lengths|] = [$cipher=/_DES40_CBC_SHA$/, $min_length=40];
+ min_lengths[|min_lengths|] = [$cipher=/_RC4_128_SHA$/, $min_length=39];
+ min_lengths[|min_lengths|] = [$cipher=/_RC4_128_MD5$/, $min_length=35];
+ min_lengths[|min_lengths|] = [$cipher=/_RC4_40_MD5$/, $min_length=35];
+ min_lengths[|min_lengths|] = [$cipher=/_RC2_CBC_40_MD5$/, $min_length=40];
+ }
 event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
 {
+ if ( ! c?$ssl )
+ return;
+
 if ( heartbeat_type == 1 )
 {
 local checklength: count = (length<(3+16)) ? length : (length - 3 - 16);
@@ -40,18 +102,27 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
 if ( payload_length > checklength )
 {
 c$ssl$heartbleed_detected = T;
- NOTICE([$note=SSL_Heartbeat_Attack,
- $msg=fmt("An TLS heartbleed attack was detected! Record length %d, payload length %d", length, payload_length),
+ NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack,
+ $msg=fmt("An TLS heartbleed attack was detected! Record length %d. Payload length %d", length, payload_length),
 $conn=c,
 $identifier=cat(c$uid, length, payload_length)
 ]);
 }
+ else if ( is_orig )
+ {
+ NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack,
+ $msg=fmt("Heartbeat request before encryption. Probable Scan without exploit attempt. Message length: %d. Payload length: %d", length, payload_length),
+ $conn=c,
+ $n=length,
+ $identifier=cat(c$uid, length)
+ ]);
+ }
 }
 if ( heartbeat_type == 2 && c$ssl$heartbleed_detected )
 {
- NOTICE([$note=SSL_Heartbeat_Attack_Success,
- $msg=fmt("An TLS heartbleed attack detected before was probably exploited. Transmitted payload length in first packet: %d", payload_length),
+ NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack_Success,
+ $msg=fmt("An TLS heartbleed attack detected before was probably exploited. Message length: %d. Payload length: %d", length, payload_length),
 $conn=c,
 $identifier=c$uid
 ]);
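Review bot: `type min_length` and the `min_lengths`/`min_lengths_tls11` globals carry no `##` doc comments, so generated docs will not say what the numbers are or that `$cipher` is matched as a regex against the negotiated cipher-suite name; the values are consistent with 3 header bytes + 16 padding bytes + MAC, rounded up to the cipher's block size, plus an explicit IV on TLS 1.1+, which is worth stating rather than leaving readers to reverse it. Suggested: `## Minimum length of an encrypted heartbeat record for cipher suites whose name matches $cipher.` on the record and `## Per-suite minimums for SSLv3/TLS 1.0 and for TLS 1.1/1.2; consulted in order, first match wins.` on the two globals. If operators are expected to add suites the list does not cover, declaring the tables `const ... &redef` would make that contract explicit. The comment `tls 1.1f and 1.0` looks like a typo for `tls 1.1+ and 1.0`. `ssl_heartbeat`'s body continues in the next hunk.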
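Review bot: The new `else if ( is_orig )` scan notice sets `$n=length`, but the attack notice right above it (and the success notice below) still omit `$n`, so consumers get a length for scans and `-` for actual exploit attempts, as the notice-heartbleed-success.log baseline in this patch shows; add `$n=length,` to both for consistency. The rewritten messages also keep "An TLS heartbleed attack"; `A TLS heartbleed attack ...` is the correct article. The scan branch is silent on heartbeats the responder sends before encryption — if that is deliberate, a one-line comment such as `# Only the client side is flagged here; server heartbeats before CCS are ignored.` would stop the next reader from adding it. `ssl_heartbeat`'s closing brace is outside the hunk.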
@@ -65,9 +136,26 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 else
 ++c$ssl$responder_heartbeats;
+ local duration = network_time() - c$start_time;
+
+ if ( c$ssl$enc_appdata_packages == 0 )
+ NOTICE([$note=SSL_Heartbeat_Attack,
+ $msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_orig: %d", length, is_orig),
+ $conn=c,
+ $n=length,
+ $identifier=fmt("%s%s", c$uid, "early")
+ ]);
+ else if ( duration < 1min )
+ NOTICE([$note=SSL_Heartbeat_Attack,
+ $msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_orig: %d, time: %d", length, is_orig, duration),
+ $conn=c,
+ $n=length,
+ $identifier=fmt("%s%s", c$uid, "early")
+ ]);
+
 if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
 NOTICE([$note=SSL_Heartbeat_Many_Requests,
- $msg=fmt("Seeing more than 3 heartbeat requests without replies from server. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
+ $msg=fmt("More than 3 heartbeat requests without replies from server. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
 $conn=c,
 $n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
 $identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
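Review bot: `time: %d` in the "Heartbeat within first minute" message formats the interval `duration` as an integer, while the two later hunks print the same value with `Time: %f`; use `%f` here too so the log fields are comparable across notices. The two early-heartbeat notices share `$identifier=fmt("%s%s", c$uid, "early")`, so at most one of them is raised per connection within the suppression window — that looks intended but deserves a comment, e.g. `# Same identifier on purpose: raise a single "early heartbeat" notice per connection.` The one-minute threshold is measured from `c$start_time`, i.e. connection start rather than handshake completion, and may fire on clients that legitimately heartbeat right after a fast handshake; a `const ... &redef` interval would let sites tune it instead of editing the script. `ssl_encrypted_heartbeat` starts outside the hunk.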
@@ -75,7 +163,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 if ( c$ssl$responder_heartbeats > c$ssl$originator_heartbeats + 3 )
 NOTICE([$note=SSL_Heartbeat_Many_Requests,
- $msg=fmt("Server is sending more heartbleed responsed than requests were seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
+ $msg=fmt("Server sending more heartbeat responses than requests seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
 $conn=c,
 $n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
 $identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
@@ -83,12 +171,38 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 if ( is_orig && length < 19 )
 NOTICE([$note=SSL_Heartbeat_Odd_Length,
- $msg=fmt("Heartbeat message smaller than minimum required length. Probable attack. Message length: %d", length),
+ $msg=fmt("Heartbeat message smaller than minimum required length. Probable attack or scan. Message length: %d. Cipher: %s. Time: %f", length, c$ssl$cipher, duration),
 $conn=c,
 $n=length,
- $identifier=cat(c$uid, length)
+ $identifier=fmt("%s-weak-%d", c$uid, length)
 ]);
+ # Examine request lengths based on used cipher...
+ local min_length_choice: vector of min_length;
+ if ( (c$ssl$version == "TLSv11") || (c$ssl$version == "TLSv12") ) # tls 1.1+ have different lengths for CBC
+ min_length_choice = min_lengths_tls11;
+ else
+ min_length_choice = min_lengths;
+
+ for ( i in min_length_choice )
+ {
+ if ( min_length_choice[i]$cipher in c$ssl$cipher )
+ {
+ if ( length < min_length_choice[i]$min_length )
+ {
+ NOTICE([$note=SSL_Heartbeat_Odd_Length,
+ $msg=fmt("Heartbeat message smaller than minimum required length. Probable attack. Message length: %d. Required length: %d. Cipher: %s. Cipher match: %s", length, min_length_choice[i]$min_length, c$ssl$cipher, min_length_choice[i]$cipher),
+ $conn=c,
+ $n=length,
+ $identifier=fmt("%s-weak-%d", c$uid, length)
+ ]);
+ }
+
+ break;
+ }
+
+ }
+
 if ( is_orig )
 {
 if ( c$ssl?$last_responder_heartbeat_request_size )
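Review bot: The new cipher-based check reads `c$ssl$version` and `c$ssl$cipher` (the latter also in the `Cipher: %s` argument added to the `length < 19` notice) without testing that they are set; both fields are `&optional` in `SSL::Info` as far as I recall, so an encrypted heartbeat on a connection whose ServerHello was never seen (capture started mid-stream, analyzer attached late) makes the access fail at runtime and aborts the handler before the request/response size tracking further down ever runs. Wrap the cipher-dependent section in a presence check as below, and give the `length < 19` notice a fallback such as `c$ssl?$cipher ? c$ssl$cipher : "unknown"` for its cipher argument. A suite that matches no table entry is silently skipped by the loop, which is worth a comment so nobody mistakes the silence for "length verified". `ssl_encrypted_heartbeat` starts and ends outside the hunk.
```bro
	# SSL::Info$version and $cipher are &optional; skip the cipher-specific
	# checks when the handshake was not observed instead of aborting the handler.
	if ( c$ssl?$cipher && c$ssl?$version )
		{
		# Examine request lengths based on used cipher...
		local min_length_choice: vector of min_length;
		if ( (c$ssl$version == "TLSv11") || (c$ssl$version == "TLSv12") ) # tls 1.1+ have different lengths for CBC
			min_length_choice = min_lengths_tls11;
		else
			min_length_choice = min_lengths;

		# … unchanged: loop over min_length_choice; a suite matching no entry is not checked …
		}
```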
@@ -105,8 +219,8 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size < length )
 {
 NOTICE([$note=SSL_Heartbeat_Attack_Success,
- $msg=fmt("An Encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d",
- c$ssl$last_originator_heartbeat_request_size, length),
+ $msg=fmt("An encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d. Time: %f",
+ c$ssl$last_originator_heartbeat_request_size, length, duration),
 $conn=c,
 $identifier=c$uid # only throw once per connection
 ]);
@@ -119,3 +233,14 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
 delete c$ssl$last_originator_heartbeat_request_size;
 }
 }
+
+event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
+ {
+ if ( content_type == HEARTBEAT )
+ event ssl_encrypted_heartbeat(c, is_orig, length);
+ else if ( (content_type == APPLICATION_DATA) && (length > 0) )
+ {
+ ++c$ssl$enc_appdata_packages;
+ c$ssl$enc_appdata_bytes += length;
+ }
+ }
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 8d62245f6b..2c242eb4cb 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -366,7 +366,7 @@ refine connection SSL_Conn += {
 }
 BifEvent::generate_ssl_encrypted_data(bro_analyzer(),
- bro_analyzer()->Conn(), ${rec.content_type}, ${rec.is_orig}, ${rec.length});
+ bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.length});
 return true;
 %}
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log new file mode 100644
index 0000000000..a3812210d1
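Review bot: The new `ssl_encrypted_data` handler dereferences `c$ssl` on every application-data record without the `if ( ! c?$ssl ) return;` guard this same commit adds to `ssl_heartbeat`; if the event can reach this handler before the base SSL scripts have populated `c$ssl` (the base scripts are not in this diff, so I cannot confirm they handle this event), the access fails at runtime, so add `if ( ! c?$ssl ) return;` as the first statement. The re-raised `event ssl_encrypted_heartbeat(c, is_orig, length);` is queued rather than run inline as far as I recall, so it executes after this handler returns; harmless here, but a short comment would save the next reader from wondering about ordering against `enc_appdata_packages`, which that handler reads. The handler also has no `##` comment explaining that it is the bridge that turns encrypted records into heartbeat tracking and application-data counting.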
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path notice
+#open 2014-05-14-22-40-47
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
+#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
+1398954957.074664 CXWv6p3arKYeMETxOg 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 162.219.2.166 4443 32 bro Notice::ACTION_LOG 3600.000000 F - - - - -
+1398954957.074664 CXWv6p3arKYeMETxOg 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 162.219.2.166 4443 32 bro Notice::ACTION_LOG 3600.000000 F - - - - -
+1398954957.145535 CXWv6p3arKYeMETxOg 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 48. Time: 0.351035 - 192.168.4.149 162.219.2.166 4443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
+#close 2014-05-14-22-40-47
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log new file mode 100644
index 0000000000..95960e7e5c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path notice
+#open 2014-05-14-22-40-36
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
+#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
+1397169549.882425 CXWv6p3arKYeMETxOg 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 107.170.241.107 443 32 bro Notice::ACTION_LOG 3600.000000 F - - - - -
+1397169549.882425 CXWv6p3arKYeMETxOg 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 107.170.241.107 443 32 bro Notice::ACTION_LOG 3600.000000 F - - - - -
+1397169549.895057 CXWv6p3arKYeMETxOg 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416. Time: 0.035413 - 192.168.4.149 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
+#close 2014-05-14-22-40-37
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
index dfe9dcec74..db96ffeeaf 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path notice
-#open 2014-04-30-19-34-39
+#open 2014-05-14-22-40-26
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
 #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
-1397169549.895057 CXWv6p3arKYeMETxOg 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An Encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416 - 192.168.4.149 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
-#close 2014-04-30-19-34-39
+1400106542.810248 CXWv6p3arKYeMETxOg 54.221.166.250 56323 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 86, is_orig: 1 - 54.221.166.250 162.219.2.166 443 86 bro Notice::ACTION_LOG 3600.000000 F - - - - -
+#close 2014-05-14-22-40-27
diff --git a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log
index 9722e20655..d96ddd42e1 100644
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log
@@ -3,9 +3,9 @@
 #empty_field (empty)
 #unset_field -
 #path notice
-#open 2014-04-24-18-30-54
+#open 2014-05-14-22-40-19
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
 #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
-1396976220.863714 CXWv6p3arKYeMETxOg 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 16368, payload length 16365 - 173.203.79.216 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
-1396976220.918017 CXWv6p3arKYeMETxOg 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An TLS heartbleed attack detected before was probably exploited. Transmitted payload length in first packet: 16365 - 173.203.79.216 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
-#close 2014-04-24-18-30-54
+1396976220.863714 CXWv6p3arKYeMETxOg 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 16368. Payload length 16365 - 173.203.79.216 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
+1396976220.918017 CXWv6p3arKYeMETxOg 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An TLS heartbleed attack detected before was probably exploited. Message length: 16384. Payload length: 16365 - 173.203.79.216 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
+#close 2014-05-14-22-40-19
diff --git a/testing/btest/Traces/tls/heartbleed-encrypted-short.pcap b/testing/btest/Traces/tls/heartbleed-encrypted-short.pcap new file mode 100644 index 0000000000000000000000000000000000000000..91942d52bb89b4d0fcc4f3be706f2a78d48cd34c GIT binary patch literal 4294 zcmaKv3p~_W8^_OoW(?!bAi4FATw?H_8rM`4$|dbumr7fkF$NQ6G&7P~xfF|a>7t8W zZz;V(HY&B2t!BGQ+EltQ(pIdNEqW`qMc#8*a%uDVJfDwq=A7^IoagzSXU;TTI(3)? zC}8Ywco+Z-4jR4;@!v5^8GHu+M+VH&JF}BZ@G#H%FBHI10N6)vumPJ2fV70N_lS&C ze79NS%Z?2XZ==PPq~YNWuK*xX7W8!Ar;xQ zxLLB@AC3DCq&p_5<5n9wUAnM{)k=G{^b;uZa z3`sIFwyB%5wSZbH7@EDvU0M6cOrHdMa^F>(_7!u?t)BL2rUDQl)siYojis}J6L19S z;2Wu$R1VmI9a2rHg495&4|D)ssv;!=MJZiMlg^SFf%#w__zvX5GPz4tr4(Qb_JJip zUaBFLmnut1Kn@mM8)yO=&;lAj0Z;)M43l6)UO)*@$N(b&MZkg(RiFZ9!Z~H23l}Rw zS2ISI%fpS@5F!U5bf^~+1gHUZ2s42RQiJ(JSsVIXb-WJKD$KHYiz<9peM*HLJ2o_* zO;VRXAUZLcHCTh2G|6I0NT8HkByXYSD*?mEr$JOyG?ZTM-e}!5OO2o{Y)g z{582W>-ECiVek2;4jvCKjLUJKv%+=z)>ZF?*}o3#1u*kKbr?f;W9*1< z!L%bB?HpK6Yv7QDhV$kzotXA(h|eZO8|cr}C3Hp|sl~;`*+lW9IB~oviA^YvX-b%k zAC!ja=)?%cl4yPNLxoBr6AS{j~R z)}Ct35ANQ!pxg0pza4GhL5<_C)U5BHSli_V==hwt!4x^_o;On{*nG`u^^HI2MV)nY z=FsKAG>>bqaSgLJU+&3;18WjfWZ*AyvqwJ_>KB5xhD&e={Y z#fG+ie)IQtvHM$sGVT1D%3?d#yHd^D4c(5WU*<(6=qsG#bsG<#zUt%q`~i_Yclpg# z%gGn417-PJpJ-kGvAU_bZeZQP40Ah4%}ITmzFL3!e+%NBE8F8pP>xtp3h4=vLV7f! 
z6GJ+ML;ykw=G{<@LLrmLB?KJ}OexBQB2~ePipj~zlQF^&O{!9KC|VV%{M9tt?8lGf z-q&BL3tf7k_|hF>7W&wP0xOuL)$Ph^JWzT3&>Q_oh5m+6n;uohQoSs5c?aI}D`1S6tg$!8oe5*bcd5;kK&k}w_P2#F-d z+13`xM~nn77Dw4|h0(S#!YDpB-XJv;`@kmFo<#Gtu z@vWpZ`+v4__?*c*QHsU3aKFvyew)$#He3!2NCH~{JclO5fY3|R{kMWoYy+?{!Zv^b zE$0P7+pM;F!$X@wxHmF<4{dF}Q~WFtH`)_|IzMW>7h$hPHnsDUsx10Z=Rch@x$|>> z8~HBLl|SIUWpd{ansbq+>iTZK-?5%Ig7UV6bZVbVf#BA$x^;f~6_KPTih^xTUl{p` z9UlGV9_em7_i$1Dz9+DLJK z_k)v(|H*v#qU*`;KRp)P>s5FfM!(comzHYPy6*a`hTEpSFe;h}zn`#dWq@S>cFSrP zo#s^IjK=ngSfNk-?nlcz=2ue&)L!KE6lA)SU#wc@dzYUtoBLpsdE}A1O`1=2-#ju> z@acO97Jcm@c|IS#2-wv@rZZ1awd`NaQK?{MmCNd%8@|-L%XV?~Yq^pMJQ}p6oiv4} zXURveHQrOkho4{WFZU=K;J##S*|}`(CS4s2q*^p(AM0Q3^7Z08!C;MPpQ^+tJLd-j zJhk2ZHR+xab-)_-MSSdExn5JM-JYGgtdIx%h4M6*6e0Gu|o} z54gVk-~0FG{yzb$Oj*@)#t!+Ic|rl%^3go;KlRAf`%lz^3k zf9y@!eD-2*Sa6d1tkMau)MN04)QX5s@&MF97_w=^8i(Rf5Or}789Dw+EkQ&S>@sx} zAA23axOXxrc28WSlHZH^M=on)4&GPM^_1PLyUi9@q@M6&$lcF!yp`J&|191Aq(^4< zl7cu6E#Kto<_3i_f#a|=uNR`QVKPY3lOTqiLh{7B2LtlMiYeH-EVTSm}^EtWrc&zYNZpBmR$@had3d)bt8c7P zGAv)(>6PL-kX&H7KCbfGa6`smQgfX8?u2Tm$m$iDCDl?p9^J_FmqO0*y05CP?Y4Jf zI#*Hm5$# z%{Z5ea>p?KP>pFSV-+cVOl2)D7kk6Kp>AJI&}}bNSq~zXm|!3rN*38PVi5Q2Cx}S5 zisQN+A?m_v;P>8Xz1osipKI^kd5qMbP@F5n^(q3~cV=gl{}A~yJ`%Z2bR>Z|=n>ge z5dgl$-y``OQMoA&gR<&HZi(7^W`_tJ^-6}_?<*_yGQD)I zmk-G_zVCRyho`b4e3eC@w~29TH}}uu%rZ{?Xadl5SJ?nAXM^Ddz`AmfQ z9Q=?^wmk|35$`Pg6fwa06GROhOdvXp5vBg*@ffG2ie)h{asw5oq$&}nDkMom!6>X{ lJXLg>gzbQ06bF7FPCvE5;g7}`0#BU;f1^)~F#*O%|3901`|bb$ literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/tls/heartbleed-encrypted.pcap b/testing/btest/Traces/tls/heartbleed-encrypted.pcap new file mode 100644 index 0000000000000000000000000000000000000000..dc32d689a2b0fa0ead4dc35f431e7a651c4786ce GIT binary patch literal 6117 zcmd6rc{tQt{KvoFnK8D(Sh6N#=_b|qP7NutWQovX3ZXQ{U^0eg2B~BxWJ&6_$`Vr1 zrgB?c)lDUYZWJLTOI=zi6~FTxaV^z-e$Vs!<2TQ9o}AM;uk-$V&N-jY`JTUTU&z8h zIB4uQG6F#`sF3@3v}d~F&`R((TA($K@f-_ihJt=PO9ZlnAS2>{DKrQFr=Nav-cWWE zChr**zSeWG`zhKv6T>C$NQWQ{PN*1%5fLNDe$qwTVJub{B`YBl$j~MTju_>Sk|D?x zGR0qEpj4C&UwejasST9`^u|mXgVdF@T|E8u2di6G|+7{zIZ7)Ok;OGEp82L&?Cw z30UkC0nKQY3mKTdb=QBw(mN$pR@unCc`eKlWR`*ig^Da%gdj^6E}`hTfT|v-Qjo4!93(*+2R1}t<;mPCxk)D2jbQar`&Sm&>$(~Fk64sdL5m*Sq zM#54MXcxmo!Z1{{+~D`ucd!TAyq_&vr(W@U{+yY2vPDn!$J69!E0>16c_~_)lmW|_ zxG(aL>n_r&^Rbd{y;&^n{p?cda_ZeptAjKK>o4fQ#z$Y&4$N$KI{LAC@u8!ES;vM< zb`RwsVK)1nA2s)Wo&8*8?LPVXi0$@CoTS8bW1n13eDKr38($X&p{d1XKx+kt8xX-=mw5ji_oB_=ffA6g4roVA+`D&7koVRw12+wRj%8?At6-m~%Hl8xgop#bt4iU(0mPm}WYNlO903u- zi_F8rLPEk=7*RzVC2{gNxp!?r+Y1ZAJmwp>uV|BoBjq=79T7G3zcq1+hC z1B03&UL0t`!4a1hgIEC?bP)2GObjfq;lt+#EY;OTqYn?=@;n}!%<%Wq4e)2P7$M{U zPcI~5aC`s;iReY<$dmrv*yH=3<xU1>uKosR;!%&mbeF4K?6;qyrTUV?7_&TU2- zRXHE@W3%WS29xB^VTX{s{JDajEO5#=o?xngKyH9Pk4a*2NWiv$vA&}`Fg65L5df?Y zA^Cf-S>A%ld1OQn^{X0=jLb)LGPN^*i`Dw>E(Vu9*4Nd( z(edQb@ni-a2;w7}s2wu6nTT?%;?EX*Vjuva5d;Dla`kSKJGd@qKkX{nOQk?xOR+L!Fl@k*a=5N5kMo9q!zH*7i_bf(&|{bghL3RR7ZDe8re_In=5T+a>? 
zv!*Gw6s+ExC6w^B#5CDrb>s78LbnUA-1s*8YS@9(#pQLXwyiJvuI)EdOm|F^u-v`C zX60ZmV)e(O1z3aohZ$!G&5P;tTyNd~^G%b+ky}I7n8U(Xd@*|IxLI@8bwS4*cK*XO zi8S$ksz-E0$Isv?rd-m%3;@r8n_>&H|GZvb)#6^X>n9L*uH;zTzI zfeaElAte7_C6Kwu9I#*@f&BM50~rG(2V^02A)-g6EJicN#OnXI1ovMF=W=}cnSN1+ zZNg{L7&RX(6cwYx9o6<0wZ#oBTvPmL1^&%TVfO$@;-G3-HBp}$<06%ICaV05vxCW1 zgYK_g`C9F!c_Kk&X`BolKYJ4nog~(@p`|XAanaancu0M%VnY>@_m42gFd(k@^U$ll zNFyQtw80b4#E@D0c*DXK4esH`G@KoZ@QsOanyhm#be{A^)!lf%wJE?wTk5QfL4c)< z31VMmcvhiP>Op3~M(b1O>1!TPtBl-ki+2;t_8fVG#d-{1U>kEK`(~Q!+_#o=TJje~ z{T}h={J7zD`yJFAj3_ck!n(>bb2mJ0PceS;_+(o{0Hxrsix1EG(RA@2^1mk>xDW*D z0z?Wuwz4ohf)hfp;2%U1ZID76(5oMQLX!Dm4w;x_R*Cm3pD=aJRba&-6;vPd8ndEz zh}T$b0ddL&aR%G&djbPtO68|v3IwGE;~g=v>OYGpJTKn&_~VM|R>Q4B9FRGgvokgS zdklL@$7um~3=X1gI7%nsLXco2aALND5wHJsuA`0_26ChJ&kRHJ%Gm8qkRd1BDnU%Z zMuI!Kx~PqD?rzR=@kHxJihatUqf>UNx$vcxK{(i zKD#Zry>-IntaCTB68jZw8tCUOt=$bt>OHO(DnB&zP(F&!pc`&a?|Aj}dRThVmJSb( z11CLqmc+e3v~X8iwnOQ)Pt1q+-yvTUZ{Er~(BK~5=0*+wn6g4xw|MWL=d*XY+q%@a z9@mN$TI<5XGRqq~Zm)Ib-b+WYfbOdwfaq8#VemtY_{hOV%ygX5Ml6|xKR&;|;)zzgJtfX5) z3Ws~MW6X+UPyCjb7_M?Td!I)qT>egC{qGh^`ws0D|GW+#bXziMk#dFR-LHmL&%YEX zxK%v88Q-~0W_4RMB3-(wt5sU&^!>NpYKsrY)Qavd$=B-7$u<71F}yuhRe9(2SRuW8 zc4u7L)9FZ^ZfeNO8~a%J{T~^0;mYBKu1mW)mKxiQLuC+!dvRHX<+c}MJSi`~l^o6A zYl0YFp0$gw)N-%%@1CvO4^jxbqU_EK2e+Xgq&P|N5s99pp3f7$o~J&PP>G)fj}F|) zPXs-FEwzzXz@x(#%j=^j34G@ofiLJNl!zVrC2>eV+&Z1O+dZ5JKB~S=CyM-<_(ebr zm`+S|0z_@2{^`UZ5dxG1Jb;#I4>yR^;I zBOxclWA&ZWSzGY0+lz=uPCg}Pq-sHJMGW~<98IfpO=s@0Cvn-EubVt=#&!kyU4!w( zS2QXV2!RI%`KSY9fH-TQ3oX;cEhT;vi1V2uuB4?Fm&6ptnJTC~3>*tKHlgl1sEUu>gvfe8&iFo8MQ1m|7k*e?{6sNw!g;(h_K{)a^Ai4TbX5}y_R z(kZaODYjFb!URr9ME3-pHMS?d=&OEn-ZjxF*piW?x6~ubdXI(T>Ms;Pchgf*6F!0o z^?}dOGVLU2S1X|=^lY4BLL%CC4R}9);R``1Wf)M#T{|roNMi)DSyN<33uH^f+ImHk TWuru)qF?G#7U**Om9GB*i_(ve literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/policy/protocols/ssl/heartbleed.bro b/testing/btest/scripts/policy/protocols/ssl/heartbleed.bro index 4a980bb895..52137adbd0 100644 
--- a/testing/btest/scripts/policy/protocols/ssl/heartbleed.bro
+++ b/testing/btest/scripts/policy/protocols/ssl/heartbleed.bro
@@ -6,8 +6,16 @@
 # @TEST-EXEC: mv notice.log notice-heartbleed-success.log
 # @TEST-EXEC: btest-diff notice-heartbleed-success.log
-# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-encrypted-success.pcap %INPUT
+# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-encrypted.pcap %INPUT
 # @TEST-EXEC: mv notice.log notice-encrypted.log
 # @TEST-EXEC: btest-diff notice-encrypted.log
+# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-encrypted-success.pcap %INPUT
+# @TEST-EXEC: mv notice.log notice-encrypted-success.log
+# @TEST-EXEC: btest-diff notice-encrypted-success.log
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-encrypted-short.pcap %INPUT
+# @TEST-EXEC: mv notice.log notice-encrypted-short.log
+# @TEST-EXEC: btest-diff notice-encrypted-short.log
+
 @load protocols/ssl/heartbleed