From ffd4711a41ba0e9ea0f8cfd3097aadbe68912eb4 Mon Sep 17 00:00:00 2001
From: Bernhard Amann
Date: Tue, 8 Apr 2014 07:41:08 -0700
Subject: [PATCH] Throw new event for heartbeat messages. Not tested.

---
 src/analyzer/protocol/ssl/events.bif       |  2 ++
 src/analyzer/protocol/ssl/ssl-analyzer.pac | 17 +++++++++++++++++
 src/analyzer/protocol/ssl/ssl-defs.pac     |  1 +
 src/analyzer/protocol/ssl/ssl-protocol.pac | 11 +++++++++++
 4 files changed, 31 insertions(+)

diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 054d9c672f..c85e911ee8 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -138,3 +138,5 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 ## .. bro:see:: ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert
 event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%);
+
+event ssl_heartbeat%(c: connection, length: count%);
diff --git a/src/analyzer/protocol/ssl/ssl-analyzer.pac b/src/analyzer/protocol/ssl/ssl-analyzer.pac
index 49104fa549..e6ea1628a1 100644
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@@ -306,6 +306,10 @@ refine connection SSL_Conn += {
 
 	function proc_ciphertext_record(rec : SSLRecord) : bool
 		%{
+		if ( ${rec.content_type} == HEARTBEAT )
+			BifEvent::generate_ssl_heartbeat(bro_analyzer(),
+				bro_analyzer()->Conn(), ${rec.length});
+
 		if ( state_ == STATE_TRACK_LOST )
 			bro_analyzer()->ProtocolViolation(fmt("unexpected ciphertext record from %s in state %s",
 				orig_label(${rec.is_orig}).c_str(),
@@ -320,6 +324,15 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 
+
+	function proc_heartbeat(rec : SSLRecord) : bool
+		%{
+		BifEvent::generate_ssl_heartbeat(bro_analyzer(),
+			bro_analyzer()->Conn(), ${rec.length});
+
+		return true;
+		%}
+
 };
 
 refine typeattr ChangeCipherSpec += &let {
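Review bot: The new `ssl_heartbeat` event passes only the record length, whereas `ssl_alert` on the hunk header line also passes `is_orig`; without the direction a script cannot tell a heartbeat request from the peer's answer, nor compare the two sizes, which is the first thing a consumer of this event will want to do. Declaring it as `event ssl_heartbeat%(c: connection, is_orig: bool, length: count%);` means both `generate_ssl_heartbeat` calls in ssl-analyzer.pac (in `proc_ciphertext_record` and in `proc_heartbeat`) would pass `${rec.is_orig}` as well, which that file already reads. The neighbouring events in this hunk carry a `##` doc block while the new one has none; a short block naming each parameter, stating that `length` is the length of the TLS record carrying the heartbeat rather than the heartbeat's own payload length, and listing the related events under `.. bro:see::` would match the file's convention.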
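Review bot: The value handed to the event in the new `if` at the top of `proc_ciphertext_record` is `${rec.length}`, the record-layer length of an encrypted record, so the heartbeat message's own payload_length field is not available on this path and a reader of the event's `length` parameter may assume it is; a comment above the call, `// Content is encrypted: only the record length is known here, not the heartbeat's payload_length.`, would make that explicit. The same generate call is repeated in `proc_heartbeat` in the next hunk, so routing this branch through that function (presumably `proc_heartbeat(rec);`, if binpac connection functions can be called from each other this way) would leave one place to extend when the event grows more arguments. The body of `proc_ciphertext_record` continues past the end of the hunk.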
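Review bot: `proc_heartbeat` is reached only for heartbeat records parsed as plaintext (the new `Heartbeat` type in ssl-protocol.pac hangs off `PlaintextRecord`, and its comment says this should basically never happen), yet it raises exactly the same event as the ciphertext path, so the unusual case is invisible at the script layer. Since a heartbeat that arrives in the clear is the one a defender wants flagged, this function should record it, either through an extra event parameter or a weird such as `bro_analyzer()->Weird("ssl_plaintext_heartbeat");` (name is a placeholder). A one-line comment on the function, `// Called for heartbeat records that were not encrypted.`, would also tell the next reader why two functions generate the same event.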
@@ -339,6 +352,10 @@ refine typeattr ApplicationData += &let {
 	proc : bool = $context.connection.proc_application_data(rec);
 };
 
+refine typeattr Heartbeat += &let {
+	proc : bool = $context.connection.proc_heartbeat(rec);
+};
+
 refine typeattr ClientHello += &let {
 	proc : bool = $context.connection.proc_client_hello(rec, client_version,
 				gmt_unix_time, random_bytes,
diff --git a/src/analyzer/protocol/ssl/ssl-defs.pac b/src/analyzer/protocol/ssl/ssl-defs.pac
index c35fc56e85..23fa7abce5 100644
--- a/src/analyzer/protocol/ssl/ssl-defs.pac
+++ b/src/analyzer/protocol/ssl/ssl-defs.pac
@@ -12,6 +12,7 @@ enum ContentType {
 	ALERT = 21,
 	HANDSHAKE = 22,
 	APPLICATION_DATA = 23,
+	HEARTBEAT = 24,
 	V2_ERROR = 300,
 	V2_CLIENT_HELLO = 301,
 	V2_CLIENT_MASTER_KEY = 302,
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 9368122eaa..c12130abf8 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -63,6 +63,7 @@ type PlaintextRecord(rec: SSLRecord) = case rec.content_type of {
 	CHANGE_CIPHER_SPEC -> ch_cipher : ChangeCipherSpec(rec);
 	ALERT -> alert : Alert(rec);
 	HANDSHAKE -> handshake : Handshake(rec);
+	HEARTBEAT -> heartbeat: Heartbeat(rec);
 	APPLICATION_DATA -> app_data : ApplicationData(rec);
 	V2_ERROR -> v2_error : V2Error(rec);
 	V2_CLIENT_HELLO -> v2_client_hello : V2ClientHello(rec);
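Review bot: The added case arm in `PlaintextRecord`, `HEARTBEAT -> heartbeat: Heartbeat(rec);`, drops the space before the colon that every other arm in the hunk uses. `HEARTBEAT -> heartbeat : Heartbeat(rec);` keeps the column layout consistent with its neighbours.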
@@ -225,6 +226,16 @@ type ApplicationData(rec: SSLRecord) = record {
 	data : bytestring &restofdata &transient;
 };
 
+######################################################################
+# V3 Heartbeat
+######################################################################
+
+# Heartbeats should basically always be encrypted, so we should not
+# reach this point.
+type Heartbeat(rec: SSLRecord) = record {
+	data : bytestring &restofdata &transient;
+};
+
 ######################################################################
 # Handshake Protocol (7.4.)
 ######################################################################
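Review bot: The new `Heartbeat` type throws the whole record away via `&restofdata &transient`, yet this type is only parsed when the heartbeat is in the clear, which is the one case in which the message's fixed header is readable: RFC 6520 lays it out as a one-byte message type followed by a two-byte payload_length, then payload and padding. Parsing those two fields ahead of `data`, `heartbeat_type : uint8;` and `payload_length : uint16;`, would let `proc_heartbeat` compare the announced payload_length with `${rec.length}`, which is the check a detector for malformed heartbeats needs and cannot perform on the encrypted path. The comment above the type would then better say what a plaintext heartbeat is than only that it should not occur.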