Throw new event for heartbeat messages.

Not tested.

src/analyzer/protocol/ssl/events.bif

@@ -138,3 +138,5 @@ event ssl_alert%(c: connection, is_orig: bool, level: count, desc: count%);
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert
 event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count, ticket: string%);
+
+event ssl_heartbeat%(c: connection, length: count%);

src/analyzer/protocol/ssl/ssl-analyzer.pac

@@ -306,6 +306,10 @@ refine connection SSL_Conn += {
 
 	function proc_ciphertext_record(rec : SSLRecord) : bool
 		%{
+		if ( ${rec.content_type} == HEARTBEAT )
+			BifEvent::generate_ssl_heartbeat(bro_analyzer(),
+				bro_analyzer()->Conn(), ${rec.length});
+
 		if ( state_ == STATE_TRACK_LOST )
 			bro_analyzer()->ProtocolViolation(fmt("unexpected ciphertext record from %s in state %s",
 				orig_label(${rec.is_orig}).c_str(),
@@ -320,6 +324,15 @@ refine connection SSL_Conn += {
 
 		return true;
 		%}
+
+	function proc_heartbeat(rec : SSLRecord) : bool
+		%{
+		BifEvent::generate_ssl_heartbeat(bro_analyzer(),
+			bro_analyzer()->Conn(), ${rec.length});
+
+		return true;
+		%}
+
 };
 
 refine typeattr ChangeCipherSpec += &let {
@@ -339,6 +352,10 @@ refine typeattr ApplicationData += &let {
 	proc : bool = $context.connection.proc_application_data(rec);
 };
 
+refine typeattr Heartbeat += &let {
+	proc : bool = $context.connection.proc_heartbeat(rec);
+};
+
 refine typeattr ClientHello += &let {
 	proc : bool = $context.connection.proc_client_hello(rec, client_version,
 				gmt_unix_time, random_bytes,

src/analyzer/protocol/ssl/ssl-defs.pac

@@ -12,6 +12,7 @@ enum ContentType {
 	ALERT = 21,
 	HANDSHAKE = 22,
 	APPLICATION_DATA = 23,
+	HEARTBEAT = 24,
 	V2_ERROR = 300,
 	V2_CLIENT_HELLO = 301,
 	V2_CLIENT_MASTER_KEY = 302,

src/analyzer/protocol/ssl/ssl-protocol.pac

@@ -63,6 +63,7 @@ type PlaintextRecord(rec: SSLRecord) = case rec.content_type of {
 	CHANGE_CIPHER_SPEC	-> ch_cipher : ChangeCipherSpec(rec);
 	ALERT			-> alert : Alert(rec);
 	HANDSHAKE		-> handshake : Handshake(rec);
+	HEARTBEAT -> heartbeat: Heartbeat(rec);
 	APPLICATION_DATA	-> app_data : ApplicationData(rec);
 	V2_ERROR		-> v2_error : V2Error(rec);
 	V2_CLIENT_HELLO		-> v2_client_hello : V2ClientHello(rec);
@@ -225,6 +226,16 @@ type ApplicationData(rec: SSLRecord) = record {
 	data : bytestring &restofdata &transient;
 };
 
+######################################################################
+# V3 Heartbeat
+######################################################################
+
+# Heartbeats should basically always be encrypted, so we should not
+# reach this point.
+type Heartbeat(rec: SSLRecord) = record {
+	data : bytestring &restofdata &transient;
+};
+
 ######################################################################
 # Handshake Protocol (7.4.)
 ######################################################################