Add xmpp dpd sig and fix a few parsing problems for connections that do

not upgrade to TLS.
2025-10-02 14:48:21 +00:00 · 2015-07-21 13:20:35 -07:00 · 2015-07-21 13:20:35 -07:00 · 0b897c70da
commit 0b897c70da
parent 574bcb0a51
10 changed files with 49 additions and 5 deletions
--- a/scripts/base/protocols/xmpp/load.bro
+++ b/scripts/base/protocols/xmpp/load.bro
@ -1 +1,3 @@
@load ./main
@load-sigs ./dpd.sig
--- a/scripts/base/protocols/xmpp/dpd.sig
+++ b/scripts/base/protocols/xmpp/dpd.sig
@ -0,0 +1,5 @@
 signature dpd_xmpp {
 	ip-proto == tcp
 	payload /^(<\?xml[^?>]*\?>)?[\n\r ]*<stream:stream [^>]*xmlns='jabber:/
 	enable "xmpp"
 }
--- a/src/analyzer/protocol/xmpp/XMPP.cc
+++ b/src/analyzer/protocol/xmpp/XMPP.cc
@ -61,7 +61,6 @@ void XMPP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
 		printf("BinPAC Exception: %s\n", e.c_msg());
 		ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
--- a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
+++ b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
@ -16,7 +16,8 @@ refine connection XMPP_Conn += {
 			// Yup, looks like xmpp...
 			bro_analyzer()->ProtocolConfirmation();
-		if ( token == "success" || token == "message" )
+		if ( token == "success" || token == "message" || token == "db:result"
 		     || token == "db:verify" || token == "presence" )
 			// Handshake has passed the phase where we should see StartTLS. Simply skip from hereon...
 			bro_analyzer()->SetSkip(true);
@ -24,9 +25,9 @@ refine connection XMPP_Conn += {
 			client_starttls = true;
 		if ( !is_orig && token == "proceed" && client_starttls )
 			{
 			bro_analyzer()->StartTLS();
-			}
+		else if ( !is_orig && token == "proceed" )
 			reporter->Weird(bro_analyzer()->Conn(), "XMPP: proceed without starttls");
 		//printf("Processed: %d %s %s \n", is_orig, c_str(name), c_str(rest));
--- a/src/analyzer/protocol/xmpp/xmpp-protocol.pac
+++ b/src/analyzer/protocol/xmpp/xmpp-protocol.pac
@ -3,6 +3,7 @@ type XML_END = RE/>/;
 type XML_NAME = RE/\/?[?:[:alnum:]]+/;
 type XML_REST = RE/[^<>]*/;
 type SPACING = RE/[ \r\n]*/;
 type CONTENT = RE/[^<>]*/;
 type XMPP_PDU(is_orig: bool) = XMPP_TOKEN(is_orig)[] &until($input.length() == 0);
@ -12,6 +13,6 @@ type XMPP_TOKEN(is_orig: bool) = record {
 	name: XML_NAME;
 	rest: XML_REST;
 	: XML_END;
-	: SPACING;
+	tagcontent: CONTENT;
 };
--- a/testing/btest/Baseline/scripts.base.protocols.xmpp.client-dpd/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.client-dpd/ssl.log
@ -0,0 +1,10 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
 #open	2015-07-21-20-08-11
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
 1437091702.232293	CXWv6p3arKYeMETxOg	198.128.203.95	56048	146.255.57.229	5222	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp256r1	-	F	-	-	T	F5Nz2G1vSZQ0QXM2s8,FUw8omi2keRxShDUa	(empty)	CN=jabber.ccc.de,O=Chaos Computer Club e.V.,L=Hamburg,ST=Hamburg,C=DE	emailAddress=support@cacert.org,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA	-	-
 #close	2015-07-21-20-08-11
--- a/testing/btest/Baseline/scripts.base.protocols.xmpp.server-dialback-dpd/ssl.log
+++ b/testing/btest/Baseline/scripts.base.protocols.xmpp.server-dialback-dpd/ssl.log
@ -0,0 +1,10 @@
 #separator \x09
 #set_separator	,
 #empty_field	(empty)
 #unset_field	-
 #path	ssl
 #open	2015-07-21-20-18-36
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	cert_chain_fuids	client_cert_chain_fuids	subject	issuer	client_subject	client_issuer
 #types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	vector[string]	vector[string]	string	string	string	string
 1437506779.381295	CXWv6p3arKYeMETxOg	184.73.173.246	1193	104.236.167.107	5269	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	secp384r1	-	F	-	-	T	FLFr7Z1TXmFDv9FwC2,FydVem3ToAkEIAHD29,FK07OA1VxtQi69Irde	F3D2e62Vxl7iTnwbA4,FUCD5w4ABMG5N0YvSi,FxWUEd3mgvThYO2uod,FGOrVE2laVCPsCLMF6	CN=www.0xxon.net,OU=Free SSL,OU=Domain Control Validated	CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB	CN=*.hosted.im,OU=Domain Control Validated	CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\\, Inc.,L=Scottsdale,ST=Arizona,C=US
 #close	2015-07-21-20-18-36
--- a/testing/btest/Traces/tls/xmpp-dialback-starttls.pcap
+++ b/testing/btest/Traces/tls/xmpp-dialback-starttls.pcap
--- a/testing/btest/scripts/base/protocols/xmpp/client-dpd.test
+++ b/testing/btest/scripts/base/protocols/xmpp/client-dpd.test
@ -0,0 +1,8 @@
 # @TEST-EXEC: bro -C -b -r $TRACES/tls/xmpp-starttls.pcap %INPUT
 # @TEST-EXEC: btest-diff ssl.log
@load base/frameworks/dpd
@load base/frameworks/signatures
@load base/protocols/ssl
@load base/protocols/conn
@load-sigs base/protocols/xmpp/dpd.sig
--- a/testing/btest/scripts/base/protocols/xmpp/server-dialback-dpd.test
+++ b/testing/btest/scripts/base/protocols/xmpp/server-dialback-dpd.test
@ -0,0 +1,8 @@
 # @TEST-EXEC: bro -C -b -r $TRACES/tls/xmpp-dialback-starttls.pcap %INPUT
 # @TEST-EXEC: btest-diff ssl.log
@load base/frameworks/dpd
@load base/frameworks/signatures
@load base/protocols/ssl
@load base/protocols/conn
@load-sigs base/protocols/xmpp/dpd.sig
`@ -1 +1,3 @@`
	`@load ./main`	`@load ./main`

		`@load-sigs ./dpd.sig`