Merge remote-tracking branch 'origin/master' into topic/dnthayer/ticket1963

2025-10-09 18:18:19 +00:00 · 2018-08-17 14:11:47 -05:00 · 2018-08-17 14:11:47 -05:00 · 1a4629b0dc
commit 1a4629b0dc
parent d7be90c3ca 95c72f3717
90 changed files with 851 additions and 777 deletions
--- a/scripts/base/frameworks/broker/main.bro
+++ b/scripts/base/frameworks/broker/main.bro
@ -8,7 +8,9 @@ export {
 	const default_port = 9999/tcp &redef;

 	## Default interval to retry listening on a port if it's currently in
-	## use already.
+	## use already.  Use of the BRO_DEFAULT_LISTEN_RETRY environment variable
+	## (set as a number of seconds) will override this option and also
+	## any values given to :bro:see:`Broker::listen`.
 	const default_listen_retry = 30sec &redef;

 	## Default address on which to listen.
@ -16,8 +18,11 @@ export {
 	## .. bro:see:: Broker::listen
 	const default_listen_address = getenv("BRO_DEFAULT_LISTEN_ADDRESS") &redef;

-	## Default interval to retry connecting to a peer if it cannot be made to work
-	## initially, or if it ever becomes disconnected.
+	## Default interval to retry connecting to a peer if it cannot be made to
+	## work initially, or if it ever becomes disconnected.  Use of the
+	## BRO_DEFAULT_CONNECT_RETRY environment variable (set as number of
+	## seconds) will override this option and also any values given to
+	## :bro:see:`Broker::peer`.
 	const default_connect_retry = 30sec &redef;

 	## If true, do not use SSL for network connections. By default, SSL will
@ -194,7 +199,9 @@ export {
 	##    the next available free port.
 	##
 	## retry: If non-zero, retries listening in regular intervals if the port cannot be
-	##        acquired immediately. 0 disables retries.
+	##        acquired immediately. 0 disables retries.  If the
+	##        BRO_DEFAULT_LISTEN_RETRY environment variable is set (as number
+	##        of seconds), it overrides any value given here.
 	##
 	## Returns: the bound port or 0/? on failure.
 	##
@ -210,7 +217,9 @@ export {
 	##
 	## retry: an interval at which to retry establishing the
 	##        connection with the remote peer if it cannot be made initially, or
-	##        if it ever becomes disconnected.
+	##        if it ever becomes disconnected.  If the
+	##        BRO_DEFAULT_CONNECT_RETRY environment variable is set (as number
+	##        of seconds), it overrides any value given here.
 	##
 	## Returns: true if it's possible to try connecting with the peer and
 	##          it's a new peer. The actual connection may not be established
@ -319,8 +328,16 @@ function listen(a: string, p: port, retry: interval): port
 	{
 	local bound = __listen(a, p);

-	if ( bound == 0/tcp && retry != 0secs )
-		schedule retry { retry_listen(a, p, retry) };
+	if ( bound == 0/tcp )
+		{
+		local e = getenv("BRO_DEFAULT_LISTEN_RETRY");
+
+		if ( e != "" )
+			retry = double_to_interval(to_double(e));
+
+		if ( retry != 0secs )
+			schedule retry { retry_listen(a, p, retry) };
+		}

 	return bound;
 	}
--- a/scripts/base/frameworks/cluster/main.bro
+++ b/scripts/base/frameworks/cluster/main.bro
@ -210,6 +210,8 @@ export {
 	const node = getenv("CLUSTER_NODE") &redef;

 	## Interval for retrying failed connections between cluster nodes.
+	## If set, the BRO_DEFAULT_CONNECT_RETRY (given in number of seconds)
+	## overrides this option.
 	const retry_interval = 1min &redef;

 	## When using broker-enabled cluster framework, nodes broadcast this event
--- a/scripts/base/frameworks/netcontrol/plugins/acld.bro
+++ b/scripts/base/frameworks/netcontrol/plugins/acld.bro
@ -270,8 +270,8 @@ function acld_remove_rule_fun(p: PluginState, r: Rule, reason: string) : bool

 function acld_init(p: PluginState)
 	{
-	Broker::peer(cat(p$acld_config$acld_host), p$acld_config$acld_port);
 	Broker::subscribe(p$acld_config$acld_topic);
+	Broker::peer(cat(p$acld_config$acld_host), p$acld_config$acld_port);
 	}

 event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
--- a/scripts/base/frameworks/netcontrol/plugins/broker.bro
+++ b/scripts/base/frameworks/netcontrol/plugins/broker.bro
@ -164,8 +164,8 @@ function broker_remove_rule_fun(p: PluginState, r: Rule, reason: string) : bool

 function broker_init(p: PluginState)
 	{
-	Broker::peer(cat(p$broker_config$host), p$broker_config$bport);
 	Broker::subscribe(p$broker_config$topic);
+	Broker::peer(cat(p$broker_config$host), p$broker_config$bport);
 	}

 event Broker::peer_added(endpoint: Broker::EndpointInfo, msg: string)
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@ -62,8 +62,6 @@
@load base/protocols/rfb
@load base/protocols/sip
@load base/protocols/snmp
-# This DOES NOT enable the SMB analyzer.  It's just some base support
-# for other protocols.
@load base/protocols/smb
@load base/protocols/smtp
@load base/protocols/socks
--- a/scripts/base/protocols/dhcp/main.bro
+++ b/scripts/base/protocols/dhcp/main.bro
@ -41,6 +41,13 @@ export {
 		## IP address.
 		server_addr:    addr        &log &optional;

+		## Client port number seen at time of server handing out IP (expected
+		## as 68/udp).
+		client_port:    port             &optional;
+		## Server port number seen at time of server handing out IP (expected
+		## as 67/udp).
+		server_port:    port             &optional;
+
 		## Client's hardware address.
 		mac:            string      &log &optional;

@ -224,6 +231,8 @@ event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, ms
 		     id$resp_h != 255.255.255.255 )
 			{
 			log_info$server_addr = id$resp_h;
+			log_info$server_port = id$resp_p;
+			log_info$client_port = id$orig_p;
 			}

 		# Only use the client hardware address from the server
--- a/scripts/base/protocols/dns/consts.bro
+++ b/scripts/base/protocols/dns/consts.bro
@ -21,8 +21,8 @@ export {
 		[29] = "LOC", [30] = "EID", [31] = "NIMLOC", [32] = "NB",
 		[33] = "SRV", [34] = "ATMA", [35] = "NAPTR", [36] = "KX",
 		[37] = "CERT", [38] = "A6", [39] = "DNAME", [40] = "SINK",
-	 	[EDNS] = "EDNS", [42] = "APL", [43] = "DS", [44] = "SINK",
-		[45] = "SSHFP", [46] = "RRSIG", [47] = "NSEC", [48] = "DNSKEY",
+		[EDNS] = "EDNS", [42] = "APL", [43] = "DS", [44] = "SSHFP",
+		[45] = "IPSECKEY", [46] = "RRSIG", [47] = "NSEC", [48] = "DNSKEY",
 		[49] = "DHCID", [99] = "SPF", [100] = "DINFO", [101] = "UID",
 		[102] = "GID", [103] = "UNSPEC", [249] = "TKEY", [250] = "TSIG",
 		[251] = "IXFR", [252] = "AXFR", [253] = "MAILB", [254] = "MAILA",
--- a/scripts/base/protocols/smb/README
+++ b/scripts/base/protocols/smb/README
@ -1 +1 @@
-Definitions of constants used by the SMB protocol.
+Support for SMB protocol analysis.
--- a/scripts/base/protocols/smb/load.bro
+++ b/scripts/base/protocols/smb/load.bro
@ -1,3 +1,10 @@
@load ./consts
@load ./const-dos-error
@load ./const-nt-status
+
+@load ./main
+@load ./smb1-main
+@load ./smb2-main
+@load ./files
+
+@load-sigs ./dpd.sig
--- a/scripts/policy/protocols/smb/dpd.sig
+++ b/scripts/policy/protocols/smb/dpd.sig
--- a/scripts/policy/protocols/smb/files.bro
+++ b/scripts/policy/protocols/smb/files.bro
--- a/scripts/policy/protocols/smb/main.bro
+++ b/scripts/policy/protocols/smb/main.bro
@ -1,10 +1,11 @@
-@load base/protocols/smb
+@load ./consts
+@load ./const-dos-error
+@load ./const-nt-status

 module SMB;

 export {
 	redef enum Log::ID += { 
-		CMD_LOG,
 		AUTH_LOG,
 		MAPPING_LOG,
 		FILES_LOG
@ -41,11 +42,6 @@ export {
 		PRINT_CLOSE,
 	};

-	## The server response statuses which are *not* logged.
-	option ignored_command_statuses: set[string] = {
-		"MORE_PROCESSING_REQUIRED",
-	};
-	
 	## This record is for the smb_files.log
 	type FileInfo: record {
 		## Time when the file was first discovered.
@ -157,25 +153,12 @@ export {
 		recent_files : set[string] &default=string_set() &read_expire=3min;
 	};

-	## Optionally write out the SMB commands log.  This is 
-	## primarily useful for debugging so is disabled by default.
-	option write_cmd_log = F;
-
 	## Everything below here is used internally in the SMB scripts.

 	redef record connection += {
 		smb_state : State &optional;
 	};
 	
-	## Internal use only.
-	## Some commands shouldn't be logged by the smb1_message event.
-	const deferred_logging_cmds: set[string] = {
-		"NEGOTIATE",
-		"READ_ANDX",
-		"SESSION_SETUP_ANDX",
-		"TREE_CONNECT_ANDX",
-	};
-
 	## This is an internally used function.
 	const set_current_file: function(smb_state: State, file_id: count) &redef;

@ -196,7 +179,6 @@ redef likely_server_ports += { ports };

 event bro_init() &priority=5
 	{
-	Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]);
 	Log::create_stream(SMB::FILES_LOG, [$columns=SMB::FileInfo, $path="smb_files"]);
 	Log::create_stream(SMB::MAPPING_LOG, [$columns=SMB::TreeInfo, $path="smb_mapping"]);

--- a/scripts/policy/protocols/smb/smb1-main.bro
+++ b/scripts/policy/protocols/smb/smb1-main.bro
@ -68,17 +68,10 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=5

 event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5
 	{
-	# Is this a response?
-	if ( !is_orig )
-		{
-		if ( SMB::write_cmd_log &&
-		     c$smb_state$current_cmd$status !in SMB::ignored_command_statuses &&
-		     c$smb_state$current_cmd$command !in SMB::deferred_logging_cmds )
-			{
-			Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
-			}
-		delete c$smb_state$pending_cmds[hdr$mid];
-		}
+	if ( is_orig )
+		return;
+
+	delete c$smb_state$pending_cmds[hdr$mid];
 	}


@ -325,18 +318,3 @@ event smb_pipe_request(c: connection, hdr: SMB1::Header, op_num: count)

 	c$smb_state$current_cmd$argument = arg;
 	}
-
-event smb1_error(c: connection, hdr: SMB1::Header, is_orig: bool)
-	{
-	if ( ! is_orig )
-		{
-		# This is for deferred commands only.
-		# The more specific messages won't fire for errors
-		if ( SMB::write_cmd_log &&
-		     c$smb_state$current_cmd$status !in SMB::ignored_command_statuses &&
-		     c$smb_state$current_cmd$command in SMB::deferred_logging_cmds )
-			{
-			Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
-			}
-		}
-	}
--- a/scripts/policy/protocols/smb/smb2-main.bro
+++ b/scripts/policy/protocols/smb/smb2-main.bro
@ -65,25 +65,16 @@ event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=5

 event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=-5
 	{
-	# Is this a response?
-	if ( !is_orig )
-		{
-		# If the command that is being looked at right now was
-		# marked as PENDING, then we'll skip all of this and wait
-		# for a reply that isn't marked pending.
-		if ( c$smb_state$current_cmd$status == "PENDING" )
-			{
-			return;
-			}
+	if ( is_orig )
+		return;

-		if ( SMB::write_cmd_log &&
-		     c$smb_state$current_cmd$status !in SMB::ignored_command_statuses &&
-		     c$smb_state$current_cmd$command !in SMB::deferred_logging_cmds )
-			{
-			Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
-			}
-		delete c$smb_state$pending_cmds[hdr$message_id];
-		}
+	# If the command that is being looked at right now was
+	# marked as PENDING, then we'll skip all of this and wait
+	# for a reply that isn't marked pending.
+	if ( c$smb_state$current_cmd$status == "PENDING" )
+		return;
+
+	delete c$smb_state$pending_cmds[hdr$message_id];
 	}

 event smb2_negotiate_request(c: connection, hdr: SMB2::Header, dialects: index_vec) &priority=5
--- a/scripts/policy/protocols/dhcp/software.bro
+++ b/scripts/policy/protocols/dhcp/software.bro
@ -42,21 +42,22 @@ event DHCP::log_dhcp(rec: DHCP::Info)
 	if ( rec?$assigned_addr && rec?$server_addr &&
 	     (rec?$client_software || rec?$server_software) )
 		{
-		# Not quite right to just blindly use 67 and 68 as the ports
-		local id: conn_id = [$orig_h=rec$assigned_addr, $orig_p=68/udp,
-		                     $resp_h=rec$server_addr, $resp_p=67/udp];
+		local id: conn_id = [$orig_h=rec$assigned_addr,
+		                     $orig_p=rec$client_port,
+		                     $resp_h=rec$server_addr,
+		                     $resp_p=rec$server_port];

 		if ( rec?$client_software && rec$assigned_addr != 255.255.255.255 )
 			{
 			Software::found(id, [$unparsed_version=rec$client_software,
-			                     $host=rec$assigned_addr,
+			                     $host=rec$assigned_addr, $host_p=id$orig_p,
 			                     $software_type=DHCP::CLIENT]);
 			}

 		if ( rec?$server_software )
 			{
 			Software::found(id, [$unparsed_version=rec$server_software,
-			                     $host=rec$server_addr,
+			                     $host=rec$server_addr, $host_p=id$resp_p,
 			                     $software_type=DHCP::SERVER]);
 			}
 		}
--- a/scripts/policy/protocols/smb/README
+++ b/scripts/policy/protocols/smb/README
@ -1 +0,0 @@
-Support for SMB protocol analysis.
--- a/scripts/policy/protocols/smb/load.bro
+++ b/scripts/policy/protocols/smb/load.bro
@ -1,8 +0,0 @@
-@load base/protocols/smb
-
-@load ./main
-@load ./smb1-main
-@load ./smb2-main
-@load ./files
-
-@load-sigs ./dpd.sig
--- a/scripts/policy/protocols/smb/log-cmds.bro
+++ b/scripts/policy/protocols/smb/log-cmds.bro
@ -0,0 +1,82 @@
+##! Load this script to generate an SMB command log, smb_cmd.log.
+##! This is primarily useful for debugging.
+
+@load base/protocols/smb
+
+module SMB;
+
+export {
+	redef enum Log::ID += {
+		CMD_LOG,
+	};
+
+	## The server response statuses which are *not* logged.
+	option ignored_command_statuses: set[string] = {
+		"MORE_PROCESSING_REQUIRED",
+	};
+}
+
+## Internal use only.
+## Some commands shouldn't be logged by the smb1_message event.
+const deferred_logging_cmds: set[string] = {
+	"NEGOTIATE",
+	"READ_ANDX",
+	"SESSION_SETUP_ANDX",
+	"TREE_CONNECT_ANDX",
+};
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd"]);
+	}
+
+event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5
+	{
+	if ( is_orig )
+		return;
+
+	if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses )
+		return;
+	
+	if ( c$smb_state$current_cmd$command in SMB::deferred_logging_cmds )
+		return;
+
+	Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
+	}
+
+event smb1_error(c: connection, hdr: SMB1::Header, is_orig: bool)
+	{
+	if ( is_orig )
+		return;
+
+	# This is for deferred commands only.
+	# The more specific messages won't fire for errors
+
+	if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses )
+		return;
+
+	if ( c$smb_state$current_cmd$command !in SMB::deferred_logging_cmds )
+		return;
+
+	Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
+	}
+
+event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=-5
+	{
+	if ( is_orig )
+		return;
+
+	# If the command that is being looked at right now was
+	# marked as PENDING, then we'll skip all of this and wait
+	# for a reply that isn't marked pending.
+	if ( c$smb_state$current_cmd$status == "PENDING" )
+		return;
+
+	if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses )
+		return;
+
+	if ( c$smb_state$current_cmd$command in SMB::deferred_logging_cmds )
+		return;
+
+	Log::write(SMB::CMD_LOG, c$smb_state$current_cmd);
+	}
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
@ -99,7 +99,3 @@
 # Uncomment the following line to enable logging of link-layer addresses. Enabling
 # this adds the link-layer address for each connection endpoint to the conn.log file.
 # @load policy/protocols/conn/mac-logging
-
-# Uncomment the following line to enable the SMB analyzer.  The analyzer
-# is currently considered a preview and therefore not loaded by default.
-# @load policy/protocols/smb
--- a/scripts/test-all-policy.bro
+++ b/scripts/test-all-policy.bro
@ -80,11 +80,7 @@
@load protocols/modbus/track-memmap.bro
@load protocols/mysql/software.bro
@load protocols/rdp/indicate_ssl.bro
-@load protocols/smb/__load__.bro
-@load protocols/smb/files.bro
-@load protocols/smb/main.bro
-@load protocols/smb/smb1-main.bro
-@load protocols/smb/smb2-main.bro
+@load protocols/smb/log-cmds.bro
@load protocols/smtp/blocklists.bro
@load protocols/smtp/detect-suspicious-orig.bro
@load protocols/smtp/entities-excerpt.bro