Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/topic/jsiwek/irc-orig'

Browse source 
* origin/topic/jsiwek/irc-orig:
  Shorten what's displayed in the IRC's log mime_type column for DCC transfers
  Add IRC unit tests.
  Small tweak to IRC event handlder priorities
  Fix IRC analyzer supplying wrong type to irc_dcc_message event.
  Changes to IRC analyzer and events (addresses #469).
This commit is contained in:
Robin Sommer 2011-07-20 17:09:14 -07:00
commit 2892026201
12 changed files with 199 additions and 132 deletions
Download patch file Download diff file Expand all files Collapse all files

16
CHANGES
View file

@ -1,3 +1,19 @@
1.6-dev.225 Wed Jul 20 17:10:41 PDT 2011
- IRC improvements (Jon Siwek). Including:
- Shorten what's displayed in the IRC's log mime_type column for
DCC transfers.
- Add IRC unit tests.
- Fix IRC analyzer supplying wrong type to irc_dcc_message event.
- Removed irc_client and irc_server events.
- Added is_orig arguments to all other irc events.
- Fix analyzer not recognizing Turbo DCC extension message format.
- Fix analyzer not generating irc_dcc_message event when irc_privmsg_message
event doesn't have a handler registered.
- Fixing tests that need a diff canonifier. (Jon Siwek)
1.6-dev.223 Tue Jul 19 19:10:36 PDT 2011 1.6-dev.223 Tue Jul 19 19:10:36 PDT 2011
- Adding a script to update CHANGES and VERSION. (Robin Sommer) - Adding a script to update CHANGES and VERSION. (Robin Sommer)

2
VERSION
View file

@ -1 +1 @@
1.6-dev.223 1.6-dev.225

32
policy/protocols/irc/base.bro
View file

@ -64,44 +64,55 @@ function set_session(c: connection)
c$irc$ts=network_time(); c$irc$ts=network_time();
} }
event irc_nick_message(c: connection, who: string, newnick: string) &priority=5 event irc_nick_message(c: connection, is_orig: bool, who: string, newnick: string) &priority=5
{ {
set_session(c); set_session(c);
if ( is_orig )
{
c$irc$command = "NICK"; c$irc$command = "NICK";
c$irc$value = newnick; c$irc$value = newnick;
} }
}
event irc_nick_message(c: connection, who: string, newnick: string) &priority=-5 event irc_nick_message(c: connection, is_orig: bool, who: string, newnick: string) &priority=-5
{
if ( is_orig )
{ {
Log::write(IRC, c$irc); Log::write(IRC, c$irc);
c$irc$nick = newnick; c$irc$nick = newnick;
} }
}
event irc_user_message(c: connection, user: string, host: string, server: string, real_name: string) &priority=5 event irc_user_message(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string) &priority=5
{ {
set_session(c); set_session(c);
if ( is_orig )
{
c$irc$command = "USER"; c$irc$command = "USER";
c$irc$value = user; c$irc$value = user;
c$irc$addl=fmt("%s %s %s", host, server, real_name); c$irc$addl=fmt("%s %s %s", host, server, real_name);
} }
}
event irc_user_message(c: connection, user: string, host: string, event irc_user_message(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string) &priority=-5
server: string, real_name: string) &priority=-5 {
if ( is_orig )
{ {
Log::write(IRC, c$irc); Log::write(IRC, c$irc);
c$irc$user = user; c$irc$user = user;
} }
}
event irc_join_message(c: connection, info_list: irc_join_list) &priority=5 event irc_join_message(c: connection, is_orig: bool, info_list: irc_join_list) &priority=5
{ {
set_session(c); set_session(c);
if ( is_orig )
c$irc$command = "JOIN"; c$irc$command = "JOIN";
} }
event irc_join_message(c: connection, info_list: irc_join_list) &priority=-5 event irc_join_message(c: connection, is_orig: bool, info_list: irc_join_list) &priority=-5
{
if ( is_orig )
{ {
for ( l in info_list ) for ( l in info_list )
{ {
@ -110,3 +121,4 @@ event irc_join_message(c: connection, info_list: irc_join_list) &priority=-5
Log::write(IRC, c$irc); Log::write(IRC, c$irc);
} }
} }
}

42
policy/protocols/irc/dcc-send.bro
View file

@ -9,6 +9,8 @@
##! PRIVMSG my_nick :^ADCC SEND whateverfile.zip 3640061780 1026 41709^A ##! PRIVMSG my_nick :^ADCC SEND whateverfile.zip 3640061780 1026 41709^A
@load protocols/irc @load protocols/irc
@load utils/files
@load utils/numbers
module IRC; module IRC;
@ -48,9 +50,9 @@ event file_transferred(c: connection, prefix: string, descr: string,
local irc = dcc_expected_transfers[id$resp_h, id$resp_p]; local irc = dcc_expected_transfers[id$resp_h, id$resp_p];
irc$dcc_mime_type = mime_type; irc$dcc_mime_type = split1(mime_type, /;/)[1];
if ( extract_file_types in mime_type ) if ( extract_file_types == irc$dcc_mime_type )
{ {
irc$extract_file = T; irc$extract_file = T;
add irc$tags[EXTRACTED_FILE]; add irc$tags[EXTRACTED_FILE];
@ -59,7 +61,6 @@ event file_transferred(c: connection, prefix: string, descr: string,
local fname = generate_extraction_filename(extraction_prefix, c, suffix); local fname = generate_extraction_filename(extraction_prefix, c, suffix);
irc$extraction_file = open(fname); irc$extraction_file = open(fname);
} }
} }
event file_transferred(c: connection, prefix: string, descr: string, event file_transferred(c: connection, prefix: string, descr: string,
@ -71,6 +72,11 @@ event file_transferred(c: connection, prefix: string, descr: string,
local irc = dcc_expected_transfers[id$resp_h, id$resp_p]; local irc = dcc_expected_transfers[id$resp_h, id$resp_p];
local tmp = irc$command;
irc$command = "DCC";
Log::write(IRC, irc);
irc$command = tmp;
if ( irc$extract_file && irc?$extraction_file ) if ( irc$extract_file && irc?$extraction_file )
set_contents_file(id, CONTENTS_RESP, irc$extraction_file); set_contents_file(id, CONTENTS_RESP, irc$extraction_file);
@ -84,25 +90,19 @@ event file_transferred(c: connection, prefix: string, descr: string,
delete dcc_expected_transfers[id$resp_h, id$resp_p]; delete dcc_expected_transfers[id$resp_h, id$resp_p];
} }
event irc_dcc_message(c: connection, is_orig: bool,
event irc_server(c: connection, prefix: string, data: string) &priority=5 prefix: string, target: string,
dcc_type: string, argument: string,
address: addr, dest_port: count, size: count) &priority=5
{ {
local parts = split_all(data, / /); set_session(c);
local command = parts[1]; if ( dcc_type != "SEND" )
if ( command == "PRIVMSG" && return;
/[dD][cC][cC] [sS][eE][nN][dD]/ in data && c$irc$dcc_file_name = argument;
|parts| > 12 && c$irc$dcc_file_size = size;
/^[0-9]*$/ == parts[|parts|-4] && local p = to_port(dest_port, tcp);
/^[0-9]*$/ == parts[|parts|-2] ) expect_connection(to_addr("0.0.0.0"), address, p, ANALYZER_FILE, 5 min);
{ dcc_expected_transfers[address, p] = c$irc;
c$irc$command = "DCC SEND";
local ex_h = count_to_v4_addr(extract_count(parts[|parts|-4]));
local ex_p = to_port(to_count(parts[|parts|-2]), tcp);
c$irc$dcc_file_name = parts[|parts|-6];
c$irc$dcc_file_size = extract_count(parts[|parts|]);
expect_connection(c$id$orig_h, ex_h, ex_p, ANALYZER_FILE, 5 min);
dcc_expected_transfers[ex_h, ex_p] = c$irc;
}
} }
event expected_connection_seen(c: connection, a: count) &priority=10 event expected_connection_seen(c: connection, a: count) &priority=10

74
src/IRC.cc
View file

@ -33,8 +33,8 @@ bool IRC_Analyzer::Available()
{ {
// It's a lot of events, but for consistency with other // It's a lot of events, but for consistency with other
// analyzers we need to check for all of them. // analyzers we need to check for all of them.
avail = irc_client || irc_server || irc_request || irc_reply || avail = irc_request || irc_reply ||
irc_message || irc_enter_message || irc_quit_message || irc_message || irc_quit_message ||
irc_privmsg_message || irc_notice_message || irc_privmsg_message || irc_notice_message ||
irc_squery_message || irc_join_message || irc_squery_message || irc_join_message ||
irc_part_message || irc_nick_message || irc_part_message || irc_nick_message ||
@ -97,28 +97,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
if ( orig ) if ( orig )
{
ProtocolConfirmation(); ProtocolConfirmation();
if ( irc_client )
{
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(new StringVal(prefix.c_str()));
vl->append(new StringVal(myline.c_str()));
ConnectionEvent(irc_client, vl);
}
}
else
{
if ( irc_server )
{
val_list* vl = new val_list;
vl->append(BuildConnVal());
vl->append(new StringVal(prefix.c_str()));
vl->append(new StringVal(myline.c_str()));
ConnectionEvent(irc_server, vl);
}
}
int code = 0; int code = 0;
string command = ""; string command = "";
@ -260,6 +239,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new Val(users, TYPE_INT)); vl->append(new Val(users, TYPE_INT));
vl->append(new Val(services, TYPE_INT)); vl->append(new Val(services, TYPE_INT));
vl->append(new Val(servers, TYPE_INT)); vl->append(new Val(servers, TYPE_INT));
@ -296,6 +276,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(type.c_str())); vl->append(new StringVal(type.c_str()));
vl->append(new StringVal(channel.c_str())); vl->append(new StringVal(channel.c_str()));
@ -338,6 +319,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new Val(users, TYPE_INT)); vl->append(new Val(users, TYPE_INT));
vl->append(new Val(services, TYPE_INT)); vl->append(new Val(services, TYPE_INT));
vl->append(new Val(servers, TYPE_INT)); vl->append(new Val(servers, TYPE_INT));
@ -360,6 +342,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new Val(channels, TYPE_INT)); vl->append(new Val(channels, TYPE_INT));
ConnectionEvent(irc_channel_info, vl); ConnectionEvent(irc_channel_info, vl);
@ -392,6 +375,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(eop - prefix, prefix)); vl->append(new StringVal(eop - prefix, prefix));
vl->append(new StringVal(++msg)); vl->append(new StringVal(++msg));
ConnectionEvent(irc_global_users, vl); ConnectionEvent(irc_global_users, vl);
@ -416,6 +400,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(parts[0].c_str())); vl->append(new StringVal(parts[0].c_str()));
vl->append(new StringVal(parts[1].c_str())); vl->append(new StringVal(parts[1].c_str()));
vl->append(new StringVal(parts[2].c_str())); vl->append(new StringVal(parts[2].c_str()));
@ -454,6 +439,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(parts[0].c_str())); vl->append(new StringVal(parts[0].c_str()));
ConnectionEvent(irc_whois_operator_line, vl); ConnectionEvent(irc_whois_operator_line, vl);
@ -484,6 +470,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(nick.c_str())); vl->append(new StringVal(nick.c_str()));
TableVal* set = new TableVal(string_set); TableVal* set = new TableVal(string_set);
for ( unsigned int i = 0; i < parts.size(); ++i ) for ( unsigned int i = 0; i < parts.size(); ++i )
@ -519,6 +506,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(parts[1].c_str())); vl->append(new StringVal(parts[1].c_str()));
const char* t = topic.c_str(); const char* t = topic.c_str();
@ -552,6 +540,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(parts[0].c_str())); vl->append(new StringVal(parts[0].c_str()));
vl->append(new StringVal(parts[1].c_str())); vl->append(new StringVal(parts[1].c_str()));
if ( parts[2][0] == '~' ) if ( parts[2][0] == '~' )
@ -579,6 +568,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
ConnectionEvent(irc_invalid_nick, vl); ConnectionEvent(irc_invalid_nick, vl);
} }
break; break;
@ -590,6 +580,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new Val(code == 381, TYPE_BOOL)); vl->append(new Val(code == 381, TYPE_BOOL));
ConnectionEvent(irc_oper_response, vl); ConnectionEvent(irc_oper_response, vl);
} }
@ -599,6 +590,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
default: default:
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(prefix.c_str())); vl->append(new StringVal(prefix.c_str()));
vl->append(new Val(code, TYPE_COUNT)); vl->append(new Val(code, TYPE_COUNT));
vl->append(new StringVal(params.c_str())); vl->append(new StringVal(params.c_str()));
@ -622,7 +614,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
return; return;
} }
else if ( irc_privmsg_message && command == "PRIVMSG") else if ( irc_privmsg_message || (irc_dcc_message && command == "PRIVMSG") )
{ {
unsigned int pos = params.find(' '); unsigned int pos = params.find(' ');
if ( pos >= params.size() ) if ( pos >= params.size() )
@ -648,10 +640,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
vector<string> parts = SplitWords(message, ' '); vector<string> parts = SplitWords(message, ' ');
if ( parts.size() < 5 || parts.size() > 6 ) if ( parts.size() < 5 || parts.size() > 6 )
{
// Turbo DCC extension appends a "T" at the end of handshake.
if ( ! (parts.size() == 7 && parts[6] == "T") )
{ {
Weird("irc_invalid_dcc_message_format"); Weird("irc_invalid_dcc_message_format");
return; return;
} }
}
// Calculate IP address. // Calculate IP address.
uint32 raw_ip = 0; uint32 raw_ip = 0;
@ -663,17 +659,18 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(prefix.c_str())); vl->append(new StringVal(prefix.c_str()));
vl->append(new StringVal(target.c_str())); vl->append(new StringVal(target.c_str()));
vl->append(new StringVal(parts[1].c_str())); vl->append(new StringVal(parts[1].c_str()));
vl->append(new StringVal(parts[2].c_str())); vl->append(new StringVal(parts[2].c_str()));
vl->append(new AddrVal(htonl(raw_ip))); vl->append(new AddrVal(htonl(raw_ip)));
vl->append(new Val(atoi(parts[4].c_str()), TYPE_INT)); vl->append(new Val(atoi(parts[4].c_str()), TYPE_COUNT));
if ( parts.size() == 6 ) if ( parts.size() >= 6 )
vl->append(new Val(atoi(parts[5].c_str()), vl->append(new Val(atoi(parts[5].c_str()),
TYPE_INT)); TYPE_COUNT));
else else
vl->append(new Val(0, TYPE_INT)); vl->append(new Val(0, TYPE_COUNT));
ConnectionEvent(irc_dcc_message, vl); ConnectionEvent(irc_dcc_message, vl);
} }
@ -682,6 +679,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(prefix.c_str())); vl->append(new StringVal(prefix.c_str()));
vl->append(new StringVal(target.c_str())); vl->append(new StringVal(target.c_str()));
vl->append(new StringVal(message.c_str())); vl->append(new StringVal(message.c_str()));
@ -706,6 +704,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(prefix.c_str())); vl->append(new StringVal(prefix.c_str()));
vl->append(new StringVal(target.c_str())); vl->append(new StringVal(target.c_str()));
vl->append(new StringVal(message.c_str())); vl->append(new StringVal(message.c_str()));
@ -729,6 +728,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(prefix.c_str())); vl->append(new StringVal(prefix.c_str()));
vl->append(new StringVal(target.c_str())); vl->append(new StringVal(target.c_str()));
vl->append(new StringVal(message.c_str())); vl->append(new StringVal(message.c_str()));
@ -742,6 +742,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
vector<string> parts = SplitWords(params, ' '); vector<string> parts = SplitWords(params, ' ');
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
if ( parts.size() > 0 ) if ( parts.size() > 0 )
vl->append(new StringVal(parts[0].c_str())); vl->append(new StringVal(parts[0].c_str()));
@ -777,6 +778,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(parts[0].c_str())); vl->append(new StringVal(parts[0].c_str()));
vl->append(new StringVal(parts[1].c_str())); vl->append(new StringVal(parts[1].c_str()));
@ -799,6 +801,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(prefix.c_str())); vl->append(new StringVal(prefix.c_str()));
vl->append(new StringVal(parts[0].c_str())); vl->append(new StringVal(parts[0].c_str()));
vl->append(new StringVal(parts[1].c_str())); vl->append(new StringVal(parts[1].c_str()));
@ -842,6 +845,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
TableVal* list = new TableVal(irc_join_list); TableVal* list = new TableVal(irc_join_list);
vector<string> channels = SplitWords(parts[0], ','); vector<string> channels = SplitWords(parts[0], ',');
@ -888,6 +892,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
TableVal* list = new TableVal(irc_join_list); TableVal* list = new TableVal(irc_join_list);
string empty_string = ""; string empty_string = "";
@ -965,6 +970,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(nick.c_str())); vl->append(new StringVal(nick.c_str()));
vl->append(set); vl->append(set);
vl->append(new StringVal(message.c_str())); vl->append(new StringVal(message.c_str()));
@ -988,6 +994,8 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(nickname.c_str())); vl->append(new StringVal(nickname.c_str()));
vl->append(new StringVal(message.c_str())); vl->append(new StringVal(message.c_str()));
@ -1002,6 +1010,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(prefix.c_str())); vl->append(new StringVal(prefix.c_str()));
vl->append(new StringVal(nick.c_str())); vl->append(new StringVal(nick.c_str()));
@ -1027,6 +1036,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(parts[0].c_str())); vl->append(new StringVal(parts[0].c_str()));
vl->append(new Val(oper, TYPE_BOOL)); vl->append(new Val(oper, TYPE_BOOL));
@ -1055,6 +1065,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(server.c_str())); vl->append(new StringVal(server.c_str()));
vl->append(new StringVal(users.c_str())); vl->append(new StringVal(users.c_str()));
@ -1065,6 +1076,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(prefix.c_str())); vl->append(new StringVal(prefix.c_str()));
if ( params[0] == ':' ) if ( params[0] == ':' )
params = params.substr(1); params = params.substr(1);
@ -1083,6 +1095,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(prefix.c_str())); vl->append(new StringVal(prefix.c_str()));
vl->append(new StringVal(parts[0].c_str())); vl->append(new StringVal(parts[0].c_str()));
vl->append(new StringVal(parts[1].c_str())); vl->append(new StringVal(parts[1].c_str()));
@ -1099,6 +1112,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(prefix.c_str())); vl->append(new StringVal(prefix.c_str()));
vl->append(new StringVal(params.c_str())); vl->append(new StringVal(params.c_str()));
@ -1113,6 +1127,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(params.c_str())); vl->append(new StringVal(params.c_str()));
ConnectionEvent(irc_password_message, vl); ConnectionEvent(irc_password_message, vl);
} }
@ -1133,6 +1148,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(prefix.c_str())); vl->append(new StringVal(prefix.c_str()));
vl->append(new StringVal(server.c_str())); vl->append(new StringVal(server.c_str()));
vl->append(new StringVal(message.c_str())); vl->append(new StringVal(message.c_str()));
@ -1147,6 +1163,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(prefix.c_str())); vl->append(new StringVal(prefix.c_str()));
vl->append(new StringVal(command.c_str())); vl->append(new StringVal(command.c_str()));
vl->append(new StringVal(params.c_str())); vl->append(new StringVal(params.c_str()));
@ -1161,6 +1178,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
{ {
val_list* vl = new val_list; val_list* vl = new val_list;
vl->append(BuildConnVal()); vl->append(BuildConnVal());
vl->append(new Val(orig, TYPE_BOOL));
vl->append(new StringVal(prefix.c_str())); vl->append(new StringVal(prefix.c_str()));
vl->append(new StringVal(command.c_str())); vl->append(new StringVal(command.c_str()));
vl->append(new StringVal(params.c_str())); vl->append(new StringVal(params.c_str()));

70
src/event.bif
View file

@ -338,62 +338,60 @@ event pop3_login_success%(c: connection, is_orig: bool,
event pop3_login_failure%(c: connection, is_orig: bool, event pop3_login_failure%(c: connection, is_orig: bool,
user: string, password: string%); user: string, password: string%);
event irc_client%(c: connection, prefix: string, data: string%); event irc_request%(c: connection, is_orig: bool, prefix: string,
event irc_server%(c: connection, prefix: string, data: string%);
event irc_request%(c: connection, prefix: string,
command: string, arguments: string%); command: string, arguments: string%);
event irc_reply%(c: connection, prefix: string, event irc_reply%(c: connection, is_orig: bool, prefix: string,
code: count, params: string%); code: count, params: string%);
event irc_message%(c: connection, prefix: string, event irc_message%(c: connection, is_orig: bool, prefix: string,
command: string, message: string%); command: string, message: string%);
event irc_enter_message%(c: connection, nick: string, real_name: string%); event irc_quit_message%(c: connection, is_orig: bool, nick: string, message: string%);
event irc_quit_message%(c: connection, nick: string, message: string%); event irc_privmsg_message%(c: connection, is_orig: bool, source: string,
event irc_privmsg_message%(c: connection, source: string,
target: string, message: string%); target: string, message: string%);
event irc_notice_message%(c: connection, source: string, event irc_notice_message%(c: connection, is_orig: bool, source: string,
target: string, message: string%); target: string, message: string%);
event irc_squery_message%(c: connection, source: string, event irc_squery_message%(c: connection, is_orig: bool, source: string,
target: string, message: string%); target: string, message: string%);
event irc_join_message%(c: connection, info_list: irc_join_list%); event irc_join_message%(c: connection, is_orig: bool, info_list: irc_join_list%);
event irc_part_message%(c: connection, nick: string, event irc_part_message%(c: connection, is_orig: bool, nick: string,
chans: string_set, message: string%); chans: string_set, message: string%);
event irc_nick_message%(c: connection, who: string, newnick: string%); event irc_nick_message%(c: connection, is_orig: bool, who: string, newnick: string%);
event irc_invalid_nick%(c: connection%); event irc_invalid_nick%(c: connection, is_orig: bool%);
event irc_network_info%(c: connection, users: count, event irc_network_info%(c: connection, is_orig: bool, users: count,
services: count, servers: count%); services: count, servers: count%);
event irc_server_info%(c: connection, users: count, event irc_server_info%(c: connection, is_orig: bool, users: count,
services: count, servers: count%); services: count, servers: count%);
event irc_channel_info%(c: connection, chans: count%); event irc_channel_info%(c: connection, is_orig: bool, chans: count%);
event irc_who_line%(c: connection, target_nick: string, event irc_who_line%(c: connection, is_orig: bool, target_nick: string,
channel: string, user: string, host: string, channel: string, user: string, host: string,
server: string, nick: string, params: string, server: string, nick: string, params: string,
hops: count, real_name: string%); hops: count, real_name: string%);
event irc_who_message%(c: connection, mask: string, oper: bool%); event irc_who_message%(c: connection, is_orig: bool, mask: string, oper: bool%);
event irc_whois_message%(c: connection, server: string, users: string%); event irc_whois_message%(c: connection, is_orig: bool, server: string, users: string%);
event irc_whois_user_line%(c: connection, nick: string, event irc_whois_user_line%(c: connection, is_orig: bool, nick: string,
user: string, host: string, real_name: string%); user: string, host: string, real_name: string%);
event irc_whois_operator_line%(c: connection, nick: string%); event irc_whois_operator_line%(c: connection, is_orig: bool, nick: string%);
event irc_whois_channel_line%(c: connection, nick: string, event irc_whois_channel_line%(c: connection, is_orig: bool, nick: string,
chans: string_set%); chans: string_set%);
event irc_oper_message%(c: connection, user: string, password: string%); event irc_oper_message%(c: connection, is_orig: bool, user: string, password: string%);
event irc_oper_response%(c: connection, got_oper: bool%); event irc_oper_response%(c: connection, is_orig: bool, got_oper: bool%);
event irc_kick_message%(c: connection, prefix: string, event irc_kick_message%(c: connection, is_orig: bool, prefix: string,
chans: string, users: string, comment: string%); chans: string, users: string, comment: string%);
event irc_error_message%(c: connection, prefix: string, message: string%); event irc_error_message%(c: connection, is_orig: bool, prefix: string, message: string%);
event irc_invite_message%(c: connection, prefix: string, event irc_invite_message%(c: connection, is_orig: bool, prefix: string,
nickname: string, channel: string%); nickname: string, channel: string%);
event irc_mode_message%(c: connection, prefix: string, params: string%); event irc_mode_message%(c: connection, is_orig: bool, prefix: string, params: string%);
event irc_squit_message%(c: connection, prefix: string, event irc_squit_message%(c: connection, is_orig: bool, prefix: string,
server: string, message: string%); server: string, message: string%);
event irc_names_info%(c: connection, c_type: string, event irc_names_info%(c: connection, is_orig: bool, c_type: string,
channel: string, users: string_set%); channel: string, users: string_set%);
event irc_dcc_message%(c: connection, prefix: string, target: string, event irc_dcc_message%(c: connection, is_orig: bool,
prefix: string, target: string,
dcc_type: string, argument: string, dcc_type: string, argument: string,
address: addr, dest_port: count, size: count%); address: addr, dest_port: count, size: count%);
event irc_global_users%(c: connection, prefix: string, msg: string%); event irc_global_users%(c: connection, is_orig: bool, prefix: string, msg: string%);
event irc_user_message%(c: connection, user: string, host: string, server: string, real_name: string%); event irc_user_message%(c: connection, is_orig: bool, user: string, host: string, server: string, real_name: string%);
event irc_channel_topic%(c: connection, channel: string, topic: string%); event irc_channel_topic%(c: connection, is_orig: bool, channel: string, topic: string%);
event irc_password_message%(c: connection, password: string%); event irc_password_message%(c: connection, is_orig: bool, password: string%);
event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%); event file_transferred%(c: connection, prefix: string, descr: string, mime_type: string%);
event file_virus%(c: connection, virname: string%); event file_virus%(c: connection, virname: string%);

5
testing/btest/Baseline/policy.protocols.irc.basic/irc.log Normal file
View file

@ -0,0 +1,5 @@
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user channels command value addl tags dcc_file_name dcc_file_size dcc_mime_type extraction_file
1311189164.11944 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 - - - NICK bloed - - - - - -
1311189164.11944 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed - - USER sdkfje sdkfje Montreal.QC.CA.Undernet.org dkdkrwq - - - - -
1311189174.47413 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje - JOIN #easymovies - - - - - -
1311189316.32603 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje - DCC #easymovies - - ladyvampress-default(2011-07-07)-OS.zip 42208 application/x-zip -

BIN
testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat Normal file
View file

Binary file not shown.

5
testing/btest/Baseline/policy.protocols.irc.dcc-extract/irc.log Normal file
View file

@ -0,0 +1,5 @@
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p nick user channels command value addl tags dcc_file_name dcc_file_size dcc_mime_type extraction_file
1311189164.11944 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 - - - NICK bloed - - - - - -
1311189164.11944 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed - - USER sdkfje sdkfje Montreal.QC.CA.Undernet.org dkdkrwq - - - - -
1311189174.47413 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje - JOIN #easymovies - - - - - -
1311189316.32603 UWkUyAuUGXf 192.168.1.77 57640 66.198.80.67 6667 bloed sdkfje - DCC #easymovies - IRC::EXTRACTED_FILE ladyvampress-default(2011-07-07)-OS.zip 42208 application/x-zip irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat

BIN
testing/btest/Traces/irc-dcc-send.trace Normal file
View file

Binary file not shown.

5
testing/btest/policy/protocols/irc/basic.test Normal file
View file

@ -0,0 +1,5 @@
# This tests that basic IRC commands (NICK, USER, JOIN, DCC SEND)
# are logged for a client.
# @TEST-EXEC: bro protocols/irc -r $TRACES/irc-dcc-send.trace
# @TEST-EXEC: btest-diff irc.log

8
testing/btest/policy/protocols/irc/dcc-extract.test Normal file
View file

@ -0,0 +1,8 @@
# This tests that the contents of a DCC transfer negotiated with IRC can be
# correctly extracted
# @TEST-EXEC: bro protocols/irc -r $TRACES/irc-dcc-send.trace IRC::extract_file_types=/application.*/
# @TEST-EXEC: btest-diff irc.log
# @TEST-EXEC: btest-diff irc-dcc-item_192.168.1.77:57655-209.197.168.151:1024_1.dat
# @TEST-EXEC: bro protocols/irc -r $TRACES/irc-dcc-send.trace IRC::extract_file_types=/application.*/ IRC::extraction_prefix="test"
# @TEST-EXEC: test -e test_192.168.1.77:57655-209.197.168.151:1024_1.dat