mirror of
https://github.com/zeek/zeek.git
synced 2025-10-13 03:58:20 +00:00
Merge remote-tracking branch 'origin/topic/bernhard/software'
* origin/topic/bernhard/software: change software framework interface again. At the moment everything should worl. start reworking interface of software framework. working apart from detect-webapps.bro, which direcly manipulates a no longer available interface... after talking to seth - change host_a field in record back to host. forgotten policy files. Software framework stores ports for server software.
This commit is contained in:
Seth Hall
commit
2cd88ee4f6
8 changed files with 203 additions and 196 deletions
|
|
@ -23,7 +23,6 @@ event ftp_request(c: connection, command: string, arg: string) &priority=4
|
|||
{
|
||||
if ( command == "CLNT" )
|
||||
{
|
||||
local si = Software::parse(arg, c$id$orig_h, CLIENT);
|
||||
Software::found(c$id, si);
|
||||
Software::found(c$id, [$unparsed_version=arg, $host=c$id$orig_h, $software_type=CLIENT]);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -27,7 +27,8 @@ event signature_match(state: signature_state, msg: string, data: string) &priori
|
|||
if ( /^webapp-/ !in state$sig_id ) return;
|
||||
|
||||
local c = state$conn;
|
||||
local si = Software::parse(msg, c$id$resp_h, WEB_APPLICATION);
|
||||
local si = Software::Info;
|
||||
si = [$unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION];
|
||||
si$url = build_url_http(c$http);
|
||||
if ( c$id$resp_h in Software::tracked &&
|
||||
si$name in Software::tracked[c$id$resp_h] )
|
||||
|
|
|
|||
|
|
@ -27,8 +27,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
|
|||
# Flash doesn't include it's name so we'll add it here since it
|
||||
# simplifies the version parsing.
|
||||
value = cat("Flash/", value);
|
||||
local flash_version = Software::parse(value, c$id$orig_h, BROWSER_PLUGIN);
|
||||
Software::found(c$id, flash_version);
|
||||
Software::found(c$id, [$unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN]);
|
||||
}
|
||||
}
|
||||
else
|
||||
|
|
@ -55,7 +54,7 @@ event log_http(rec: Info)
|
|||
local plugins = split(sw, /[[:blank:]]*;[[:blank:]]*/);
|
||||
|
||||
for ( i in plugins )
|
||||
Software::found(rec$id, Software::parse(plugins[i], rec$id$orig_h, BROWSER_PLUGIN));
|
||||
Software::found(rec$id, [$unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN]);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -23,18 +23,18 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
|
|||
if ( is_orig )
|
||||
{
|
||||
if ( name == "USER-AGENT" && ignored_user_agents !in value )
|
||||
Software::found(c$id, Software::parse(value, c$id$orig_h, BROWSER));
|
||||
Software::found(c$id, [$unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER]);
|
||||
}
|
||||
else
|
||||
{
|
||||
if ( name == "SERVER" )
|
||||
Software::found(c$id, Software::parse(value, c$id$resp_h, SERVER));
|
||||
Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER]);
|
||||
else if ( name == "X-POWERED-BY" )
|
||||
Software::found(c$id, Software::parse(value, c$id$resp_h, APPSERVER));
|
||||
Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER]);
|
||||
else if ( name == "MICROSOFTSHAREPOINTTEAMSERVICES" )
|
||||
{
|
||||
value = cat("SharePoint/", value);
|
||||
Software::found(c$id, Software::parse(value, c$id$resp_h, APPSERVER));
|
||||
Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -75,8 +75,7 @@ event log_smtp(rec: Info)
|
|||
if ( addr_matches_host(rec$id$orig_h,
|
||||
detect_clients_in_messages_from) )
|
||||
{
|
||||
local s = Software::parse(rec$user_agent, client_ip, s_type);
|
||||
Software::found(rec$id, s);
|
||||
Software::found(rec$id, [$unparsed_version=rec$user_agent, $host=client_ip, $software_type=s_type]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -18,14 +18,12 @@ event ssh_client_version(c: connection, version: string) &priority=4
|
|||
{
|
||||
# Get rid of the protocol information when passing to the software framework.
|
||||
local cleaned_version = sub(version, /^SSH[0-9\.\-]+/, "");
|
||||
local si = Software::parse(cleaned_version, c$id$orig_h, CLIENT);
|
||||
Software::found(c$id, si);
|
||||
Software::found(c$id, [$unparsed_version=cleaned_version, $host=c$id$orig_h, $software_type=CLIENT]);
|
||||
}
|
||||
|
||||
event ssh_server_version(c: connection, version: string) &priority=4
|
||||
{
|
||||
# Get rid of the protocol information when passing to the software framework.
|
||||
local cleaned_version = sub(version, /SSH[0-9\.\-]{2,}/, "");
|
||||
local si = Software::parse(cleaned_version, c$id$resp_h, SERVER);
|
||||
Software::found(c$id, si);
|
||||
Software::found(c$id, [$unparsed_version=cleaned_version, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER]);
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue