Merge remote-tracking branch 'origin/master' into topic/johanna/imap-starttls

scripts/base/protocols/conn/main.bro

@@ -47,7 +47,7 @@ export {
 		## S2           Connection established and close attempt by originator seen (but no reply from responder).
 		## S3           Connection established and close attempt by responder seen (but no reply from originator).
 		## RSTO         Connection established, originator aborted (sent a RST).
-		## RSTR         Established, responder aborted.
+		## RSTR         Responder sent a RST.
 		## RSTOS0       Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.
 		## RSTRH        Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.
 		## SH           Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open).
@@ -87,7 +87,8 @@ export {
 		## f       packet with FIN bit set
 		## r       packet with RST bit set
 		## c       packet with a bad checksum
-		## i       inconsistent packet (e.g. SYN+RST bits both set)
+		## i       inconsistent packet (e.g. FIN+RST bits set)
+		## q       multi-flag packet (SYN+FIN or SYN+RST bits set)
 		## ======  ====================================================
 		##
 		## If the event comes from the originator, the letter is in

scripts/base/protocols/dns/consts.bro

@@ -26,6 +26,7 @@ export {
 		[49] = "DHCID", [99] = "SPF", [100] = "DINFO", [101] = "UID",
 		[102] = "GID", [103] = "UNSPEC", [249] = "TKEY", [250] = "TSIG",
 		[251] = "IXFR", [252] = "AXFR", [253] = "MAILB", [254] = "MAILA",
+		[257] = "CAA",
 		[32768] = "TA", [32769] = "DLV",
 		[ANY] = "*",
 	} &default = function(n: count): string { return fmt("query-%d", n); };

scripts/base/protocols/ftp/main.bro

@@ -213,7 +213,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 		#       on a different file could be checked, but the file size will
 		#       be overwritten by the server response to the RETR command
 		#       if that's given as well which would be more correct.
-		c$ftp$file_size = extract_count(msg);
+		c$ftp$file_size = extract_count(msg, F);
 		}
 
 	# PASV and EPSV processing

scripts/base/protocols/http/main.bro

@@ -41,6 +41,8 @@ export {
 		## misspelled like the standard declares, but the name used here
 		## is "referrer" spelled correctly.
 		referrer:                string    &log &optional;
+		## Value of the version portion of the request.
+		version:		string	   &log &optional;
 		## Value of the User-Agent header from the client.
 		user_agent:              string    &log &optional;
 		## Actual uncompressed content size of the data transferred from
@@ -222,6 +224,8 @@ event http_reply(c: connection, version: string, code: count, reason: string) &p
 
 	c$http$status_code = code;
 	c$http$status_msg = reason;
+	c$http$version = version;
+
 	if ( code_in_range(code, 100, 199) )
 		{
 		c$http$info_code = code;
@@ -270,7 +274,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 			{
 			if ( /^[bB][aA][sS][iI][cC] / in value )
 				{
-				local userpass = decode_base64(sub(value, /[bB][aA][sS][iI][cC][[:blank:]]/, ""));
+				local userpass = decode_base64_conn(c$id, sub(value, /[bB][aA][sS][iI][cC][[:blank:]]/, ""));
 				local up = split_string(userpass, /:/);
 				if ( |up| >= 2 )
 					{

scripts/base/protocols/rfb/README

@@ -0,0 +1 @@
+Support for Remote FrameBuffer analysis.  This includes all VNC servers.

scripts/base/protocols/rfb/__load__.bro

@@ -0,0 +1,3 @@
+# Generated by binpac_quickstart
+@load ./main
+@load-sigs ./dpd.sig

scripts/base/protocols/rfb/dpd.sig

@@ -0,0 +1,12 @@
+signature dpd_rfb_server {
+	ip-proto == tcp
+	payload /^RFB/
+	requires-reverse-signature dpd_rfb_client
+	enable "rfb"
+}
+
+signature dpd_rfb_client {
+	ip-proto == tcp
+	payload /^RFB/
+	tcp-state originator
+}

scripts/base/protocols/rfb/main.bro

@@ -0,0 +1,164 @@
+module RFB;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		## Timestamp for when the event happened.
+		ts:     time    &log;
+		## Unique ID for the connection.
+		uid:    string  &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id:     conn_id &log;
+
+		## Major version of the client.
+		client_major_version: string &log &optional;
+		## Minor version of the client.
+		client_minor_version: string &log &optional;
+		## Major version of the server.
+		server_major_version: string &log &optional;
+		## Major version of the client.
+		server_minor_version: string &log &optional;
+
+		## Identifier of authentication method used.
+		authentication_method: string &log &optional;
+		## Whether or not authentication was succesful.
+		auth: bool &log &optional;
+
+		## Whether the client has an exclusive or a shared session.
+		share_flag: bool &log &optional;
+		## Name of the screen that is being shared.
+		desktop_name: string &log &optional;
+		## Width of the screen that is being shared.
+		width: count &log &optional;
+		## Height of the screen that is being shared.
+		height: count &log &optional;
+
+		## Internally used value to determine if this connection
+		## has already been logged.
+		done: bool  &default=F;
+	};
+
+	global log_rfb: event(rec: Info);
+}
+
+function friendly_auth_name(auth: count): string
+	{
+	switch (auth) {
+		case 0:
+			return "Invalid";
+		case 1:
+			return "None";
+		case 2:
+			return "VNC";
+		case 16:
+			return "Tight";
+		case 17:
+			return "Ultra";
+		case 18:
+			return "TLS";
+		case 19:
+			return "VeNCrypt";
+		case 20:
+			return "GTK-VNC SASL";
+		case 21:
+			return "MD5 hash authentication";
+		case 22:
+			return "Colin Dean xvp";
+		case 30:
+			return "Apple Remote Desktop";
+	}
+	return "RealVNC";
+}
+
+redef record connection += {
+	rfb: Info &optional;
+};
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(RFB::LOG, [$columns=Info, $ev=log_rfb, $path="rfb"]);
+	}
+
+function write_log(c:connection)
+	{
+	local state = c$rfb;
+	if ( state$done )
+		{
+		return;
+		}
+
+	Log::write(RFB::LOG, c$rfb);
+	c$rfb$done = T;
+	}
+
+function set_session(c: connection)
+	{
+	if ( ! c?$rfb )
+		{
+		local info: Info;
+		info$ts  = network_time();
+		info$uid = c$uid;
+		info$id  = c$id;
+
+		c$rfb = info;
+		}
+	}
+
+event rfb_event(c: connection) &priority=5
+	{
+	set_session(c);
+	}
+
+event rfb_client_version(c: connection, major_version: string, minor_version: string) &priority=5
+	{
+	set_session(c);
+	c$rfb$client_major_version = major_version;
+	c$rfb$client_minor_version = minor_version;
+	}
+
+event rfb_server_version(c: connection, major_version: string, minor_version: string) &priority=5
+	{
+	set_session(c);
+	c$rfb$server_major_version = major_version;
+	c$rfb$server_minor_version = minor_version;
+	}
+
+event rfb_authentication_type(c: connection, authtype: count) &priority=5
+	{
+	set_session(c);
+
+	c$rfb$authentication_method = friendly_auth_name(authtype);
+	}
+
+event rfb_server_parameters(c: connection, name: string, width: count, height: count) &priority=5
+	{
+	set_session(c);
+
+	c$rfb$desktop_name = name;
+	c$rfb$width = width;
+	c$rfb$height = height;
+	}
+
+event rfb_server_parameters(c: connection, name: string, width: count, height: count) &priority=-5
+	{
+	write_log(c);
+	}
+
+event rfb_auth_result(c: connection, result: bool) &priority=5
+	{
+	c$rfb$auth = !result;
+	}
+
+event rfb_share_flag(c: connection, flag: bool) &priority=5
+	{
+	c$rfb$share_flag = flag;
+	}
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c?$rfb )
+		{
+		write_log(c);
+		}
+	}

scripts/base/protocols/sip/main.bro

@@ -60,9 +60,9 @@ export {
 		## Contents of the Warning: header
 		warning:                 string            &log &optional;
 		## Contents of the Content-Length: header from the client
-		request_body_len:        string            &log &optional;
+		request_body_len:        count             &log &optional;
 		## Contents of the Content-Length: header from the server
-		response_body_len:       string            &log &optional;
+		response_body_len:       count             &log &optional;
 		## Contents of the Content-Type: header from the server
 		content_type:            string            &log &optional;
 	};
@@ -80,7 +80,7 @@ export {
 	## that the SIP analyzer will only accept methods consisting solely
 	## of letters ``[A-Za-z]``.
 	const sip_methods: set[string] = {
-		"REGISTER", "INVITE", "ACK", "CANCEL", "BYE", "OPTIONS"
+		"REGISTER", "INVITE", "ACK", "CANCEL", "BYE", "OPTIONS", "NOTIFY", "SUBSCRIBE"
 	} &redef;
 
 	## Event that can be handled to access the SIP record as it is sent on
@@ -127,17 +127,6 @@ function set_state(c: connection, is_request: bool)
 		c$sip_state = s;
 		}
 
-	# These deal with new requests and responses.
-	if ( is_request && c$sip_state$current_request !in c$sip_state$pending )
-		c$sip_state$pending[c$sip_state$current_request] = new_sip_session(c);
-	if ( ! is_request && c$sip_state$current_response !in c$sip_state$pending )
-		c$sip_state$pending[c$sip_state$current_response] = new_sip_session(c);
-
-	if ( is_request )
-		c$sip = c$sip_state$pending[c$sip_state$current_request];
-	else
-		c$sip = c$sip_state$pending[c$sip_state$current_response];
-
 	if ( is_request )
 		{
 		if ( c$sip_state$current_request !in c$sip_state$pending )
@@ -152,7 +141,6 @@ function set_state(c: connection, is_request: bool)
 
 		c$sip = c$sip_state$pending[c$sip_state$current_response];
 		}
-
 	}
 
 function flush_pending(c: connection)
@@ -163,7 +151,9 @@ function flush_pending(c: connection)
 		for ( r in c$sip_state$pending )
 			{
 			# We don't use pending elements at index 0.
-			if ( r == 0 ) next;
+			if ( r == 0 )
+				next;
+
 			Log::write(SIP::LOG, c$sip_state$pending[r]);
 			}
 		}
@@ -205,16 +195,39 @@ event sip_header(c: connection, is_request: bool, name: string, value: string) &
 		if ( c$sip_state$current_request !in c$sip_state$pending )
 			++c$sip_state$current_request;
 		set_state(c, is_request);
-		if ( name == "CALL-ID" )                            c$sip$call_id = value;
-		else if ( name == "CONTENT-LENGTH" || name == "L" ) c$sip$request_body_len = value;
-		else if ( name == "CSEQ" )                          c$sip$seq = value;
-		else if ( name == "DATE" )                          c$sip$date = value;
-		else if ( name == "FROM" || name == "F" )           c$sip$request_from = split_string1(value, /;[ ]?tag=/)[0];
-		else if ( name == "REPLY-TO" )                      c$sip$reply_to = value;
-		else if ( name == "SUBJECT" || name == "S" )        c$sip$subject = value;
-		else if ( name == "TO" || name == "T" )             c$sip$request_to = value;
-		else if ( name == "USER-AGENT" )                    c$sip$user_agent = value;
-		else if ( name == "VIA" || name == "V" )            c$sip$request_path[|c$sip$request_path|] = split_string1(value, /;[ ]?branch/)[0];
+		switch ( name )
+			{
+			case "CALL-ID":
+				c$sip$call_id = value;
+				break;
+			case "CONTENT-LENGTH", "L":
+				c$sip$request_body_len = to_count(value);
+				break;
+			case "CSEQ":
+				c$sip$seq = value;
+				break;
+			case "DATE":
+				c$sip$date = value;
+				break;
+			case "FROM", "F":
+				c$sip$request_from = split_string1(value, /;[ ]?tag=/)[0];
+				break;
+			case "REPLY-TO":
+				c$sip$reply_to = value;
+				break;
+			case "SUBJECT", "S":
+				c$sip$subject = value;
+				break;
+			case "TO", "T":
+				c$sip$request_to = value;
+				break;
+			case "USER-AGENT":
+				c$sip$user_agent = value;
+				break;
+			case "VIA", "V":
+				c$sip$request_path[|c$sip$request_path|] = split_string1(value, /;[ ]?branch/)[0];
+				break;
+			}
 
 		c$sip_state$pending[c$sip_state$current_request] = c$sip;
 		}
@@ -222,13 +235,29 @@ event sip_header(c: connection, is_request: bool, name: string, value: string) &
 		{
 		if ( c$sip_state$current_response !in c$sip_state$pending )
 			++c$sip_state$current_response;
+
 		set_state(c, is_request);
-		if ( name == "CONTENT-LENGTH" || name == "L" )    c$sip$response_body_len = value;
-		else if ( name == "CONTENT-TYPE" || name == "C" ) c$sip$content_type = value;
-		else if ( name == "WARNING" )                     c$sip$warning = value;
-		else if ( name == "FROM" || name == "F" )         c$sip$response_from = split_string1(value, /;[ ]?tag=/)[0];
-		else if ( name == "TO" || name == "T" )           c$sip$response_to = value;
-		else if ( name == "VIA" || name == "V" )          c$sip$response_path[|c$sip$response_path|] = split_string1(value, /;[ ]?branch/)[0];
+		switch ( name )
+			{
+			case "CONTENT-LENGTH", "L":
+				c$sip$response_body_len = to_count(value);
+				break;
+			case "CONTENT-TYPE", "C":
+				c$sip$content_type = value;
+				break;
+			case "WARNING":
+				c$sip$warning = value;
+				break;
+			case "FROM", "F":
+				c$sip$response_from = split_string1(value, /;[ ]?tag=/)[0];
+				break;
+			case "TO", "T":
+				c$sip$response_to = value;
+				break;
+			case "VIA", "V":
+				c$sip$response_path[|c$sip$response_path|] = split_string1(value, /;[ ]?branch/)[0];
+				break;
+			}
 
 		c$sip_state$pending[c$sip_state$current_response] = c$sip;
 		}

scripts/base/protocols/smtp/main.bro

@@ -29,6 +29,8 @@ export {
 		from:              string          &log &optional;
 		## Contents of the To header.
 		to:                set[string]     &log &optional;
+		## Contents of the CC header.
+		cc:                set[string]     &log &optional;
 		## Contents of the ReplyTo header.
 		reply_to:          string          &log &optional;
 		## Contents of the MsgID header.
@@ -239,6 +241,16 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5
 			add c$smtp$to[to_parts[i]];
 		}
 
+	else if ( h$name == "CC" )
+		{
+		if ( ! c$smtp?$cc )
+			c$smtp$cc = set();
+
+		local cc_parts = split_string(h$value, /[[:blank:]]*,[[:blank:]]*/);
+		for ( i in cc_parts )
+			add c$smtp$cc[cc_parts[i]];
+		}
+
 	else if ( h$name == "X-ORIGINATING-IP" )
 		{
 		local addresses = extract_ip_addresses(h$value);

scripts/base/protocols/ssh/main.bro

@@ -46,11 +46,10 @@ export {
 	## authentication success or failure when compression is enabled.
 	const compression_algorithms = set("zlib", "zlib@openssh.com") &redef;
 
-	## If true, we tell the event engine to not look at further data
-	## packets after the initial SSH handshake. Helps with performance
-	## (especially with large file transfers) but precludes some
-	## kinds of analyses. Defaults to T.
-	const skip_processing_after_detection = T &redef;
+	## If true, after detection detach the SSH analyzer from the connection
+	## to prevent continuing to process encrypted traffic. Helps with performance
+	## (especially with large file transfers).
+	const disable_analyzer_after_detection = T &redef;
 
 	## Event that can be handled to access the SSH record as it is sent on
 	## to the logging framework.
@@ -70,6 +69,8 @@ redef record Info += {
 	# Store capabilities from the first host for
 	# comparison with the second (internal use)
 	capabilities: Capabilities &optional;
+	## Analzyer ID
+	analyzer_id: count         &optional;
 };
 
 redef record connection += {
@@ -130,11 +131,8 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
 
 	c$ssh$auth_success = T;
 
-	if ( skip_processing_after_detection)
-		{
-		skip_further_processing(c$id);
-		set_record_packets(c$id, F);
-		}
+	if ( disable_analyzer_after_detection )
+		disable_analyzer(c$id, c$ssh$analyzer_id);
 	}
 
 event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5
@@ -179,7 +177,7 @@ function find_bidirectional_alg(client_prefs: Algorithm_Prefs, server_prefs: Alg
 	# Usually these are the same, but if they're not, return the details
 	return c_to_s == s_to_c ? c_to_s : fmt("To server: %s, to client: %s", c_to_s, s_to_c);
 	}
-	
+
 event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities)
 	{
 	if ( !c?$ssh || ( c$ssh?$capabilities && c$ssh$capabilities$is_server == capabilities$is_server ) )
@@ -233,3 +231,12 @@ event ssh2_server_host_key(c: connection, key: string) &priority=5
 	{
 	generate_fingerprint(c, key);
 	}
+
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
+	{
+		if ( atype == Analyzer::ANALYZER_SSH )
+		{
+		set_session(c);
+		c$ssh$analyzer_id = aid;
+		}
+	}

scripts/base/protocols/ssl/consts.bro

@@ -109,7 +109,7 @@ export {
 		[7] = "client_authz",
 		[8] = "server_authz",
 		[9] = "cert_type",
-		[10] = "elliptic_curves",
+		[10] = "elliptic_curves", # new name: supported_groups - draft-ietf-tls-negotiated-ff-dhe
 		[11] = "ec_point_formats",
 		[12] = "srp",
 		[13] = "signature_algorithms",
@@ -120,9 +120,10 @@ export {
 		[18] = "signed_certificate_timestamp",
 		[19] = "client_certificate_type",
 		[20] = "server_certificate_type",
-		[21] = "padding", # temporary till 2016-03-12
+		[21] = "padding",
 		[22] = "encrypt_then_mac",
 		[23] = "extended_master_secret",
+		[24] = "token_binding", # temporary till 2017-02-04 - draft-ietf-tokbind-negotiation
 		[35] = "SessionTicket TLS",
 		[40] = "extended_random",
 		[13172] = "next_protocol_negotiation",
@@ -165,7 +166,10 @@ export {
 		[26] = "brainpoolP256r1",
 		[27] = "brainpoolP384r1",
 		[28] = "brainpoolP512r1",
-		# draft-ietf-tls-negotiated-ff-dhe-05
+		# Temporary till 2017-03-01 - draft-ietf-tls-rfc4492bis
+		[29] = "ecdh_x25519",
+		[30] = "ecdh_x448",
+		# draft-ietf-tls-negotiated-ff-dhe-10
 		[256] = "ffdhe2048",
 		[257] = "ffdhe3072",
 		[258] = "ffdhe4096",

scripts/base/protocols/ssl/dpd.sig

@@ -1,7 +1,7 @@
 signature dpd_ssl_server {
   ip-proto == tcp
   # Server hello.
-  payload /^(\x16\x03[\x00\x01\x02\x03]..\x02...\x03[\x00\x01\x02\x03]|...?\x04..\x00\x02).*/
+  payload /^((\x15\x03[\x00\x01\x02\x03]....)?\x16\x03[\x00\x01\x02\x03]..\x02...\x03[\x00\x01\x02\x03]|...?\x04..\x00\x02).*/
   requires-reverse-signature dpd_ssl_client
   enable "ssl"
   tcp-state responder

scripts/base/protocols/tunnels/dpd.sig

@@ -9,6 +9,6 @@ signature dpd_ayiya {
 
 signature dpd_teredo {
   ip-proto = udp
-  payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f])/
+  payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f].{7}((\x20\x01\x00\x00)).{28})|([\x60-\x6f].{23}((\x20\x01\x00\x00))).{12}/
   enable "teredo"
 }