Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

add starttls support for pop3

Browse source
This commit is contained in:
Bernhard Amann 2014-05-15 10:25:21 -07:00
parent 6bc914458b
commit 388b8f92ec
7 changed files with 78 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

38
src/analyzer/protocol/pop3/POP3.cc
View file

@ -13,6 +13,7 @@
#include "POP3.h" #include "POP3.h"
#include "Event.h" #include "Event.h"
#include "Reporter.h" #include "Reporter.h"
#include "analyzer/Manager.h"
#include "analyzer/protocol/login/NVT.h" #include "analyzer/protocol/login/NVT.h"
#include "events.bif.h" #include "events.bif.h"
@ -41,15 +42,18 @@ POP3_Analyzer::POP3_Analyzer(Connection* conn)
waitingForAuthentication = false; waitingForAuthentication = false;
requestForMultiLine = false; requestForMultiLine = false;
multiLine = false; multiLine = false;
backOff = false; tls = false;
lastRequiredCommand = 0; lastRequiredCommand = 0;
authLines = 0; authLines = 0;
mail = 0; mail = 0;
AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, true)); cl_orig = new tcp::ContentLine_Analyzer(conn, true);
AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, false)); AddSupportAnalyzer(cl_orig);
cl_resp = new tcp::ContentLine_Analyzer(conn, false);
AddSupportAnalyzer(cl_resp);
} }
POP3_Analyzer::~POP3_Analyzer() POP3_Analyzer::~POP3_Analyzer()
@ -69,7 +73,13 @@ void POP3_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
{ {
tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig); tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, orig);
if ( (TCP() && TCP()->IsPartial()) || backOff ) if ( tls )
{
ForwardStream(len, data, orig);
return;
}
if ( (TCP() && TCP()->IsPartial()) )
return; return;
BroString terminated_string(data, len, 1); BroString terminated_string(data, len, 1);
@ -717,8 +727,8 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
break; break;
case STLS: case STLS:
backOff = true; tls = true;
POP3Event(pop3_terminate, false, "Terminating due to TLS"); StartTLS();
return; return;
case QUIT: case QUIT:
@ -804,6 +814,22 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
} }
} }
void POP3_Analyzer::StartTLS()
{
// STARTTLS was succesful. Remove support analyzers, add SSL
// analyzer and throw event signifying the change.
RemoveSupportAnalyzer(cl_orig);
RemoveSupportAnalyzer(cl_resp);
Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
if ( ssl )
AddChildAnalyzer(ssl);
val_list* vl = new val_list;
vl->append(BuildConnVal());
ConnectionEvent(pop3_starttls, vl);
}
void POP3_Analyzer::AuthSuccessfull() void POP3_Analyzer::AuthSuccessfull()
{ {
if ( user.size() ) if ( user.size() )

6
src/analyzer/protocol/pop3/POP3.h
View file

@ -10,6 +10,7 @@
#include <algorithm> #include <algorithm>
#include "analyzer/protocol/tcp/TCP.h" #include "analyzer/protocol/tcp/TCP.h"
#include "analyzer/protocol/tcp/ContentLine.h"
#include "analyzer/protocol/login/NVT.h" #include "analyzer/protocol/login/NVT.h"
#include "analyzer/protocol/mime/MIME.h" #include "analyzer/protocol/mime/MIME.h"
@ -97,6 +98,7 @@ protected:
void BeginData(); void BeginData();
void ProcessData(int length, const char* line); void ProcessData(int length, const char* line);
void EndData(); void EndData();
void StartTLS();
vector<string> TokenizeLine(const string input, const char split); vector<string> TokenizeLine(const string input, const char split);
int ParseCmd(string cmd); int ParseCmd(string cmd);
@ -108,7 +110,9 @@ protected:
list<string> cmds; list<string> cmds;
private: private:
bool backOff; bool tls;
tcp::ContentLine_Analyzer* cl_orig;
tcp::ContentLine_Analyzer* cl_resp;
}; };
} } // namespace analyzer::* } } // namespace analyzer::*

9
src/analyzer/protocol/pop3/events.bif
View file

@ -106,21 +106,14 @@ event pop3_unexpected%(c: connection, is_orig: bool,
## ##
## c: The connection. ## c: The connection.
## ##
## is_orig: Always false.
##
## msg: A descriptive message why processing was stopped.
##
## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request ## .. bro:see:: pop3_data pop3_login_failure pop3_login_success pop3_reply pop3_request
## pop3_unexpected ## pop3_unexpected
## ##
## .. note:: Currently, only the ``STARTLS`` command is recognized and
## triggers this.
##
## .. todo:: Bro's current default configuration does not activate the protocol ## .. todo:: Bro's current default configuration does not activate the protocol
## analyzer that generates this event; the corresponding script has not yet ## analyzer that generates this event; the corresponding script has not yet
## been ported to Bro 2.x. To still enable this event, one needs to ## been ported to Bro 2.x. To still enable this event, one needs to
## register a port for it or add a DPD payload signature. ## register a port for it or add a DPD payload signature.
event pop3_terminate%(c: connection, is_orig: bool, msg: string%); event pop3_starttls%(c: connection%);
## Generated for successful authentications on POP3 connections. ## Generated for successful authentications on POP3 connections.
## ##

10
testing/btest/Baseline/scripts.base.protocols.pop3.starttls/ssl.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssl
#open 2014-05-15-17-23-07
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string string string bool vector[string] vector[string] string string string string
1400173552.424910 CXWv6p3arKYeMETxOg 192.168.4.149 54775 192.168.4.149 110 TLSv12 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - - - - T FEdAw24VSam39HNlY5 (empty) emailAddress=postmaster@lilawelt.de,CN=chimaera.lilawelt.de,OU=Servers,O=Lilawelt,L=Munich,C=DE emailAddress=postmaster@lilawelt.de,CN=Lilawelt,OU=Lilawelt CA,O=Lilawelt,L=Munich,C=DE - -
#close 2014-05-15-17-23-07

10
testing/btest/Baseline/scripts.base.protocols.pop3.starttls/x509.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path x509
#open 2014-05-15-17-23-07
#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len
#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count
1400173552.426860 FEdAw24VSam39HNlY5 3 01 emailAddress=postmaster@lilawelt.de,CN=chimaera.lilawelt.de,OU=Servers,O=Lilawelt,L=Munich,C=DE emailAddress=postmaster@lilawelt.de,CN=Lilawelt,OU=Lilawelt CA,O=Lilawelt,L=Munich,C=DE 1178385788.000000 1493745788.000000 rsaEncryption md5WithRSAEncryption rsa 2048 65537 - - - - - F -
#close 2014-05-15-17-23-07

BIN
testing/btest/Traces/tls/pop3-starttls.pcap Normal file
View file

Binary file not shown.

20
testing/btest/scripts/base/protocols/pop3/starttls.bro Normal file
View file

@ -0,0 +1,20 @@
# @TEST-EXEC: bro -C -b -r $TRACES/tls/pop3-starttls.pcap %INPUT
# @TEST-EXEC: btest-diff ssl.log
# @TEST-EXEC: btest-diff x509.log
@load base/protocols/conn
@load base/protocols/ssl
module POP3;
const ports = {
110/tcp
};
redef likely_server_ports += { ports };
event bro_init() &priority=5
{
Analyzer::register_for_ports(Analyzer::ANALYZER_POP3, ports);
}