Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-16 13:38:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Clean up formatting.

Browse source
This commit is contained in:
Vlad Grigorescu 2015-02-05 14:21:34 -05:00
parent aea0ae453e
commit 444ff240bd
7 changed files with 47 additions and 59 deletions
Download patch file Download diff file Expand all files Collapse all files

10
scripts/base/protocols/krb/files.bro
View file

@ -10,14 +10,14 @@ export {
# Client certificate # Client certificate
client_cert: Files::Info &optional; client_cert: Files::Info &optional;
# Subject of client certificate, if any # Subject of client certificate, if any
client_cert_subject:string &log &optional; client_cert_subject: string &log &optional;
# File unique ID of client cert, if any # File unique ID of client cert, if any
client_cert_fuid: string &log &optional; client_cert_fuid: string &log &optional;
# Server certificate # Server certificate
server_cert: Files::Info &optional; server_cert: Files::Info &optional;
# Subject of server certificate, if any # Subject of server certificate, if any
server_cert_subject:string &log &optional; server_cert_subject: string &log &optional;
# File unique ID of server cert, if any # File unique ID of server cert, if any
server_cert_fuid: string &log &optional; server_cert_fuid: string &log &optional;
}; };
@ -58,8 +58,8 @@ function describe_file(f: fa_file): string
} }
return cat("Serial: ", f$info$x509$certificate$serial, " Subject: ", return cat("Serial: ", f$info$x509$certificate$serial, " Subject: ",
f$info$x509$certificate$subject, " Issuer: ", f$info$x509$certificate$subject, " Issuer: ",
f$info$x509$certificate$issuer); f$info$x509$certificate$issuer);
} }
event bro_init() &priority=5 event bro_init() &priority=5
@ -103,7 +103,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
c$krb = info; c$krb = info;
Files::add_analyzer(f, Files::ANALYZER_X509); Files::add_analyzer(f, Files::ANALYZER_X509);
# always calculate hashes. They are not necessary for base scripts # Always calculate hashes. They are not necessary for base scripts
# but very useful for identification, and required for policy scripts # but very useful for identification, and required for policy scripts
Files::add_analyzer(f, Files::ANALYZER_MD5); Files::add_analyzer(f, Files::ANALYZER_MD5);
Files::add_analyzer(f, Files::ANALYZER_SHA1); Files::add_analyzer(f, Files::ANALYZER_SHA1);

33
scripts/base/protocols/krb/main.bro
View file

@ -58,7 +58,7 @@ export {
# log NEEDED_PREAUTH. # log NEEDED_PREAUTH.
"NEEDED_PREAUTH", "NEEDED_PREAUTH",
# This is a more specific version of NEEDED_PREAUTH that's used # This is a more specific version of NEEDED_PREAUTH that's used
# by Winodws AD Kerberos. # by Windows AD Kerberos.
"Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ", "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ",
} &redef; } &redef;
@ -82,8 +82,7 @@ event krb_error(c: connection, msg: Error_Msg) &priority=5
if ( msg?$error_text && msg$error_text in ignored_errors ) if ( msg?$error_text && msg$error_text in ignored_errors )
{ {
if ( c?$krb ) if ( c?$krb ) delete c$krb;
delete c$krb;
return; return;
} }
@ -100,23 +99,17 @@ event krb_error(c: connection, msg: Error_Msg) &priority=5
info$id = c$id; info$id = c$id;
} }
if ( ! info?$client ) if ( ! info?$client && ( msg?$client_name || msg?$client_realm ) )
if ( msg?$client_name || msg?$client_realm ) info$client = fmt("%s%s", msg?$client_name ? msg$client_name + "/" : "",
info$client = fmt("%s%s", msg?$client_name ? msg$client_name + "/" : "", msg?$client_realm ? msg$client_realm : "");
msg?$client_realm ? msg$client_realm : "");
info$service = msg$service_name; info$service = msg$service_name;
info$result = "failed"; info$result = "failed";
info$error_code = msg$error_code; info$error_code = msg$error_code;
if ( msg?$error_text ) if ( msg?$error_text ) info$error_msg = msg$error_text;
info$error_msg = msg$error_text; else if ( msg$error_code in error_msg ) info$error_msg = error_msg[msg$error_code];
else
{
if ( msg$error_code in error_msg )
info$error_msg = error_msg[msg$error_code];
}
c$krb = info; c$krb = info;
} }
@ -158,15 +151,13 @@ event krb_as_request(c: connection, msg: KDC_Request) &priority=5
{ {
if ( msg$host_addrs[i]?$ip ) if ( msg$host_addrs[i]?$ip )
{ {
if ( ! info?$network_addrs ) if ( ! info?$network_addrs ) info$network_addrs = vector();
info$network_addrs = vector();
info$network_addrs[|info$network_addrs|] = msg$host_addrs[i]$ip; info$network_addrs[|info$network_addrs|] = msg$host_addrs[i]$ip;
} }
if ( msg$host_addrs[i]?$netbios ) if ( msg$host_addrs[i]?$netbios )
{ {
if ( ! info?$netbios_addrs ) if ( ! info?$netbios_addrs ) info$netbios_addrs = vector();
info$netbios_addrs = vector();
info$netbios_addrs[|info$netbios_addrs|] = msg$host_addrs[i]$netbios; info$netbios_addrs[|info$netbios_addrs|] = msg$host_addrs[i]$netbios;
} }
} }
@ -191,8 +182,7 @@ event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5
info$uid = c$uid; info$uid = c$uid;
info$id = c$id; info$id = c$id;
info$service = msg$service_name; info$service = msg$service_name;
if ( msg?$from ) if ( msg?$from ) info$from = msg$from;
info$from = msg$from;
info$till = msg$till; info$till = msg$till;
c$krb = info; c$krb = info;
@ -205,7 +195,7 @@ event krb_as_response(c: connection, msg: KDC_Response) &priority=5
if ( c?$krb && c$krb$logged ) if ( c?$krb && c$krb$logged )
return; return;
if ( c?$krb ) if ( c?$krb )
info = c$krb; info = c$krb;
if ( ! info?$ts ) if ( ! info?$ts )
@ -226,7 +216,6 @@ event krb_as_response(c: connection, msg: KDC_Response) &priority=5
event krb_as_response(c: connection, msg: KDC_Response) &priority=-5 event krb_as_response(c: connection, msg: KDC_Response) &priority=-5
{ {
Log::write(KRB::LOG, c$krb); Log::write(KRB::LOG, c$krb);
c$krb$logged = T; c$krb$logged = T;
} }

1
src/analyzer/protocol/krb/events.bif
View file

@ -157,4 +157,3 @@ event krb_cred%(c: connection, is_orig: bool, tickets: KRB::Ticket_Vector%);
## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response ## .. bro:see:: krb_as_request krb_as_response krb_tgs_request krb_tgs_response
## krb_ap_request krb_ap_response krb_priv krb_safe krb_cred ## krb_ap_request krb_ap_response krb_priv krb_safe krb_cred
event krb_error%(c: connection, msg: KRB::Error_Msg%); event krb_error%(c: connection, msg: KRB::Error_Msg%);

28
src/analyzer/protocol/krb/krb-asn1.pac
View file

@ -68,14 +68,14 @@ type ASN1Encoding = record {
}; };
type ASN1EncodingMeta = record { type ASN1EncodingMeta = record {
tag: uint8; tag : uint8;
len: uint8; len : uint8;
more_len: bytestring &length = long_len ? (len & 0x7f) : 0; more_len: bytestring &length = long_len ? (len & 0x7f) : 0;
} &let { } &let {
long_len: bool = (len & 0x80) > 0; long_len : bool = (len & 0x80) > 0;
length: uint64 = long_len ? binary_to_int64(more_len) : len; length : uint64 = long_len ? binary_to_int64(more_len) : len;
has_index: bool = (tag >= ASN1_INDEX_TAG_OFFSET); has_index : bool = (tag >= ASN1_INDEX_TAG_OFFSET);
index: uint8 = tag - ASN1_INDEX_TAG_OFFSET; index : uint8 = tag - ASN1_INDEX_TAG_OFFSET;
}; };
type ASN1OptionalEncodingMeta(is_present: bool, previous_metadata: ASN1EncodingMeta) = case is_present of { type ASN1OptionalEncodingMeta(is_present: bool, previous_metadata: ASN1EncodingMeta) = case is_present of {
@ -94,19 +94,19 @@ type ASN1OctetString = record {
}; };
type SequenceElement(grab_content: bool) = record { type SequenceElement(grab_content: bool) = record {
index_meta: ASN1EncodingMeta; index_meta : ASN1EncodingMeta;
have_content: case grab_content of { have_content : case grab_content of {
true -> data: ASN1Encoding; true -> data: ASN1Encoding;
false -> meta: ASN1EncodingMeta; false -> meta: ASN1EncodingMeta;
}; };
} &let { } &let {
index: uint8 = index_meta.index; index : uint8 = index_meta.index;
length: uint64 = index_meta.length; length : uint64 = index_meta.length;
}; };
type Array = record { type Array = record {
array_meta: ASN1EncodingMeta; array_meta : ASN1EncodingMeta;
data: ASN1Encoding[]; data : ASN1Encoding[];
}; };
function binary_to_int64(bs: bytestring): int64 function binary_to_int64(bs: bytestring): int64

10
src/analyzer/protocol/krb/krb-defs.pac
View file

@ -14,11 +14,11 @@ enum KRBMessageTypes {
# Defined by IANA in Kerberos Parameters - Pre-authentication and Typed Data # Defined by IANA in Kerberos Parameters - Pre-authentication and Typed Data
enum KRBPADataTypes { enum KRBPADataTypes {
PA_TGS_REQ = 1, PA_TGS_REQ = 1,
PA_ENC_TIMESTAMP = 2, PA_ENC_TIMESTAMP = 2,
PA_PW_SALT = 3, PA_PW_SALT = 3,
PA_PW_AS_REQ = 16, PA_PW_AS_REQ = 16,
PA_PW_AS_REP = 17, PA_PW_AS_REP = 17,
}; };
# Defined in RFC 4120 # Defined in RFC 4120

8
src/analyzer/protocol/krb/krb-padata.pac
View file

@ -127,14 +127,14 @@ type KRB_PA_Data_Optional(is_orig: bool, pkt_type: uint8, desired_index: uint8)
# #
# Note: Split off due to a BinPAC bug # Note: Split off due to a BinPAC bug
type KRB_PA_Data_Optional_Contents(is_orig: bool, is_present: bool, pkt_type: uint8, length: uint64) = case is_present of { type KRB_PA_Data_Optional_Contents(is_orig: bool, is_present: bool, pkt_type: uint8, length: uint64) = case is_present of {
true -> padata: KRB_PA_Data_Sequence(is_orig, pkt_type) &length=length; true -> padata : KRB_PA_Data_Sequence(is_orig, pkt_type) &length=length;
false -> none: empty; false -> none : empty;
}; };
# This is our main type # This is our main type
type KRB_PA_Data_Sequence(is_orig: bool, pkt_type: uint8) = record { type KRB_PA_Data_Sequence(is_orig: bool, pkt_type: uint8) = record {
meta : ASN1EncodingMeta; meta : ASN1EncodingMeta;
data : KRB_PA_Data_Container(is_orig, pkt_type, meta.tag, meta.length); data : KRB_PA_Data_Container(is_orig, pkt_type, meta.tag, meta.length);
}; };
# The data in KRB_PA_Data_Sequence is usually (and supposed to be) a sequence, which we'll parse, # The data in KRB_PA_Data_Sequence is usually (and supposed to be) a sequence, which we'll parse,

16
src/analyzer/protocol/krb/krb-protocol.pac
View file

@ -75,15 +75,15 @@ type KRB_REQ_Arg_Data(index: uint8) = case index of {
7 -> nonce : ASN1Integer; 7 -> nonce : ASN1Integer;
8 -> etype : Array; 8 -> etype : Array;
9 -> addrs : KRB_Host_Addresses; 9 -> addrs : KRB_Host_Addresses;
10 -> auth_data : ASN1OctetString; # TODO 10 -> auth_data : ASN1OctetString;
11 -> addl_tkts : KRB_Ticket_Sequence; 11 -> addl_tkts : KRB_Ticket_Sequence;
default -> unknown : bytestring &restofdata; default -> unknown : bytestring &restofdata;
}; };
type KRB_KDC_Options = record { type KRB_KDC_Options = record {
meta : ASN1EncodingMeta; meta : ASN1EncodingMeta;
pad: uint8; pad : uint8;
flags: uint32; flags : uint32;
} &let { } &let {
reserved : bool = (flags & 0x80000000) > 0; reserved : bool = (flags & 0x80000000) > 0;
forwardable : bool = (flags & 0x40000000) > 0; forwardable : bool = (flags & 0x40000000) > 0;
@ -168,8 +168,8 @@ type KRB_ERROR_Arg(is_orig: bool, error_code: int64) = record {
seq_meta: ASN1EncodingMeta; seq_meta: ASN1EncodingMeta;
args : KRB_ERROR_Arg_Data(is_orig, seq_meta.index, error_code) &length=arg_length; args : KRB_ERROR_Arg_Data(is_orig, seq_meta.index, error_code) &length=arg_length;
} &let { } &let {
process_in_parent: bool = seq_meta.index == 6; process_in_parent : bool = seq_meta.index == 6;
arg_length : uint64 = ( process_in_parent ? 0 : seq_meta.length); arg_length : uint64 = ( process_in_parent ? 0 : seq_meta.length);
}; };
type KRB_ERROR_Arg_Data(is_orig: bool, index: uint8, error_code: int64) = case index of { type KRB_ERROR_Arg_Data(is_orig: bool, index: uint8, error_code: int64) = case index of {
@ -189,8 +189,8 @@ type KRB_ERROR_Arg_Data(is_orig: bool, index: uint8, error_code: int64) = case i
}; };
type KRB_ERROR_E_Data(is_orig: bool, error_code: uint64) = case ( error_code == KDC_ERR_PREAUTH_REQUIRED ) of { type KRB_ERROR_E_Data(is_orig: bool, error_code: uint64) = case ( error_code == KDC_ERR_PREAUTH_REQUIRED ) of {
true -> padata : KRB_PA_Data_Sequence(is_orig, KRB_ERROR); true -> padata : KRB_PA_Data_Sequence(is_orig, KRB_ERROR);
false -> unknown : bytestring &restofdata; false -> unknown : bytestring &restofdata;
}; };
### KRB_SAFE ### KRB_SAFE