diff --git a/CHANGES b/CHANGES
index a3c632840c..5875df659a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,11 @@
 
+2.4-69 | 2015-07-29 09:01:00 -0700
+
+ * Updated detection of Flash and AdobeAIR. (Jan Grashoefer)
+
+ * Adding tests for Flash version parsing and browser plugin
+ detection. (Robin Sommer)
+
 2.4-63 | 2015-07-28 12:26:37 -0700
 
 * Updating submodule(s).
diff --git a/VERSION b/VERSION
index c1db379cbf..6870764192 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.4-63
+2.4-69
diff --git a/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output
index 77a9f59510..114ee1dd8d 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output
+++ b/testing/btest/Baseline/scripts.base.frameworks.software.version-parsing/output
@@ -28,6 +28,7 @@ success on: Java1.2.2-JDeveloper
 success on: Total Commander
 success on: Apple iPhone v4.3.1 Weather v1.0.0.8G4
 success on: Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (S60; SymbOS; Opera Mobi/23.348; U; en) Presto/2.5.25 Version/10.54
+success on: Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0
 success on: wu-2.4.2-academ[BETA-18-VR14](1)
 success on: Zope/(Zope 2.7.8-final, python 2.3.5, darwin) ZServer/1.1 Plone/Unknown
 success on: Java1.3.1_04
@@ -46,3 +47,4 @@ success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.11) Gecko/2010
 success on: Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2
 success on: mt2/1.2.3.967 Oct 13 2010-13:40:24 ord-pixel-x2 pid 0x35a3 13731
 success on: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
+success on: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0
diff --git a/testing/btest/Baseline/scripts.policy.protocols.http.flash-version/software.log b/testing/btest/Baseline/scripts.policy.protocols.http.flash-version/software.log
new file mode 100644
index 0000000000..d6bc067a35
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.http.flash-version/software.log
@@ -0,0 +1,12 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path software
+#open 2015-07-29-15-59-23
+#fields ts host host_p software_type name version.major version.minor version.minor2 version.minor3 version.addl unparsed_version
+#types time addr port enum string count count count count string string
+1320279616.824058 192.168.2.76 - HTTP::BROWSER AdobeAIR 2 6 - - - Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/531.9 (KHTML, like Gecko) AdobeAIR/2.6
+1320279616.824058 192.168.2.76 - HTTP::BROWSER_PLUGIN AdobeAIR-Flash 10 2 159 1 - AdobeAIR-Flash/10,2,159,1
+1320279616.907315 208.85.41.42 80 HTTP::SERVER Apache - - - - - Apache
+#close 2015-07-29-15-59-23
diff --git a/testing/btest/Traces/http/flash-version.trace b/testing/btest/Traces/http/flash-version.trace
new file mode 100644
index 0000000000..2f67eb34ed
Binary files /dev/null and b/testing/btest/Traces/http/flash-version.trace differ
diff --git a/testing/btest/scripts/base/frameworks/software/version-parsing.bro b/testing/btest/scripts/base/frameworks/software/version-parsing.bro
index 19a803cafe..f61e8a3a9e 100644
--- a/testing/btest/scripts/base/frameworks/software/version-parsing.bro
+++ b/testing/btest/scripts/base/frameworks/software/version-parsing.bro
@@ -106,6 +106,10 @@ global matched_software: table[string] of Software::Description = {
 [$name="vsFTPd", $version=[$major=2,$minor=0,$minor2=5], $unparsed_version=""],
 ["Apple Mail (2.1084)"] =
 [$name="Apple Mail", $version=[$major=2,$minor=1084], $unparsed_version=""],
+ ["Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0"] =
+ [$name="AdobeAIR", $version=[$major=1,$minor=0], $unparsed_version=""],
+ ["Mozilla/5.0 (Windows; U; en) AppleWebKit/420+ (KHTML, like Gecko) AdobeAIR/1.0"] =
+ [$name="AdobeAIR", $version=[$major=1,$minor=0], $unparsed_version=""],
 };
 
 event bro_init()
diff --git a/testing/btest/scripts/policy/protocols/http/flash-version.bro b/testing/btest/scripts/policy/protocols/http/flash-version.bro
new file mode 100644
index 0000000000..9357295c3c
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/http/flash-version.bro
@@ -0,0 +1,8 @@
+# @TEST-EXEC: bro -r ${TRACES}/http/flash-version.trace %INPUT
+# @TEST-EXEC: btest-diff software.log
+
+@load protocols/http/software
+@load protocols/http/software-browser-plugins
+
+redef Software::asset_tracking = ALL_HOSTS;
+
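Review bot: The two `matched_software` entries added here only pin the `AdobeAIR/1.0` browser user-agent form, while the new software.log baseline in the same commit also depends on the plugin string `AdobeAIR-Flash/10,2,159,1` being parsed to 10.2.159.1, and that comma-separated Flash version format has no entry in this table. If the same parser handles both (the CHANGES entry speaks of "Flash version parsing"), an entry such as `["AdobeAIR-Flash/10,2,159,1"] = [$name="AdobeAIR-Flash", $version=[$major=10,$minor=2,$minor2=159,$minor3=1], $unparsed_version=""],` would keep that parsing covered by the unit table rather than only by the trace-based test. The `matched_software` table starts before this hunk, so the parser it is fed to is not visible here.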
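Review bot: The new test script flash-version.bro carries no comment saying what it verifies, so a reader has to open the baseline to learn that it checks AdobeAIR and AdobeAIR-Flash versions being extracted from HTTP headers into software.log; a header line such as `# Verify that AdobeAIR user agents and the AdobeAIR-Flash plugin version are logged to software.log.` would make the intent explicit. The `redef Software::asset_tracking = ALL_HOSTS;` line also needs a why-comment, since it is presumably there so the client host's entries are logged although the test defines no local networks; `# Track software for every host so the client-side entries appear in software.log.` The file also ends with an added empty line that the test does not need.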