From 5a8eac521ce01a81b6e2cf13a241433670d31265 Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Wed, 29 Jul 2015 11:47:59 -0700
Subject: [PATCH] StartTLS support for IRC
---
 src/analyzer/protocol/irc/IRC.cc | 41 ++++++++++++++++--
 src/analyzer/protocol/irc/IRC.h | 6 +++
 src/analyzer/protocol/irc/events.bif | 7 +++
 .../conn.log | 10 +++++
 .../ssl.log | 10 +++++
 .../x509.log | 10 +++++
 testing/btest/Traces/tls/irc-starttls.pcap | Bin 0 -> 4512 bytes
 .../scripts/base/protocols/irc/starttls.test | 9 ++++
 8 files changed, 90 insertions(+), 3 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.irc.starttls/conn.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.irc.starttls/ssl.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.irc.starttls/x509.log
 create mode 100644 testing/btest/Traces/tls/irc-starttls.pcap
 create mode 100644 testing/btest/scripts/base/protocols/irc/starttls.test
diff --git a/src/analyzer/protocol/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc
index d621ce2cce..238a058b15 100644
--- a/src/analyzer/protocol/irc/IRC.cc
+++ b/src/analyzer/protocol/irc/IRC.cc
@@ -2,7 +2,6 @@
 #include
 #include "IRC.h"
-#include "analyzer/protocol/tcp/ContentLine.h"
 #include "NetVar.h"
 #include "Event.h"
 #include "analyzer/protocol/zip/ZIP.h"
@@ -21,8 +20,11 @@ IRC_Analyzer::IRC_Analyzer(Connection* conn)
 resp_status = WAIT_FOR_REGISTRATION;
 orig_zip_status = NO_ZIP;
 resp_zip_status = NO_ZIP;
- AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, true));
- AddSupportAnalyzer(new tcp::ContentLine_Analyzer(conn, false));
+ starttls = false;
+ cl_orig = new tcp::ContentLine_Analyzer(conn, true);
+ AddSupportAnalyzer(cl_orig);
+ cl_resp = new tcp::ContentLine_Analyzer(conn, false);
+ AddSupportAnalyzer(cl_resp);
 }
 void IRC_Analyzer::Done()
@@ -34,6 +36,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 {
 tcp::TCP_ApplicationAnalyzer::DeliverStream(length, line, orig);
+ if ( starttls )
+ {
+ ForwardStream(length, line, orig);
+ return;
+ }
+
 // check line size
 if ( length > 512 )
 {
@@ -98,6 +106,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 }
 else
 { // get command
+ // special case that has no arguments
+ if ( myline == "STARTTLS" )
+ return;
+
 unsigned int pos = myline.find(' ');
 if ( pos > (unsigned int) length )
 {
@@ -556,6 +568,10 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 }
 break;
+ case 670:
+ // StartTLS success reply to StartTLS
+ StartTLS();
+
 // All other server replies.
 default:
 val_list* vl = new val_list;
@@ -1169,6 +1185,25 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 return;
 }
+void IRC_Analyzer::StartTLS()
+ {
+ // STARTTLS was succesful. Remove support analyzers, add SSL
+ // analyzer, and throw event signifying the change.
+ starttls = true;
+
+ RemoveSupportAnalyzer(cl_orig);
+ RemoveSupportAnalyzer(cl_resp);
+
+ Analyzer* ssl = analyzer_mgr->InstantiateAnalyzer("SSL", Conn());
+ if ( ssl )
+ AddChildAnalyzer(ssl);
+
+ val_list* vl = new val_list;
+ vl->append(BuildConnVal());
+
+ ConnectionEvent(irc_starttls, vl);
+ }
+
 vector IRC_Analyzer::SplitWords(const string input, const char split)
 {
 vector words;
diff --git a/src/analyzer/protocol/irc/IRC.h b/src/analyzer/protocol/irc/IRC.h
index bce9cdf054..82a97a4d4d 100644
--- a/src/analyzer/protocol/irc/IRC.h
+++ b/src/analyzer/protocol/irc/IRC.h
@@ -3,6 +3,7 @@
 #ifndef ANALYZER_PROTOCOL_IRC_IRC_H
 #define ANALYZER_PROTOCOL_IRC_IRC_H
 #include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
 namespace analyzer { namespace irc {
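Review bot: Once `starttls` is set, every later delivery is handed to `ForwardStream()` and the IRC parser is skipped, but StartTLS() flips that flag before it knows whether `InstantiateAnalyzer("SSL", Conn())` succeeded, so when no SSL analyzer is available the forwarded bytes have no child to receive them and the connection simply goes quiet with neither IRC nor SSL events. If that is the intended trade-off (better than parsing ciphertext as IRC lines), say so here, e.g. `// After STARTTLS the stream is opaque to this analyzer: hand it to the SSL child, if one was attached, and stop line parsing.`; otherwise set the flag only after a child was attached. DeliverStream starts and ends outside the hunk.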
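Review bot: The early return on `myline == "STARTTLS"` recognizes the request but records nothing, so nothing later ties the 670 reply to an actual request from the originator, and the exact-case comparison misses lowercase or mixed-case forms that IRC servers commonly accept (whether this branch also runs for responder lines is not visible in the hunk). Consider remembering the request before returning, e.g. `starttls_requested = orig;` (a new flag; name illustrative), and comparing the command case-insensitively. The enclosing DeliverStream starts and ends outside the hunk.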
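Review bot: `case 670:` falls through into `default:` after `StartTLS()`, so the 670 line still takes the generic reply path below even though the analyzer has already been switched over; if that is deliberate it needs a `// fall through` comment, and if not a `break;`, because as written it reads like an accidental omission. Separately, the switch to TLS is driven solely by this numeric reply from the responder: nothing checks that the originator sent STARTTLS first, so a peer that emits 670 unprompted detaches the IRC analyzer for the rest of the connection; gating `StartTLS()` on a recorded request keeps the state machine honest. The switch statement begins and ends outside the hunk.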
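Review bot: After `RemoveSupportAnalyzer(cl_orig)` and `RemoveSupportAnalyzer(cl_resp)` the two members keep pointing at analyzers this object has given up, and nothing in the hunk resets them; `cl_orig = cl_resp = nullptr;` right after the removals would make any later use (Done() is outside this view) fail loudly instead of touching freed memory. `starttls = true` is also assigned before the `if ( ssl )` check, so a missing SSL analyzer still silences IRC parsing; either document that choice in the header comment (which also misspells "succesful") or move the assignment under the successful attach. Whether removal is immediate or deferred inside RemoveSupportAnalyzer is not visible here, so the dangling-pointer risk is inferred from the raw pointers alone.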
@@ -44,6 +45,8 @@ protected:
 int resp_zip_status;
 private:
+ void StartTLS();
+
 /** \brief counts number of invalid IRC messages */
 int invalid_msg_count;
@@ -60,6 +63,9 @@ private:
 */
 vector SplitWords(const string input, const char split);
+ tcp::ContentLine_Analyzer* cl_orig;
+ tcp::ContentLine_Analyzer* cl_resp;
+ bool starttls; // if true, connection has been upgraded to tls
 };
 } } // namespace analyzer::*
diff --git a/src/analyzer/protocol/irc/events.bif b/src/analyzer/protocol/irc/events.bif
index 4e69b9ad33..039ec9c6a7 100644
--- a/src/analyzer/protocol/irc/events.bif
+++ b/src/analyzer/protocol/irc/events.bif
@@ -797,3 +797,10 @@ event irc_user_message%(c: connection, is_orig: bool, user: string, host: string
 ## irc_nick_message irc_notice_message irc_oper_message irc_oper_response
 ## irc_part_message
 event irc_password_message%(c: connection, is_orig: bool, password: string%);
+
+## Generated if a connection switched to using TLS using STARTTLS. After this
+## event no more IRC events will be raised for the connection. See the SSL
+## analyzer for related SSL events, which will now be generated.
+##
+## c: The connection.
+event irc_starttls%(c: connection%);
diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.starttls/conn.log b/testing/btest/Baseline/scripts.base.protocols.irc.starttls/conn.log
new file mode 100644
index 0000000000..a4f9d436d6
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.irc.starttls/conn.log
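Review bot: `void StartTLS();` is added without the `/** \brief ... */` comment its neighbours carry, and the `cl_orig`/`cl_resp` pointers in the next hunk (@@ -60) say nothing about ownership even though the constructor hands them to AddSupportAnalyzer() and StartTLS() later passes them to RemoveSupportAnalyzer(). Suggested on the method: `/** \brief Switches the connection to TLS after a successful STARTTLS (670 reply): drops the line-based support analyzers, attaches an SSL child analyzer and raises irc_starttls. */`, and on the pointers: `// registered via AddSupportAnalyzer() in the ctor and detached by StartTLS(); confirm who deletes them`. The class body starts and ends outside the hunk.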
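Review bot: The sentence "After this event no more IRC events will be raised for the connection" may not hold as written: in IRC.cc `case 670:` calls StartTLS(), which raises this event, and then falls into `default:`, which appears to build one more reply event for the 670 line itself, so at least that reply is delivered after irc_starttls. Either add a `break;` on the C++ side or soften the wording to `After this event no further IRC events are raised for the connection, apart from the reply event for the 670 line that triggered it.`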
@@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2015-07-29-18-47-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +1438145937.325196 CXWv6p3arKYeMETxOg 203.143.168.47 55123 185.18.76.170 6667 tcp irc,ssl 4.923144 913 1903 SF - - 0 ShADadFRf 11 1469 9 2379 (empty) +#close 2015-07-29-18-47-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.starttls/ssl.log b/testing/btest/Baseline/scripts.base.protocols.irc.starttls/ssl.log new file mode 100644 index 0000000000..41a49a16cc --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.irc.starttls/ssl.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ssl +#open 2015-07-29-18-47-29 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer +#types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string +1438145937.994419 CXWv6p3arKYeMETxOg 203.143.168.47 55123 185.18.76.170 6667 TLSv12 TLS_RSA_WITH_AES_256_GCM_SHA384 - - F - - T Fyz2bd3loV0LDM3r95 (empty) CN=irc.joulunet.org,OU=IRCd,O=Multim,L=Pori,ST=Pori,C=FI CN=irc.joulunet.org,OU=IRCd,O=Multim,L=Pori,ST=Pori,C=FI - - +#close 2015-07-29-18-47-29 diff --git a/testing/btest/Baseline/scripts.base.protocols.irc.starttls/x509.log b/testing/btest/Baseline/scripts.base.protocols.irc.starttls/x509.log new file mode 100644 index 0000000000..957d807f9e --- /dev/null 
+++ b/testing/btest/Baseline/scripts.base.protocols.irc.starttls/x509.log @@ -0,0 +1,10 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path x509 +#open 2015-07-29-18-47-29 +#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len +#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count +1438145938.995683 Fyz2bd3loV0LDM3r95 3 F9435743EF353D9E CN=irc.joulunet.org,OU=IRCd,O=Multim,L=Pori,ST=Pori,C=FI CN=irc.joulunet.org,OU=IRCd,O=Multim,L=Pori,ST=Pori,C=FI 1436555613.000000 1751915613.000000 rsaEncryption sha256WithRSAEncryption rsa 4096 65537 - - - - - T - +#close 2015-07-29-18-47-29 
diff --git a/testing/btest/Traces/tls/irc-starttls.pcap b/testing/btest/Traces/tls/irc-starttls.pcap new file mode 100644 index 0000000000000000000000000000000000000000..77b244685f1e62ce97622867a5884f89fe4f37a5 GIT binary patch literal 4512 zcmchac|29=8^GUt?#AVEEnTv8?Xq0=W=pbVNkz7jrOlQ-V@=7L&}c-Ga7UyhB8pL3 z9EB{CVQ7;fDk{xXXpE)&-gBF#lF!V4zw`M#pL^c(zUO}?Y;*Wum@J~VHm8}Z_kjg^S3!PK zJPkbCdkQLq!(h_W;$*%b=b7Y+L21Z=rKxy zpEds08`?dJm^VoB3%rp8y-^=elQP2de56Bdi=ZbOFy=coL68oW#ROgpJsjJkgfWQ^ z7G;V{8C}=?nz_m^)RXBS91$3?+dG^Y9O}c+)nhRjt3Fx62#fIa^bQN#6%nY;@CjzP z`+B>3G4}X{`!b-N3}5%%USYoO0p1@iCaQm7@wd69&AH9>XTk!1*25TeejTG45zK1L z;xNcezyYp&8zWo@rxjz$n=Q(OG1@oy(PE(Wkx9qna4T^Dr;W#xD#3BR5rbDhJ05?1 zm2b;C>J2;F-xCD>Xx&wyZ$G1T9e|%u7OIY_pbDrcN&#m;F(?8jK>+Xve!v&#gOxxJ z=z>&`0+PW&bOp*pRZ%5W5G8^ifg#WVNvI~OhAN}-s0hjnPJ>gR5EK9(xDAYf5zqoF z02{DC9>@hJKn~n~=D-ZBLD{GVx*SzR1yBOufYm?~90#U=j0&M-lpjR^5fD&eln2m( z2%rHfN=5O20+s+_APD#YFPMk!+6?#r0S|BpoRI<&KnyH}zmh;4-qV2qpu%}ykRjnn2nkQb5fLJufFmFTJRXNf@OT7=AP63^ak!%}AQ>Fuzo)e_H?3tCq+q9+ z8*3__CW%A%|4G4lEGQV$lPw5*Nq{TgrZvgAM+IZf&o0Uom&C=jd}8M0V@x_M8mkZh zbn$r8Vc*zwmT1|IViQuvqw06cOPSq$)Q%m7^}9@`oc;&`FjPPQx(qrEa|LE5e4SXq z2Z-kYu>=r{S&77xtVDcDA=eeWVA^bp*=rrc0v46TtD0<;JVnLf_=teDi_OR4CE+&{ zNFs>kIyRNXhYfi633kDuexHWqzlVbGZ8%HeC)q>J-KG<57ri9M7x_uarxlQQVx4OQ+=)qg6)zs*LrL^dXBCYaqnwrtB( ze{zX8ZGK}p&%}(3PS>W11GyH55`9{=%H9Z!&KZCc!VaDLwt4$Vj96w5ypV9xNRF*h$ z%7*U-v^h&huD0t%2fJn*FP;vcH?=kir-wQ}i4S=7+smJ70%lA%6teA$RzF0=t3pxV ztbp4O&L0!g_i=pJMV^ijOMQ?ow$Hb#U80onV$R~{D|#_wI@%SCE}_oD9;r{{8VnDq zb=HWwo}wko7U7tD`))?|w+9Q#T@Y~fu0mr>;|yeLJ?f(s!Uh8O?!01Za<=IXj+p*o zPc)@Py}a;OgsyzE-+XPL%_Vb96936cfrE-GT>2E3XQ&0Qt%z#~iCPkRC+ERKyzSNQ zrD@x{qzoR9H~z)gZqyTGF&Kf!uDpHojaI>l!Lxd|#A623&o{11%%i+%>$eWNXCI-? 
zr*FKG>}7;Y%Qu_dUU`H(eSf{%#kC#wr^N5JU5XRPjoduKT+t{uY(d3 zJ_sJ}s$x6VMwT>8WoZEdoghljm@T?@x4WplKzPscw6c_Q6nZ9W88$6X5NFZj7hk}S zEf66PS+ID|f0=V|+rgZ}0Xu=vK44{(E2H=O#BQ3-gwSe2_3;|w_LnP{Bou~bFD2No zm5!IqEZI4o{Qa;`@K9S$CZjRjiC}DXV)(Hf>v`#u;48+Saz=86-6HA3oy;4~DfAC) z+p#RCQG@=ZA(j>I<5PEw?87NN)rUlM~pPY2)xE$R$7Hm~XYVhA*HRgxBmVKbl z@b_1o6mefu9bnj6rb^8?XsID&S+|pOKiBIOGM=S8>R8@5wbpank*cG1wdYxO=XCEi z#TCZMYC7?s(H-LbZuu4GJ_WgLA8v&?t;vYlYHTy!)a0L*=KSKC{|a(&evR5;vo*qw z)PcNK*Rz7=HL_)KLmvBsl-Nv(@!dTWuHlkzn>`|JlvarKhBgn`{rb$d`^b2&E(=BH zHoQsGf0iVy*s-V4AsiXk1}}v0l+=W;JNd!O=TOmVTt>?xnNCo zw`>@P4a@t_O=T@rtTZPdV-9G;77d;~n0(u?AhDcwj47wRC{rA~kAC&3Vfo0!Oe6CF zfQLAEkC12pp2vW^ad=)iCy%(&W+Coi1@my^iTE`6e@|>po}Y9`^&isbiC)`@#(9oFe+M@JY$o z=G#CfJbTc@P`|T!P0YhhZxurZqsy{8bk{e%4exs;Rz+tQT;Awcp|t;Lkw{SSZG+~L z>n97Hmw7z*I4mL>IH{4E3ARaSDJM#%d-UKNTFJUwdv84!Soiynn>`Yh^BNzr9K;TH zYW}t*Td;z3f~Qt`Z>*XyetpUkqxPpy&orO&iAi?(KJpDS@Z7sM{l!FQp<=(Mzq~1~ zji-r)NJ`Jk9xJL>_Q>}kc$Q{A^9vlTPTLc6zWJWZjcc1TZ?r_M&%=qNUegVE@7qLZ z7k$?>Bj_`??b5^1M}ys2h@(Pbls!59yegGfx@SFKYQie%1 zw7hTdUZ#BBVFSM9L)(69VcV!%Z0iT2uiZLb{r|LUGwmy7-XVqrDlQGQFipuEQB+L1 zlP?sN;icboVrDLjEDFFHhF{sBk)sxiIP(txt_NmFCT zcCLQ?V{=kdfWE9ow5Yx(Yb5U6-Gdcx10Job|1g&(=KX{5E`0@B*Ot+w_0C^JqHI3X z^5C3_o!Y$Bp>Z#p28Z^Lqr+zAZb~u*>w?QSuq}7j*c&Dr^J88!ZvG+?i+wD0aBEM@ z*L6b6w7bQ+H=c$Q{i5~+!P@gS8!`poQUAT3{mf-9__+U@DfA_?ZWLo4hs<|vc;E@c ziV3_HL>D;rsB@$H{_E&k_ri=>6Azj