From 7dc3fca7543e293db2390c841103c3b197f630ec Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Thu, 27 Jun 2019 18:22:39 -0700
Subject: [PATCH] Remove BackDoor analyzer
---
 NEWS | 20 +
 scripts/base/frameworks/analyzer/main.zeek | 1 -
 scripts/base/init-bare.zeek | 18 -
 src/NetVar.cc | 9 -
 src/NetVar.h | 5 -
 src/Sessions.cc | 9 -
 src/Sessions.h | 1 -
 src/analyzer/Manager.cc | 7 -
 src/analyzer/Manager.h | 1 -
 src/analyzer/protocol/CMakeLists.txt | 1 -
 src/analyzer/protocol/backdoor/BackDoor.cc | 819 ------------------
 src/analyzer/protocol/backdoor/BackDoor.h | 112 ---
 src/analyzer/protocol/backdoor/CMakeLists.txt | 9 -
 src/analyzer/protocol/backdoor/Plugin.cc | 25 -
 src/analyzer/protocol/backdoor/events.bif | 32 -
 src/analyzer/protocol/gnutella/events.bif | 12 +-
 src/event.bif | 12 -
 .../canonified_loaded_scripts.log | 1 -
 .../canonified_loaded_scripts.log | 1 -
 testing/btest/Baseline/plugins.hooks/output | 23 +-
 20 files changed, 33 insertions(+), 1085 deletions(-)
 delete mode 100644 src/analyzer/protocol/backdoor/BackDoor.cc
 delete mode 100644 src/analyzer/protocol/backdoor/BackDoor.h
 delete mode 100644 src/analyzer/protocol/backdoor/CMakeLists.txt
 delete mode 100644 src/analyzer/protocol/backdoor/Plugin.cc
 delete mode 100644 src/analyzer/protocol/backdoor/events.bif
diff --git a/NEWS b/NEWS
index 29ea654d75..20711ea86d 100644
--- a/NEWS
+++ b/NEWS
@@ -413,6 +413,21 @@ Removed Functionality - ``print_hook`` - ``interconn_stats`` - ``interconn_remove_conn`` + - ``root_backdoor_signature_found`` + - ``napster_signature_found`` + - ``kazaa_signature_found`` + - ``gaobot_signature_found`` + - ``ftp_signature_found`` + - ``gnutella_signature_found`` + - ``http_signature_found`` + - ``irc_signature_found`` + - ``telnet_signature_found`` + - ``ssh_signature_found`` + - ``rlogin_signature_found`` + - ``smtp_signature_found`` + - ``http_proxy_signature_found`` + - ``backdoor_stats`` + - ``backdoor_remove_conn`` - The following types/records were deprecated in version 2.6 or below and are removed from this release: @@ -450,6 +465,9 @@ Removed Functionality - ``interconn_stat_period`` - ``interconn_stat_backoff`` - ``interconn_endp_stats`` + - ``backdoor_stat_period`` + - ``backdoor_stat_backoff`` + - ``backdoor_endp_stats`` - The following constants were used as part of deprecated functionality in version 2.6 or below and are removed from this release: @@ -497,6 +515,8 @@ Removed Functionality - Removed the InterConn analyzer. +- Removed the BackDoor analyzer. + Deprecated Functionality ------------------------ diff --git a/scripts/base/frameworks/analyzer/main.zeek b/scripts/base/frameworks/analyzer/main.zeek index cfadffb739..3bfd60bfe6 100644 --- a/scripts/base/frameworks/analyzer/main.zeek +++ b/scripts/base/frameworks/analyzer/main.zeek @@ -125,7 +125,6 @@ export { ## contains legacy analyzers that are no longer supported. global disabled_analyzers: set[Analyzer::Tag] = { ANALYZER_STEPPINGSTONE, - ANALYZER_BACKDOOR, ANALYZER_TCPSTATS, } &redef; } diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek index e505698434..bfb49579cd 100644 --- a/scripts/base/init-bare.zeek +++ b/scripts/base/init-bare.zeek 
@@ -3864,24 +3864,6 @@ const stp_idle_min: interval &redef; ## Internal to the stepping stone detector. global stp_skip_src: set[addr] &redef; -## Deprecated. -const backdoor_stat_period: interval &redef; - -## Deprecated. -const backdoor_stat_backoff: double &redef; - -## Deprecated. -type backdoor_endp_stats: record { - is_partial: bool; - num_pkts: count; - num_8k0_pkts: count; - num_8k4_pkts: count; - num_lines: count; - num_normal_lines: count; - num_bytes: count; - num_7bit_ascii: count; -}; - ## Description of a signature match. ## ## .. zeek:see:: signature_match diff --git a/src/NetVar.cc b/src/NetVar.cc index 5ef7e9b9c5..c256cfd496 100644 --- a/src/NetVar.cc +++ b/src/NetVar.cc @@ -125,11 +125,6 @@ double stp_delta; double stp_idle_min; TableVal* stp_skip_src; -double backdoor_stat_period; -double backdoor_stat_backoff; - -RecordType* backdoor_endp_stats; - double table_expire_interval; double table_expire_delay; int table_incremental_step; @@ -381,10 +376,6 @@ void init_net_var() stp_idle_min = opt_internal_double("stp_idle_min"); stp_skip_src = internal_val("stp_skip_src")->AsTableVal(); - backdoor_stat_period = opt_internal_double("backdoor_stat_period"); - backdoor_stat_backoff = opt_internal_double("backdoor_stat_backoff"); - backdoor_endp_stats = internal_type("backdoor_endp_stats")->AsRecordType(); - orig_addr_anonymization = opt_internal_int("orig_addr_anonymization"); resp_addr_anonymization = opt_internal_int("resp_addr_anonymization"); other_addr_anonymization = opt_internal_int("other_addr_anonymization"); diff --git a/src/NetVar.h b/src/NetVar.h index 28936b9c61..5dc5fcfb79 100644 --- a/src/NetVar.h +++ b/src/NetVar.h @@ -128,11 +128,6 @@ extern double stp_delta; extern double stp_idle_min; extern TableVal* stp_skip_src; -extern double backdoor_stat_period; -extern double backdoor_stat_backoff; - -extern RecordType* backdoor_endp_stats; - extern double table_expire_interval; extern double table_expire_delay; extern int table_incremental_step; 
diff --git a/src/Sessions.cc b/src/Sessions.cc index 019082a6f0..5f290f5386 100644 --- a/src/Sessions.cc +++ b/src/Sessions.cc @@ -20,8 +20,6 @@ #include "analyzer/protocol/stepping-stone/SteppingStone.h" #include "analyzer/protocol/stepping-stone/events.bif.h" -#include "analyzer/protocol/backdoor/BackDoor.h" -#include "analyzer/protocol/backdoor/events.bif.h" #include "analyzer/protocol/arp/ARP.h" #include "analyzer/protocol/arp/events.bif.h" #include "Discard.h" @@ -117,13 +115,6 @@ NetSessions::NetSessions() packet_filter = 0; - build_backdoor_analyzer = - backdoor_stats || rlogin_signature_found || - telnet_signature_found || ssh_signature_found || - root_backdoor_signature_found || ftp_signature_found || - napster_signature_found || kazaa_signature_found || - http_signature_found || http_proxy_signature_found; - dump_this_packet = 0; num_packets_processed = 0; diff --git a/src/Sessions.h b/src/Sessions.h index 617ab3e52a..27b0ab474c 100644 --- a/src/Sessions.h +++ b/src/Sessions.h @@ -231,7 +231,6 @@ protected: analyzer::stepping_stone::SteppingStoneManager* stp_manager; Discarder* discarder; PacketFilter* packet_filter; - int build_backdoor_analyzer; int dump_this_packet; // if true, current packet should be recorded uint64 num_packets_processed; PacketProfiler* pkt_profiler; diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc index d62749284d..da19b7685f 100644 --- a/src/analyzer/Manager.cc +++ b/src/analyzer/Manager.cc @@ -5,7 +5,6 @@ #include "Hash.h" #include "Val.h" -#include "protocol/backdoor/BackDoor.h" #include "protocol/conn-size/ConnSize.h" #include "protocol/icmp/ICMP.h" #include "protocol/pia/PIA.h" @@ -86,7 +85,6 @@ Manager::~Manager() void Manager::InitPreScript() { // Cache these tags. - analyzer_backdoor = GetComponentTag("BACKDOOR"); analyzer_connsize = GetComponentTag("CONNSIZE"); analyzer_stepping = GetComponentTag("STEPPINGSTONE"); analyzer_tcpstats = GetComponentTag("TCPSTATS"); 
@@ -459,11 +457,6 @@ bool Manager::BuildInitialAnalyzerTree(Connection* conn) if ( reass ) tcp->EnableReassembly(); - if ( IsEnabled(analyzer_backdoor) ) - // Add a BackDoor analyzer if requested. This analyzer - // can handle both reassembled and non-reassembled input. - tcp->AddChildAnalyzer(new backdoor::BackDoor_Analyzer(conn), false); - if ( IsEnabled(analyzer_stepping) ) { // Add a SteppingStone analyzer if requested. The port diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h index 1f9fc21090..14bba1d115 100644 --- a/src/analyzer/Manager.h +++ b/src/analyzer/Manager.h @@ -355,7 +355,6 @@ private: analyzer_map_by_port analyzers_by_port_tcp; analyzer_map_by_port analyzers_by_port_udp; - Tag analyzer_backdoor; Tag analyzer_connsize; Tag analyzer_stepping; Tag analyzer_tcpstats; diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt index 906f5e32dc..d5024a2ff1 100644 --- a/src/analyzer/protocol/CMakeLists.txt +++ b/src/analyzer/protocol/CMakeLists.txt @@ -1,7 +1,6 @@ add_subdirectory(arp) add_subdirectory(ayiya) -add_subdirectory(backdoor) add_subdirectory(bittorrent) add_subdirectory(conn-size) add_subdirectory(dce-rpc) diff --git a/src/analyzer/protocol/backdoor/BackDoor.cc b/src/analyzer/protocol/backdoor/BackDoor.cc deleted file mode 100644 index 2e8d47d1d0..0000000000 --- a/src/analyzer/protocol/backdoor/BackDoor.cc +++ /dev/null 
@@ -1,819 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#include "zeek-config.h" - -#include "BackDoor.h" -#include "Event.h" -#include "Net.h" -#include "analyzer/protocol/tcp/TCP.h" - -#include "events.bif.h" - -using namespace analyzer::backdoor; - -BackDoorEndpoint::BackDoorEndpoint(tcp::TCP_Endpoint* e) - { - endp = e; - is_partial = 0; - max_top_seq = 0; - - rlogin_checking_done = 0; - rlogin_string_separator_pos = 0; - rlogin_num_null = 0; - rlogin_slash_seen = 0; - - num_pkts = num_8k0_pkts = num_8k4_pkts = - num_lines = num_normal_lines = num_bytes = num_7bit_ascii = 0; - } - -#define NORMAL_LINE_LENGTH 80 - -#define TELNET_IAC 255 -#define IS_TELNET_NEGOTIATION_CMD(c) ((c) >= 251 && (c) <= 254) - -#define DEFAULT_MTU 512 - -#define RLOGIN_MAX_SIGNATURE_LENGTH 256 - -void BackDoorEndpoint::FinalCheckForRlogin() - { - if ( ! rlogin_checking_done ) - { - rlogin_checking_done = 1; - - if ( rlogin_num_null > 0 ) - RloginSignatureFound(0); - } - } - -int BackDoorEndpoint::DataSent(double /* t */, uint64 seq, - int len, int caplen, const u_char* data, - const IP_Hdr* /* ip */, - const struct tcphdr* /* tp */) - { - if ( caplen < len ) - len = caplen; - - if ( len <= 0 ) - return 0; - - if ( endp->state == tcp::TCP_ENDPOINT_PARTIAL ) - is_partial = 1; - - uint64 ack = endp->ToRelativeSeqSpace(endp->AckSeq(), endp->AckWraps()); - uint64 top_seq = seq + len; - - if ( top_seq <= ack || top_seq <= max_top_seq ) - // There is no new data in this packet. 
- return 0; - - if ( rlogin_signature_found ) - CheckForRlogin(seq, len, data); - - if ( telnet_signature_found ) - CheckForTelnet(seq, len, data); - - if ( ssh_signature_found ) - CheckForSSH(seq, len, data); - - if ( ftp_signature_found ) - CheckForFTP(seq, len, data); - - if ( root_backdoor_signature_found ) - CheckForRootBackdoor(seq, len, data); - - if ( napster_signature_found ) - CheckForNapster(seq, len, data); - - if ( gnutella_signature_found ) - CheckForGnutella(seq, len, data); - - if ( kazaa_signature_found ) - CheckForKazaa(seq, len, data); - - if ( http_signature_found || http_proxy_signature_found ) - CheckForHTTP(seq, len, data); - - if ( smtp_signature_found ) - CheckForSMTP(seq, len, data); - - if ( irc_signature_found ) - CheckForIRC(seq, len, data); - - if ( gaobot_signature_found ) - CheckForGaoBot(seq, len, data); - - max_top_seq = top_seq; - - return 1; - } - -RecordVal* BackDoorEndpoint::BuildStats() - { - RecordVal* stats = new RecordVal(backdoor_endp_stats); - - stats->Assign(0, val_mgr->GetBool(is_partial)); - stats->Assign(1, val_mgr->GetCount(num_pkts)); - stats->Assign(2, val_mgr->GetCount(num_8k0_pkts)); - stats->Assign(3, val_mgr->GetCount(num_8k4_pkts)); - stats->Assign(4, val_mgr->GetCount(num_lines)); - stats->Assign(5, val_mgr->GetCount(num_normal_lines)); - stats->Assign(6, val_mgr->GetCount(num_bytes)); - stats->Assign(7, val_mgr->GetCount(num_7bit_ascii)); - - return stats; - } - -void BackDoorEndpoint::CheckForRlogin(uint64 seq, int len, const u_char* data) - { - if ( rlogin_checking_done ) - return; - - // Looking for pattern: - // stringstringstring/string - // where all string's are non-empty 7-bit-ascii string - // - // To avoid having to reassemble, we keep testing each byte until - // one of the following happens: - // - // - A gap in sequence number occurs - // - Four null's have been found - // - The number of bytes we examined reaches RLOGIN_MAX_SIGNATURE_LENGTH - // - An empty or non-7-bit-ascii string is found - 
// - if ( seq == 1 ) - { // Check if first byte is a NUL. - if ( data[0] == 0 ) - { - rlogin_num_null = 1; - - if ( ! endp->IsOrig() ) - { - RloginSignatureFound(len); - return; - } - - rlogin_string_separator_pos = 1; - - ++seq; // move past the byte - ++data; - --len; - } - else - { - rlogin_checking_done = 1; - return; - } - } - - if ( seq > max_top_seq && max_top_seq != 0 ) - { // A gap! Since we don't reassemble things, stop now. - RloginSignatureFound(0); - return; - } - - if ( seq + len <= max_top_seq ) - return; // nothing new - - if ( seq < max_top_seq ) - { // trim to just the new data - int64 delta = max_top_seq - seq; - seq += delta; - data += delta; - len -= delta; - } - - // Search for rlogin signature. - for ( int i = 0; i < len && rlogin_num_null < 4; ++i ) - { - if ( data[i] == 0 ) - { - if ( i + seq == rlogin_string_separator_pos + 1 ) - { // Empty string found. - rlogin_checking_done = 1; - return; - } - else - { - rlogin_string_separator_pos = i + seq; - ++rlogin_num_null; - } - } - - else if ( data[i] == '/' ) - { - if ( rlogin_num_null == 3 ) - { - if ( i + seq == rlogin_string_separator_pos + 1 ) - { // Empty terminal type. - rlogin_checking_done = 1; - return; - } - - rlogin_string_separator_pos = i + seq; - rlogin_slash_seen = 1; - } - } - - else if ( data[i] >= 128 ) - { // Non-7-bit-ascii - rlogin_checking_done = 1; - return; - } - } - - if ( rlogin_num_null == 4 ) - { - if ( rlogin_slash_seen ) - RloginSignatureFound(0); - else - rlogin_checking_done = 1; - - return; - } - - if ( seq + len > RLOGIN_MAX_SIGNATURE_LENGTH ) - { // We've waited for too long - RloginSignatureFound(0); - return; - } - } - -void BackDoorEndpoint::RloginSignatureFound(int len) - { - if ( rlogin_checking_done ) - return; - - rlogin_checking_done = 1; - - if ( ! 
rlogin_signature_found ) - return; - - endp->TCP()->ConnectionEventFast(rlogin_signature_found, { - endp->TCP()->BuildConnVal(), - val_mgr->GetBool(endp->IsOrig()), - val_mgr->GetCount(rlogin_num_null), - val_mgr->GetCount(len), - }); - } - -void BackDoorEndpoint::CheckForTelnet(uint64 /* seq */, int len, const u_char* data) - { - if ( len >= 3 && - data[0] == TELNET_IAC && IS_TELNET_NEGOTIATION_CMD(data[1]) ) - { - TelnetSignatureFound(len); - return; - } - - // Note, we do the analysis per-packet rather than on the reassembled - // stream. This is a lot more efficient as then we don't need to - // do stream reassembly; but it's potentially less accurate, and - // subject to evasion. *But*: backdoor detection is inherently - // subject to a wide variety of evasion, so allowing this form - // (which is a pain to exploit) costs little. - - num_bytes += len; - - int last_char = 0; - int offset = 0; // where we consider the latest line to have begun - int option_length = 0; // length of options in a line - - for ( int i = 0; i < len; ++i ) - { - unsigned int c = data[i]; - - if ( c == '\n' && last_char == '\r' ) - { - // Compress CRLF to just one line termination. - last_char = c; - continue; - } - - if ( c == '\n' || c == '\r' ) - { - ++num_lines; - - if ( i - offset - option_length <= NORMAL_LINE_LENGTH ) - ++num_normal_lines; - - option_length = 0; - offset = i; - } - - else if ( c == TELNET_IAC ) - { - ++option_length; - --num_bytes; - - if ( ++i < len ) - { - unsigned int code = data[i]; - if ( code == TELNET_IAC ) - // Escaped IAC. - last_char = code; - - else if ( code >= 251 && code <= 254 ) - { // 3-byte option: ignore next byte - ++i; - option_length += 2; - num_bytes -= 2; - } - - else - // XXX: We don't deal with sub option for simplicity - // although we SHOULD! 
- { - ++option_length; - --num_bytes; - } - } - continue; - } - - else if ( c != 0 && c < 128 ) - ++num_7bit_ascii; - - last_char = c; - } - } - -void BackDoorEndpoint::TelnetSignatureFound(int len) - { - if ( ! telnet_signature_found ) - return; - - endp->TCP()->ConnectionEventFast(telnet_signature_found, { - endp->TCP()->BuildConnVal(), - val_mgr->GetBool(endp->IsOrig()), - val_mgr->GetCount(len), - }); - } - -void BackDoorEndpoint::CheckForSSH(uint64 seq, int len, const u_char* data) - { - if ( seq == 1 && CheckForString("SSH-", data, len) && len > 4 && - (data[4] == '1' || data[4] == '2') ) - { - SignatureFound(ssh_signature_found, 1); - return; - } - - // Check for length pattern. - - if ( seq < max_top_seq || max_top_seq == 0 ) - // Retransmission involved, or first pkt => size info useless. - return; - - if ( seq > max_top_seq ) - { // Estimate number of packets in the sequence gap - int64 gap = seq - max_top_seq; - if ( gap > 0 ) - num_pkts += uint64((gap + DEFAULT_MTU - 1) / DEFAULT_MTU); - } - - ++num_pkts; - - // According to the spec: - // SSH 1.x pkts have size 8k+4 - // SSH 2.x pkts have size 8k >= 16 (most cipher blocks are 8n) - if ( len <= 127 ) - switch ( len & 7 ) { - case 0: - if ( len >= 16 ) - ++num_8k0_pkts; - break; - - case 4: - ++num_8k4_pkts; - break; - } - else - { // len is likely to be some MTU. - } - } - -void BackDoorEndpoint::CheckForRootBackdoor(uint64 seq, int len, const u_char* data) - { - // Check for root backdoor signature: an initial payload of - // exactly "# ". - if ( seq == 1 && len == 2 && ! 
endp->IsOrig() && - data[0] == '#' && data[1] == ' ' ) - SignatureFound(root_backdoor_signature_found); - } - -void BackDoorEndpoint::CheckForFTP(uint64 seq, int len, const u_char* data) - { - // Check for FTP signature - // - // Currently, the signatures include: "220 ", "220-" - // - // For a day's worth of LBNL FTP activity (7,229 connections), - // the distribution of the code in the first line returned by - // the server (the lines always began with a code) is: - // - // 220: 6685 - // 421: 535 - // 226: 7 - // 426: 1 - // 200: 1 - // - // The 421's are all "host does not have access" or "timeout" of - // some form, so it's not big deal with we miss them (if that helps - // keep down the false positives). - - if ( seq != 1 || endp->IsOrig() || len < 4 ) - return; - - if ( CheckForString("220", data, len) && - (data[3] == ' ' || data[3] == '-') ) - SignatureFound(ftp_signature_found); - - else if ( CheckForString("421", data, len) && - (data[3] == '-' || data[3] == ' ') ) - SignatureFound(ftp_signature_found); - } - -void BackDoorEndpoint::CheckForNapster(uint64 seq, int len, const u_char* data) - { - // Check for Napster signature "GETfoobar" or "SENDfoobar" where - // "foobar" is the Napster handle associated with the request - // (so pretty much any arbitrary identifier, but sent adjacent - // to the GET or SEND with no intervening whitespace; but also - // sent in a separate packet. - - if ( seq != 1 || ! endp->IsOrig() ) - return; - - if ( len == 3 && CheckForString("GET", data, len) ) - // GETfoobar. - SignatureFound(napster_signature_found); - - else if ( len == 4 && CheckForString("SEND", data, len) ) - // SENDfoobar. 
- SignatureFound(napster_signature_found); - } - -void BackDoorEndpoint::CheckForSMTP(uint64 seq, int len, const u_char* data) - { - const char* smtp_handshake[] = { "HELO", "EHLO", 0 }; - - if ( seq != 1 ) - return; - - if ( CheckForStrings(smtp_handshake, data, len) ) - SignatureFound(smtp_signature_found); - } - -void BackDoorEndpoint::CheckForIRC(uint64 seq, int len, const u_char* data) - { - if ( seq != 1 || is_partial ) - return; - - const char* irc_indicator[] = { - "ERROR", "INVITE", "ISON", "JOIN", "KICK", "NICK", - "NJOIN", "NOTICE AUTH", "OPER", "PART", "PING", "PONG", - "PRIVMSG", "SQUERY", "SQUIT", "WHO", 0, - }; - - if ( CheckForStrings(irc_indicator, data, len) ) - SignatureFound(irc_signature_found); - } - -void BackDoorEndpoint::CheckForGnutella(uint64 seq, int len, const u_char* data) - { - // After connecting to the server, the connecting client says: - // - // GNUTELLA CONNECT/\n\n - // - // The accepting server responds: - // - // GNUTELLA OK\n\n - // - // We find checking the first 8 bytes suffices, and that will - // also catch variants that use something other than "CONNECT". - - if ( seq == 1 && CheckForString("GNUTELLA ", data, len) ) - SignatureFound(gnutella_signature_found); - } - -void BackDoorEndpoint::CheckForGaoBot(uint64 seq, int len, const u_char* data) - { - if ( seq == 1 && CheckForString("220 Bot Server (Win32)", data, len) ) - SignatureFound(gaobot_signature_found); - } - -void BackDoorEndpoint::CheckForKazaa(uint64 seq, int len, const u_char* data) - { - // *Some*, though not all, KaZaa connections begin with: - // - // GIVE - - if ( seq == 1 && CheckForString("GIVE ", data, len) ) - SignatureFound(kazaa_signature_found); - } - - -int is_http_whitespace(const u_char ch) - { - return ! isprint(ch) || isspace(ch); - } - -int skip_http_whitespace(const u_char* data, int len, int max) - { - int k; - for ( k = 0; k < len; ++k ) - { - if ( ! 
is_http_whitespace(data[k]) ) - break; - - // Here we do not go beyond CR -- this is OK for - // processing first line of HTTP requests. However, it - // cannot be used to process multiple-line headers. - - if ( data[k] == '\015' || k == max ) - return -1; - } - - return k < len ? k : -1; - } - -int is_absolute_url(const u_char* data, int len) - { - // Look for '://' in the URL. - const char* abs_url_sig = "://"; - const char* abs_url_sig_pos = abs_url_sig; - - // Warning: the following code is NOT general for any signature string, - // but only works for specific strings like "://". - - for ( int pos = 0; pos < len; ++pos ) - { - if ( *abs_url_sig_pos == '\0' ) - return 1; - - if ( data[pos] == *abs_url_sig_pos ) - ++abs_url_sig_pos; - - else - { - if ( is_http_whitespace(data[pos]) ) - return 0; - - abs_url_sig_pos = abs_url_sig; - if ( *abs_url_sig != '\0' && - *abs_url_sig_pos == data[pos] ) - ++abs_url_sig_pos; - } - } - - return *abs_url_sig_pos == '\0'; - } - -void BackDoorEndpoint::CheckForHTTP(uint64 seq, int len, const u_char* data) - { - // According to the RFC, we should look for - // ' SP SP HTTP/ CR LF' - // where: - // - // = GET | HEAD | POST - // - // (i.e., HTTP 1.1 methods are ignored for now) - // = 1.0 | 1.1. - // - // However, this is probably too restrictive to catch 'non-standard' - // requests. Instead, we look for certain methods only in the first - // line of the first packet only. - // - // "The method is case-sensitive." -- RFC 2616 - - const char* http_method[] = { "GET", "HEAD", "POST", 0 }; - - if ( seq != 1 ) - return; // first packet only - - // Pick up the method. - int pos = skip_http_whitespace (data, len, 0); - if ( pos < 0 ) - return; - - int method; - for ( method = 0; http_method[method]; ++method ) - { - const char* s = http_method[method]; - int i; - for ( i = pos; i < len; ++i, ++s ) - if ( data[i] != *s ) - break; - - if ( *s == '\0' ) - { - pos = i; - break; - } - } - - if ( ! 
http_method[method] ) - return; - - if ( pos >= len || ! is_http_whitespace(data[pos]) ) - return; - - if ( http_signature_found ) - SignatureFound(http_signature_found); - - if ( http_proxy_signature_found ) - { - const u_char* rest = data + pos; - int rest_len = len - pos; - - pos = skip_http_whitespace(rest, rest_len, rest_len); - - if ( pos >= 0 ) - CheckForHTTPProxy(seq, rest_len - pos, rest + pos); - } - } - -void BackDoorEndpoint::CheckForHTTPProxy(uint64 /* seq */, int len, - const u_char* data) - { - // Proxy ONLY accepts absolute URI's: "The absoluteURI form is - // REQUIRED when the request is being made to a proxy." -- RFC 2616 - - if ( is_absolute_url(data, len) ) - SignatureFound(http_proxy_signature_found); - } - - -void BackDoorEndpoint::SignatureFound(EventHandlerPtr e, int do_orig) - { - if ( ! e ) - return; - - if ( do_orig ) - endp->TCP()->ConnectionEventFast(e, - {endp->TCP()->BuildConnVal(), val_mgr->GetBool(endp->IsOrig())}); - - else - endp->TCP()->ConnectionEventFast(e, {endp->TCP()->BuildConnVal()}); - } - - -int BackDoorEndpoint::CheckForStrings(const char** strs, - const u_char* data, int len) - { - for ( ; *strs; ++strs ) - if ( CheckForFullString(*strs, data, len) ) - return 1; - - return 0; - } - -int BackDoorEndpoint::CheckForFullString(const char* str, - const u_char* data, int len) - { - for ( ; len > 0 && *str; --len, ++data, ++str ) - if ( *str != *data ) - return 0; - - // A "full" string means a non-prefix match. 
- return *str == 0 && (len == 0 || *data == ' ' || *data == '\t'); - } - -int BackDoorEndpoint::CheckForString(const char* str, - const u_char* data, int len) - { - for ( ; len > 0 && *str; --len, ++data, ++str ) - if ( *str != *data ) - return 0; - - return *str == 0; - } - - -BackDoor_Analyzer::BackDoor_Analyzer(Connection* c) -: tcp::TCP_ApplicationAnalyzer("BACKDOOR", c) - { - orig_endp = resp_endp = 0; - - orig_stream_pos = resp_stream_pos = 1; - - timeout = backdoor_stat_period; - backoff = backdoor_stat_backoff; - - c->GetTimerMgr()->Add(new BackDoorTimer(network_time + timeout, this)); - } - -BackDoor_Analyzer::~BackDoor_Analyzer() - { - delete orig_endp; - delete resp_endp; - } - -void BackDoor_Analyzer::Init() - { - tcp::TCP_ApplicationAnalyzer::Init(); - - assert(TCP()); - orig_endp = new BackDoorEndpoint(TCP()->Orig()); - resp_endp = new BackDoorEndpoint(TCP()->Resp()); - } - -void BackDoor_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, - uint64 seq, const IP_Hdr* ip, int caplen) - { - Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen); - - if ( is_orig ) - orig_endp->DataSent(network_time, seq, len, caplen, data, 0, 0); - else - resp_endp->DataSent(network_time, seq, len, caplen, data, 0, 0); - } - -void BackDoor_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig) - { - Analyzer::DeliverStream(len, data, is_orig); - - if ( is_orig ) - { - orig_endp->DataSent(network_time, orig_stream_pos, - len, len, data, 0, 0); - orig_stream_pos += len; - } - - else - { - resp_endp->DataSent(network_time, resp_stream_pos, - len, len, data, 0, 0); - resp_stream_pos += len; - } - } - -void BackDoor_Analyzer::Done() - { - tcp::TCP_ApplicationAnalyzer::Done(); - - if ( ! IsFinished() ) - { - orig_endp->FinalCheckForRlogin(); - resp_endp->FinalCheckForRlogin(); - - if ( ! 
TCP()->Skipping() ) - StatEvent(); - - RemoveEvent(); - } - - } - -void BackDoor_Analyzer::StatTimer(double t, int is_expire) - { - if ( IsFinished() || TCP()->Skipping() ) - return; - - StatEvent(); - - if ( ! is_expire ) - { - timeout *= backoff; - timer_mgr->Add(new BackDoorTimer(t + timeout, this)); - } - } - -void BackDoor_Analyzer::StatEvent() - { - if ( ! backdoor_stats ) - return; - - TCP()->ConnectionEventFast(backdoor_stats, { - TCP()->BuildConnVal(), - orig_endp->BuildStats(), - resp_endp->BuildStats(), - }); - } - -void BackDoor_Analyzer::RemoveEvent() - { - if ( ! backdoor_remove_conn ) - return; - - TCP()->ConnectionEventFast(backdoor_remove_conn, {TCP()->BuildConnVal()}); - } - -BackDoorTimer::BackDoorTimer(double t, BackDoor_Analyzer* a) -: Timer(t, TIMER_BACKDOOR) - { - analyzer = a; - // Make sure connection does not expire. - Ref(a->Conn()); - } - -BackDoorTimer::~BackDoorTimer() - { - Unref(analyzer->Conn()); - } - -void BackDoorTimer::Dispatch(double t, int is_expire) - { - analyzer->StatTimer(t, is_expire); - } diff --git a/src/analyzer/protocol/backdoor/BackDoor.h b/src/analyzer/protocol/backdoor/BackDoor.h deleted file mode 100644 index c954d176d5..0000000000 --- a/src/analyzer/protocol/backdoor/BackDoor.h +++ /dev/null 
@@ -1,112 +0,0 @@ -// See the file "COPYING" in the main distribution directory for copyright. - -#ifndef ANALYZER_PROTOCOL_BACKDOOR_BACKDOOR_H -#define ANALYZER_PROTOCOL_BACKDOOR_BACKDOOR_H - -#include "analyzer/protocol/tcp/TCP.h" -#include "Timer.h" -#include "NetVar.h" -#include "analyzer/protocol/login/Login.h" - -namespace analyzer { namespace backdoor { - -class BackDoorEndpoint { -public: - explicit BackDoorEndpoint(tcp::TCP_Endpoint* e); - - int DataSent(double t, uint64 seq, int len, int caplen, const u_char* data, - const IP_Hdr* ip, const struct tcphdr* tp); - - RecordVal* BuildStats(); - - void FinalCheckForRlogin(); - -protected: - void CheckForRlogin(uint64 seq, int len, const u_char* data); - void RloginSignatureFound(int len); - - void CheckForTelnet(uint64 seq, int len, const u_char* data); - void TelnetSignatureFound(int len); - - void CheckForSSH(uint64 seq, int len, const u_char* data); - void CheckForFTP(uint64 seq, int len, const u_char* data); - void CheckForRootBackdoor(uint64 seq, int len, const u_char* data); - void CheckForNapster(uint64 seq, int len, const u_char* data); - void CheckForGnutella(uint64 seq, int len, const u_char* data); - void CheckForKazaa(uint64 seq, int len, const u_char* data); - void CheckForHTTP(uint64 seq, int len, const u_char* data); - void CheckForHTTPProxy(uint64 seq, int len, const u_char* data); - void CheckForSMTP(uint64 seq, int len, const u_char* data); - void CheckForIRC(uint64 seq, int len, const u_char* data); - void CheckForGaoBot(uint64 seq, int len, const u_char* data); - - void SignatureFound(EventHandlerPtr e, int do_orig = 0); - - int CheckForStrings(const char** strs, const u_char* data, int len); - int CheckForFullString(const char* str, const u_char* data, int len); - int CheckForString(const char* str, const u_char* data, int len); - - tcp::TCP_Endpoint* endp; - int is_partial; - uint64 max_top_seq; - - int rlogin_checking_done; - int rlogin_num_null; - uint64 rlogin_string_separator_pos; - 
int rlogin_slash_seen; - - uint32 num_pkts; - uint32 num_8k4_pkts; - uint32 num_8k0_pkts; - uint32 num_lines; - uint32 num_normal_lines; - uint32 num_bytes; - uint32 num_7bit_ascii; -}; - -class BackDoor_Analyzer : public tcp::TCP_ApplicationAnalyzer { -public: - explicit BackDoor_Analyzer(Connection* c); - ~BackDoor_Analyzer() override; - - void Init() override; - void Done() override; - void StatTimer(double t, int is_expire); - - static analyzer::Analyzer* Instantiate(Connection* conn) - { return new BackDoor_Analyzer(conn); } - -protected: - // We support both packet and stream input, and can be instantiated - // even if the TCP analyzer is not yet reassembling. - void DeliverPacket(int len, const u_char* data, bool is_orig, - uint64 seq, const IP_Hdr* ip, int caplen) override; - void DeliverStream(int len, const u_char* data, bool is_orig) override; - - void StatEvent(); - void RemoveEvent(); - - BackDoorEndpoint* orig_endp; - BackDoorEndpoint* resp_endp; - - int orig_stream_pos; - int resp_stream_pos; - - double timeout; - double backoff; -}; - -class BackDoorTimer : public Timer { -public: - BackDoorTimer(double t, BackDoor_Analyzer* a); - ~BackDoorTimer() override; - - void Dispatch(double t, int is_expire) override; - -protected: - BackDoor_Analyzer* analyzer; -}; - -} } // namespace analyzer::* - -#endif diff --git a/src/analyzer/protocol/backdoor/CMakeLists.txt b/src/analyzer/protocol/backdoor/CMakeLists.txt deleted file mode 100644 index 66511d3d99..0000000000 --- a/src/analyzer/protocol/backdoor/CMakeLists.txt +++ /dev/null @@ -1,9 +0,0 @@ - -include(ZeekPlugin) - -include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) - -zeek_plugin_begin(Zeek BackDoor) -zeek_plugin_cc(BackDoor.cc Plugin.cc) -zeek_plugin_bif(events.bif) -zeek_plugin_end() diff --git a/src/analyzer/protocol/backdoor/Plugin.cc b/src/analyzer/protocol/backdoor/Plugin.cc deleted file mode 100644 index aeec615c50..0000000000 
--- a/src/analyzer/protocol/backdoor/Plugin.cc +++ /dev/null @@ -1,25 +0,0 @@ -// See the file in the main distribution directory for copyright. - - -#include "plugin/Plugin.h" - -#include "BackDoor.h" - -namespace plugin { -namespace Zeek_BackDoor { - -class Plugin : public plugin::Plugin { -public: - plugin::Configuration Configure() - { - AddComponent(new ::analyzer::Component("BackDoor", ::analyzer::backdoor::BackDoor_Analyzer::Instantiate)); - - plugin::Configuration config; - config.name = "Zeek::BackDoor"; - config.description = "Backdoor Analyzer deprecated"; - return config; - } -} plugin; - -} -} diff --git a/src/analyzer/protocol/backdoor/events.bif b/src/analyzer/protocol/backdoor/events.bif deleted file mode 100644 index 81676ee43b..0000000000 --- a/src/analyzer/protocol/backdoor/events.bif +++ /dev/null @@ -1,32 +0,0 @@ -## Deprecated. Will be removed. -event backdoor_stats%(c: connection, os: backdoor_endp_stats, rs: backdoor_endp_stats%); - -## Deprecated. Will be removed. -event backdoor_remove_conn%(c: connection%); - -## Deprecated. Will be removed. -event ftp_signature_found%(c: connection%); - -## Deprecated. Will be removed. -event gnutella_signature_found%(c: connection%); - -## Deprecated. Will be removed. -event http_signature_found%(c: connection%); - -## Deprecated. Will be removed. -event irc_signature_found%(c: connection%); - -## Deprecated. Will be removed. -event telnet_signature_found%(c: connection, is_orig: bool, len: count%); - -## Deprecated. Will be removed. -event ssh_signature_found%(c: connection, is_orig: bool%); - -## Deprecated. Will be removed. -event rlogin_signature_found%(c: connection, is_orig: bool, num_null: count, len: count%); - -## Deprecated. Will be removed. -event smtp_signature_found%(c: connection%); - -## Deprecated. Will be removed. -event http_proxy_signature_found%(c: connection%); 
diff --git a/src/analyzer/protocol/gnutella/events.bif b/src/analyzer/protocol/gnutella/events.bif index 4168646543..8b3ef2a177 100644 --- a/src/analyzer/protocol/gnutella/events.bif +++ b/src/analyzer/protocol/gnutella/events.bif @@ -4,7 +4,7 @@ ## information about the Gnutella protocol. ## ## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify -## gnutella_not_establish gnutella_partial_binary_msg gnutella_signature_found +## gnutella_not_establish gnutella_partial_binary_msg ## ## ## .. todo:: Zeek's current default configuration does not activate the protocol @@ -19,7 +19,7 @@ event gnutella_text_msg%(c: connection, orig: bool, headers: string%); ## information about the Gnutella protocol. ## ## .. zeek:see:: gnutella_establish gnutella_http_notify gnutella_not_establish -## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg +## gnutella_partial_binary_msg gnutella_text_msg ## ## .. todo:: Zeek's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet @@ -36,7 +36,7 @@ event gnutella_binary_msg%(c: connection, orig: bool, msg_type: count, ## information about the Gnutella protocol. ## ## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify -## gnutella_not_establish gnutella_signature_found gnutella_text_msg +## gnutella_not_establish gnutella_text_msg ## ## .. todo:: Zeek's current default configuration does not activate the protocol ## analyzer that generates this event; the corresponding script has not yet 
@@ -51,7 +51,7 @@ event gnutella_partial_binary_msg%(c: connection, orig: bool,
 ## information about the Gnutella protocol.
 ##
 ## .. zeek:see:: gnutella_binary_msg gnutella_http_notify gnutella_not_establish
-## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+## gnutella_partial_binary_msg gnutella_text_msg
 ##
 ## .. todo:: Zeek's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -65,7 +65,7 @@ event gnutella_establish%(c: connection%);
 ## information about the Gnutella protocol.
 ##
 ## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_http_notify
-## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+## gnutella_partial_binary_msg gnutella_text_msg
 ##
 ## .. todo:: Zeek's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
@@ -79,7 +79,7 @@ event gnutella_not_establish%(c: connection%);
 ## information about the Gnutella protocol.
 ##
 ## .. zeek:see:: gnutella_binary_msg gnutella_establish gnutella_not_establish
-## gnutella_partial_binary_msg gnutella_signature_found gnutella_text_msg
+## gnutella_partial_binary_msg gnutella_text_msg
 ##
 ## .. todo:: Zeek's current default configuration does not activate the protocol
 ## analyzer that generates this event; the corresponding script has not yet
diff --git a/src/event.bif b/src/event.bif
index 79e54b9d37..2adb5532bb 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -799,17 +799,5 @@ event dns_mapping_altered%(dm: dns_mapping, old_addrs: addr_set, new_addrs: addr
 ## params: The event's parameters.
 event new_event%(name: string, params: call_argument_vector%);
 
-## Deprecated. Will be removed.
-event root_backdoor_signature_found%(c: connection%);
-
-## Deprecated. Will be removed.
-event napster_signature_found%(c: connection%);
-
-## Deprecated. Will be removed.
-event kazaa_signature_found%(c: connection%);
-
-## Deprecated. Will be removed.
-event gaobot_signature_found%(c: connection%);
-
 ## Shows an IP address anonymization mapping.
 event anonymization_mapping%(orig: addr, mapped: addr%);
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 8a1f6fd603..0169c3b838 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -62,7 +62,6 @@ scripts/base/init-frameworks-and-bifs.zeek
 build/scripts/base/bif/top-k.bif.zeek
 build/scripts/base/bif/plugins/__load__.zeek
 build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
-build/scripts/base/bif/plugins/Zeek_BackDoor.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 361019899c..6fbc95e4ec 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -62,7 +62,6 @@ scripts/base/init-frameworks-and-bifs.zeek
 build/scripts/base/bif/top-k.bif.zeek
 build/scripts/base/bif/plugins/__load__.zeek
 build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
-build/scripts/base/bif/plugins/Zeek_BackDoor.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_BitTorrent.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_ConnSize.events.bif.zeek
 build/scripts/base/bif/plugins/Zeek_ConnSize.functions.bif.zeek
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 4d70a144e8..ef7ba59161 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -1,4 +1,3 @@
-0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_STEPPINGSTONE)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp)) ->
@@ -64,7 +63,6 @@
 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp)) ->
-0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_STEPPINGSTONE)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS)) ->
 0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp)) ->
@@ -276,7 +274,7 @@
 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) ->
 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) ->
 0.000000 MetaHookPost CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1561684839.152939, node=zeek, filter=ip or not ip, init=T, success=T])) ->
 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Broker::LOG)) ->
 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Cluster::LOG)) ->
 0.000000 MetaHookPost CallFunction(Log::add_default_filter, , (Config::LOG)) ->
@@ -457,7 +455,7 @@
 0.000000 MetaHookPost CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])) ->
 0.000000 MetaHookPost CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])) ->
 0.000000 MetaHookPost CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])) ->
-0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T])) ->
+0.000000 MetaHookPost CallFunction(Log::write, , (PacketFilter::LOG, [ts=1561684839.152939, node=zeek, filter=ip or not ip, init=T, success=T])) ->
 0.000000 MetaHookPost CallFunction(NetControl::check_plugins, , ()) ->
 0.000000 MetaHookPost CallFunction(NetControl::init, , ()) ->
 0.000000 MetaHookPost CallFunction(Notice::want_pp, , ()) ->
@@ -572,7 +570,6 @@
 0.000000 MetaHookPost LoadFile(0, .<...>/Zeek_ARP.events.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/Zeek_AsciiReader.ascii.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/Zeek_AsciiWriter.ascii.bif.zeek) -> -1
-0.000000 MetaHookPost LoadFile(0, .<...>/Zeek_BackDoor.events.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/Zeek_BenchmarkReader.benchmark.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/Zeek_BinaryReader.binary.bif.zeek) -> -1
 0.000000 MetaHookPost LoadFile(0, .<...>/Zeek_BitTorrent.events.bif.zeek) -> -1
@@ -892,7 +889,6 @@
 0.000000 MetaHookPost QueueEvent(NetControl::init()) -> false
 0.000000 MetaHookPost QueueEvent(filter_change_tracking()) -> false
 0.000000 MetaHookPost QueueEvent(zeek_init()) -> false
-0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR))
 0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_STEPPINGSTONE))
 0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS))
 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp))
@@ -958,7 +954,6 @@
 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, , (Analyzer::ANALYZER_XMPP, 5269/tcp))
-0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_BACKDOOR))
 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_STEPPINGSTONE))
 0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, , (Analyzer::ANALYZER_TCPSTATS))
 0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, , (Analyzer::ANALYZER_AYIYA, 5072/udp))
@@ -1170,7 +1165,7 @@
 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000 MetaHookPre CallFunction(Log::__create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::__write, , (PacketFilter::LOG, [ts=1561684839.152939, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Broker::LOG))
 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Cluster::LOG))
 0.000000 MetaHookPre CallFunction(Log::add_default_filter, , (Config::LOG))
@@ -1351,7 +1346,7 @@
 0.000000 MetaHookPre CallFunction(Log::create_stream, , (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird]))
 0.000000 MetaHookPre CallFunction(Log::create_stream, , (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509]))
 0.000000 MetaHookPre CallFunction(Log::create_stream, , (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql]))
-0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T]))
+0.000000 MetaHookPre CallFunction(Log::write, , (PacketFilter::LOG, [ts=1561684839.152939, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000 MetaHookPre CallFunction(NetControl::check_plugins, , ())
 0.000000 MetaHookPre CallFunction(NetControl::init, , ())
 0.000000 MetaHookPre CallFunction(Notice::want_pp, , ())
@@ -1466,7 +1461,6 @@
 0.000000 MetaHookPre LoadFile(0, .<...>/Zeek_ARP.events.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, .<...>/Zeek_AsciiReader.ascii.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, .<...>/Zeek_AsciiWriter.ascii.bif.zeek)
-0.000000 MetaHookPre LoadFile(0, .<...>/Zeek_BackDoor.events.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, .<...>/Zeek_BenchmarkReader.benchmark.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, .<...>/Zeek_BinaryReader.binary.bif.zeek)
 0.000000 MetaHookPre LoadFile(0, .<...>/Zeek_BitTorrent.events.bif.zeek)
@@ -1786,7 +1780,6 @@
 0.000000 MetaHookPre QueueEvent(NetControl::init())
 0.000000 MetaHookPre QueueEvent(filter_change_tracking())
 0.000000 MetaHookPre QueueEvent(zeek_init())
-0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
@@ -1852,7 +1845,6 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
-0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_BACKDOOR)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
@@ -2063,7 +2055,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1561684839.152939, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Broker::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Config::LOG)
@@ -2244,7 +2236,7 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1561684839.152939, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
 0.000000 | HookCallFunction Notice::want_pp()
@@ -2359,7 +2351,6 @@
 0.000000 | HookLoadFile .<...>/Zeek_ARP.events.bif.zeek
 0.000000 | HookLoadFile .<...>/Zeek_AsciiReader.ascii.bif.zeek
 0.000000 | HookLoadFile .<...>/Zeek_AsciiWriter.ascii.bif.zeek
-0.000000 | HookLoadFile .<...>/Zeek_BackDoor.events.bif.zeek
 0.000000 | HookLoadFile .<...>/Zeek_BenchmarkReader.benchmark.bif.zeek
 0.000000 | HookLoadFile .<...>/Zeek_BinaryReader.binary.bif.zeek
 0.000000 | HookLoadFile .<...>/Zeek_BitTorrent.events.bif.zeek
@@ -2675,7 +2666,7 @@
 0.000000 | HookLoadFile base<...>/xmpp
 0.000000 | HookLoadFile base<...>/zeek.bif.zeek
 0.000000 | HookLogInit packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite packet_filter [ts=1561683801.242144, node=zeek, filter=ip or not ip, init=T, success=T]
+0.000000 | HookLogWrite packet_filter [ts=1561684839.152939, node=zeek, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
 0.000000 | HookQueueEvent filter_change_tracking()
 0.000000 | HookQueueEvent zeek_init()
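Review bot: The `-`/`+` pair in the last hunk changes only the wall-clock value in `HookLogWrite packet_filter [ts=1561683801.242144, ...]` → `[ts=1561684839.152939, ...]`, which has nothing to do with removing the BackDoor analyzer; the same churn appears in the `Log::__write`/`Log::write` hunks above. It shows that this baseline records the PacketFilter::LOG `ts` field verbatim, so it will differ on every regeneration and bury real changes in noise. I would have the test canonify that field before diffing (mask `ts=<number>` in the packet_filter lines to a fixed token) and regenerate the baseline once, so that only the analyzer-related lines move in commits like this one. Which btest canonifier the test currently pipes through is not visible here, so the exact wiring needs checking in the test file.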