Merge remote-tracking branch 'origin/master' into topic/seth/file-entropy

# Conflicts: # scripts/test-all-policy.bro # testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
2025-10-07 00:58:19 +00:00 · 2016-03-21 11:39:15 -04:00 · 2016-03-21 11:39:15 -04:00 · 89b4d79f93
commit 89b4d79f93
parent 2e47c277d8 33f9eca0c8
1081 changed files with 38403 additions and 11012 deletions
--- a/scripts/policy/frameworks/control/controller.bro
+++ b/scripts/policy/frameworks/control/controller.bro
@ -4,7 +4,7 @@
 ##!
 ##! It's intended to be used from the command line like this::
 ##!
-##!     bro <scripts> frameworks/control/controller Control::host=<host_addr> Control::port=<host_port> Control::cmd=<command> [Control::arg=<arg>]
+##!     bro <scripts> frameworks/control/controller Control::host=<host_addr> Control::host_port=<host_port> Control::cmd=<command> [Control::arg=<arg>]

@load base/frameworks/control
@load base/frameworks/communication
--- a/scripts/policy/frameworks/files/extract-all-files.bro
+++ b/scripts/policy/frameworks/files/extract-all-files.bro
@ -0,0 +1,8 @@
+##! Extract all files to disk.
+
+@load base/files/extract
+
+event file_new(f: fa_file)
+	{
+	Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
+	}
--- a/scripts/policy/frameworks/files/hash-all-files.bro
+++ b/scripts/policy/frameworks/files/hash-all-files.bro
@ -1,5 +1,7 @@
 ##! Perform MD5 and SHA1 hashing on all files.

+@load base/files/hash
+
 event file_new(f: fa_file)
 	{
 	Files::add_analyzer(f, Files::ANALYZER_MD5);
--- a/scripts/policy/frameworks/intel/seen/pubkey-hashes.bro
+++ b/scripts/policy/frameworks/intel/seen/pubkey-hashes.bro
@ -0,0 +1,11 @@
+@load base/frameworks/intel
+@load ./where-locations
+
+event ssh_server_host_key(c: connection, hash: string)
+	{
+	local seen = Intel::Seen($indicator=hash,
+				 $indicator_type=Intel::PUBKEY_HASH,
+				 $conn=c,
+				 $where=SSH::IN_SERVER_HOST_KEY);
+	Intel::seen(seen);
+	}
--- a/scripts/policy/frameworks/intel/seen/ssl.bro
+++ b/scripts/policy/frameworks/intel/seen/ssl.bro
@ -10,3 +10,16 @@ event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
 		             $conn=c,
 		             $where=SSL::IN_SERVER_NAME]);
 	}
+
+event ssl_established(c: connection)
+	{
+	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
+	     ! c$ssl$cert_chain[0]?$x509 )
+		return;
+
+	if ( c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$cn )
+		Intel::seen([$indicator=c$ssl$cert_chain[0]$x509$certificate$cn,
+			$indicator_type=Intel::DOMAIN,
+			$conn=c,
+			$where=X509::IN_CERT]);
+	}
--- a/scripts/policy/frameworks/intel/seen/where-locations.bro
+++ b/scripts/policy/frameworks/intel/seen/where-locations.bro
@ -21,6 +21,7 @@ export {
 		SMTP::IN_REPLY_TO,
 		SMTP::IN_X_ORIGINATING_IP_HEADER,
 		SMTP::IN_MESSAGE,
+		SSH::IN_SERVER_HOST_KEY,
 		SSL::IN_SERVER_NAME,
 		SMTP::IN_HEADER,
 		X509::IN_CERT,
--- a/scripts/policy/frameworks/intel/seen/x509.bro
+++ b/scripts/policy/frameworks/intel/seen/x509.bro
@ -2,6 +2,18 @@
@load base/files/x509
@load ./where-locations

+event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName)
+	{
+	if ( ext?$dns )
+		{
+		for ( i in ext$dns )
+			Intel::seen([$indicator=ext$dns[i],
+				$indicator_type=Intel::DOMAIN,
+				$f=f,
+				$where=X509::IN_CERT]);
+		}
+	}
+
 event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
 	{
 	if ( /emailAddress=/ in cert$subject )
--- a/scripts/policy/frameworks/software/windows-version-detection.bro
+++ b/scripts/policy/frameworks/software/windows-version-detection.bro
@ -53,7 +53,7 @@ export {

 event HTTP::log_http(rec: HTTP::Info) &priority=5
        {
-        if ( rec?$host && rec?$user_agent && rec$host == "crl.microsoft.com" &&
+        if ( rec?$host && rec?$user_agent && /crl.microsoft.com/ in rec$host &&
             /Microsoft-CryptoAPI\// in rec$user_agent )
                {
                if ( rec$user_agent !in crypto_api_mapping )