Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 03:28:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Do not log SOCKS passwords by default.

Browse source 
This introduces a new option, SOCKS::default_capture_password which can
be used to specify if Socks passwords are logged by default

Like fot FTP/HTTP, this option is set to false by default.

Addresses BIT-1791
This commit is contained in:
Johanna Amann 2017-12-01 14:35:51 -08:00
parent 1f6954ca3e
commit 8ba5c03538
5 changed files with 54 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

8
NEWS
View file

@ -48,6 +48,14 @@ Changed Functionality
event is considered deprecated and will be removed in a future event is considered deprecated and will be removed in a future
version of Bro. version of Bro.
- The Socks analyzer does no longer log passwords by default. This
brings its behavior in line with the FTP/HTTP analyzers which also
do not log passwords by default.
To restore the previous behavior and log Socks passwords, use:
redef SOCKS::default_capture_password = T;
Removed Functionality Removed Functionality
--------------------- ---------------------

31
scripts/base/protocols/socks/main.bro
View file

@ -6,32 +6,38 @@ module SOCKS;
export { export {
redef enum Log::ID += { LOG }; redef enum Log::ID += { LOG };
## This setting changes if passwords are captured or
## not.
const default_capture_password = F &redef;
## The record type which contains the fields of the SOCKS log. ## The record type which contains the fields of the SOCKS log.
type Info: record { type Info: record {
## Time when the proxy connection was first detected. ## Time when the proxy connection was first detected.
ts: time &log; ts: time &log;
## Unique ID for the tunnel - may correspond to connection uid ## Unique ID for the tunnel - may correspond to connection uid
## or be non-existent. ## or be non-existent.
uid: string &log; uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports. ## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log; id: conn_id &log;
## Protocol version of SOCKS. ## Protocol version of SOCKS.
version: count &log; version: count &log;
## Username used to request a login to the proxy. ## Username used to request a login to the proxy.
user: string &log &optional; user: string &log &optional;
## Password used to request a login to the proxy. ## Password used to request a login to the proxy.
password: string &log &optional; password: string &log &optional;
## Server status for the attempt at using the proxy. ## Server status for the attempt at using the proxy.
status: string &log &optional; status: string &log &optional;
## Client requested SOCKS address. Could be an address, a name ## Client requested SOCKS address. Could be an address, a name
## or both. ## or both.
request: SOCKS::Address &log &optional; request: SOCKS::Address &log &optional;
## Client requested port. ## Client requested port.
request_p: port &log &optional; request_p: port &log &optional;
## Server bound address. Could be an address, a name or both. ## Server bound address. Could be an address, a name or both.
bound: SOCKS::Address &log &optional; bound: SOCKS::Address &log &optional;
## Server bound port. ## Server bound port.
bound_p: port &log &optional; bound_p: port &log &optional;
## Determines if the password will be captured for this request.
capture_password: bool &default=default_capture_password;
}; };
## Event that can be handled to access the SOCKS ## Event that can be handled to access the SOCKS
@ -93,7 +99,8 @@ event socks_login_userpass_request(c: connection, user: string, password: string
set_session(c, 5); set_session(c, 5);
c$socks$user = user; c$socks$user = user;
c$socks$password = password; if ( c$socks$capture_password )
c$socks$password = password;
} }
event socks_login_userpass_reply(c: connection, code: count) &priority=5 event socks_login_userpass_reply(c: connection, code: count) &priority=5

10
testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/socks.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path socks
#open 2017-12-01-22-33-17
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user password status request.host request.name request_p bound.host bound.name bound_p
#types time string addr port addr port count string string string addr string port addr string port
1368517392.724989 CHhAvVGS1DHFjwGM9 192.168.0.2 55951 192.168.0.1 1080 5 bob - succeeded 192.168.0.2 - 22 192.168.0.1 - 55951
#close 2017-12-01-22-33-17

10
testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/tunnel.log Normal file
View file

@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path tunnel
#open 2017-12-01-22-33-17
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
1368517392.728523 - 192.168.0.2 0 192.168.0.1 1080 Tunnel::SOCKS Tunnel::DISCOVER
#close 2017-12-01-22-33-17

6
testing/btest/scripts/base/protocols/socks/socks-auth.bro
View file

@ -3,3 +3,9 @@
# @TEST-EXEC: btest-diff tunnel.log # @TEST-EXEC: btest-diff tunnel.log
@load base/protocols/socks @load base/protocols/socks
redef SOCKS::default_capture_password = T;
@TEST-START-NEXT
@load base/protocols/socks