From 8ba5c035388cc52317cd81bae3c9fa3c947c7f2a Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Fri, 1 Dec 2017 14:35:51 -0800 Subject: [PATCH] Do not log SOCKS passwords by default. This introduces a new option, SOCKS::default_capture_password which can be used to specify if Socks passwords are logged by default Like fot FTP/HTTP, this option is set to false by default. Addresses BIT-1791 --- NEWS | 8 +++++ scripts/base/protocols/socks/main.bro | 33 +++++++++++-------- .../socks.log | 10 ++++++ .../tunnel.log | 10 ++++++ .../base/protocols/socks/socks-auth.bro | 6 ++++ 5 files changed, 54 insertions(+), 13 deletions(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/socks.log create mode 100644 testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/tunnel.log diff --git a/NEWS b/NEWS index d25c0920cf..57c03fe5c5 100644 --- a/NEWS +++ b/NEWS @@ -48,6 +48,14 @@ Changed Functionality event is considered deprecated and will be removed in a future version of Bro. +- The Socks analyzer does no longer log passwords by default. This + brings its behavior in line with the FTP/HTTP analyzers which also + do not log passwords by default. + + To restore the previous behavior and log Socks passwords, use: + + redef SOCKS::default_capture_password = T; + Removed Functionality --------------------- diff --git a/scripts/base/protocols/socks/main.bro b/scripts/base/protocols/socks/main.bro index 536e240b81..6995b5de88 100644 --- a/scripts/base/protocols/socks/main.bro +++ b/scripts/base/protocols/socks/main.bro 
@@ -6,32 +6,38 @@ module SOCKS;
 export {
 	redef enum Log::ID += { LOG };
+	## This setting changes if passwords are captured or
+	## not.
+	const default_capture_password = F &redef;
+
 	## The record type which contains the fields of the SOCKS log.
 	type Info: record {
 		## Time when the proxy connection was first detected.
-		ts: time &log;
+		ts: time &log;
 		## Unique ID for the tunnel - may correspond to connection uid
 		## or be non-existent.
-		uid: string &log;
+		uid: string &log;
 		## The connection's 4-tuple of endpoint addresses/ports.
-		id: conn_id &log;
+		id: conn_id &log;
 		## Protocol version of SOCKS.
-		version: count &log;
+		version: count &log;
 		## Username used to request a login to the proxy.
-		user: string &log &optional;
+		user: string &log &optional;
 		## Password used to request a login to the proxy.
-		password: string &log &optional;
+		password: string &log &optional;
 		## Server status for the attempt at using the proxy.
-		status: string &log &optional;
+		status: string &log &optional;
 		## Client requested SOCKS address. Could be an address, a name
 		## or both.
-		request: SOCKS::Address &log &optional;
+		request: SOCKS::Address &log &optional;
 		## Client requested port.
-		request_p: port &log &optional;
+		request_p: port &log &optional;
 		## Server bound address. Could be an address, a name or both.
-		bound: SOCKS::Address &log &optional;
+		bound: SOCKS::Address &log &optional;
 		## Server bound port.
-		bound_p: port &log &optional;
+		bound_p: port &log &optional;
+		## Determines if the password will be captured for this request.
+		capture_password: bool &default=default_capture_password;
 	};
 	## Event that can be handled to access the SOCKS
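Review bot: The doc comment on the new `default_capture_password` constant (`## This setting changes if passwords are captured or not.`) says neither what the default is nor why it was chosen, and the comment on the `password` field further down still reads as if the field were always populated. I would reword the constant's comment to `## Whether SOCKS login passwords are recorded in the socks log. Defaults to F so that credentials are not written to disk; redef to T to restore the previous behavior.` and extend the field comment to `## Password used to request a login to the proxy. Only set when capture_password is T for the session.` The per-request `capture_password` field is deliberately not `&log`, which reads as a control knob rather than an observation; a one-line comment stating that it exists to be overridden per connection would make that intent explicit, though I am inferring that use from the `&default` alone.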
@@ -90,10 +96,11 @@ event socks_reply(c: connection, version: count, reply: count, sa: SOCKS::Addres
 event socks_login_userpass_request(c: connection, user: string, password: string) &priority=5
 	{
 	# Authentication only possible with the version 5.
-	set_session(c, 5);
+	set_session(c, 5);
 	c$socks$user = user;
-	c$socks$password = password;
+	if ( c$socks$capture_password )
+		c$socks$password = password;
 	}
 event socks_login_userpass_reply(c: connection, code: count) &priority=5
diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/socks.log b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/socks.log
new file mode 100644
index 0000000000..2f7963dbd6
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/socks.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path socks
+#open 2017-12-01-22-33-17
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user password status request.host request.name request_p bound.host bound.name bound_p
+#types time string addr port addr port count string string string addr string port addr string port
+1368517392.724989 CHhAvVGS1DHFjwGM9 192.168.0.2 55951 192.168.0.1 1080 5 bob - succeeded 192.168.0.2 - 22 192.168.0.1 - 55951
+#close 2017-12-01-22-33-17
diff --git a/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/tunnel.log b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/tunnel.log
new file mode 100644
index 0000000000..ef6bdc5b33
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.socks.socks-auth-2/tunnel.log
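Review bot: The guard `if ( c$socks$capture_password )` leaves `password` unset, so the resulting socks.log row shows `-` whether the client sent no password or capture was simply disabled (the new socks-auth-2 baseline further down this page shows exactly that for user `bob`); that ambiguity is the intended privacy trade-off, and a comment in the handler should say so, e.g. `# Only record the credential when capture is enabled for this session; the field stays unset otherwise, so '-' in the log does not imply no password was sent.` The `set_session(c, 5);` line appears as a removed/added pair with no visible content change, presumably whitespace normalization; unrelated whitespace fixes are easier to review in their own commit. Note that `user` is still recorded unconditionally, which is consistent with the commit's stated scope of passwords only.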
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path tunnel
+#open 2017-12-01-22-33-17
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
+#types time string addr port addr port enum enum
+1368517392.728523 - 192.168.0.2 0 192.168.0.1 1080 Tunnel::SOCKS Tunnel::DISCOVER
+#close 2017-12-01-22-33-17
diff --git a/testing/btest/scripts/base/protocols/socks/socks-auth.bro b/testing/btest/scripts/base/protocols/socks/socks-auth.bro
index 2123dc1d45..d58e1b5801 100644
--- a/testing/btest/scripts/base/protocols/socks/socks-auth.bro
+++ b/testing/btest/scripts/base/protocols/socks/socks-auth.bro
@@ -3,3 +3,9 @@
 # @TEST-EXEC: btest-diff tunnel.log
 @load base/protocols/socks
+
+redef SOCKS::default_capture_password = T;
+
+@TEST-START-NEXT
+
+@load base/protocols/socks