Merge remote-tracking branch 'origin/topic/johanna/socks-password'

* origin/topic/johanna/socks-password:
  Do not log SOCKS passwords by default.

BIT-1791 #merged
This commit is contained in:
Jon Siwek 2017-12-02 09:45:04 -06:00
commit 9d2c41a4ff
7 changed files with 62 additions and 14 deletions


@ -1,4 +1,11 @@
2.5-362 | 2017-12-02 09:45:04 -0600
* BIT-1791: Do not log SOCKS passwords by default and add
SOCKS::default_capture_password option. (Johanna Amann)
* Add missing ; in SSL binpac parser, found by Luke Valenta. (Johanna Amann)
2.5-359 | 2017-11-29 14:01:37 -0600 2.5-359 | 2017-11-29 14:01:37 -0600
* Add --ccache option to configure script (requires CMake 3.10+). (Corelight) * Add --ccache option to configure script (requires CMake 3.10+). (Corelight)

8
NEWS

@ -48,6 +48,14 @@ Changed Functionality
event is considered deprecated and will be removed in a future event is considered deprecated and will be removed in a future
version of Bro. version of Bro.
- The Socks analyzer no longer logs passwords by default. This
brings its behavior in line with the FTP/HTTP analyzers which also
do not log passwords by default.
To restore the previous behavior and log Socks passwords, use:
redef SOCKS::default_capture_password = T;
Removed Functionality Removed Functionality
--------------------- ---------------------


@ -1 +1 @@
2.5-359 2.5-362


@ -6,32 +6,37 @@ module SOCKS;
export { export {
redef enum Log::ID += { LOG }; redef enum Log::ID += { LOG };
## Whether passwords are captured or not.
const default_capture_password = F &redef;
## The record type which contains the fields of the SOCKS log. ## The record type which contains the fields of the SOCKS log.
type Info: record { type Info: record {
## Time when the proxy connection was first detected. ## Time when the proxy connection was first detected.
ts: time &log; ts: time &log;
## Unique ID for the tunnel - may correspond to connection uid ## Unique ID for the tunnel - may correspond to connection uid
## or be non-existent. ## or be non-existent.
uid: string &log; uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports. ## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log; id: conn_id &log;
## Protocol version of SOCKS. ## Protocol version of SOCKS.
version: count &log; version: count &log;
## Username used to request a login to the proxy. ## Username used to request a login to the proxy.
user: string &log &optional; user: string &log &optional;
## Password used to request a login to the proxy. ## Password used to request a login to the proxy.
password: string &log &optional; password: string &log &optional;
## Server status for the attempt at using the proxy. ## Server status for the attempt at using the proxy.
status: string &log &optional; status: string &log &optional;
## Client requested SOCKS address. Could be an address, a name ## Client requested SOCKS address. Could be an address, a name
## or both. ## or both.
request: SOCKS::Address &log &optional; request: SOCKS::Address &log &optional;
## Client requested port. ## Client requested port.
request_p: port &log &optional; request_p: port &log &optional;
## Server bound address. Could be an address, a name or both. ## Server bound address. Could be an address, a name or both.
bound: SOCKS::Address &log &optional; bound: SOCKS::Address &log &optional;
## Server bound port. ## Server bound port.
bound_p: port &log &optional; bound_p: port &log &optional;
## Determines if the password will be captured for this request.
capture_password: bool &default=default_capture_password;
}; };
## Event that can be handled to access the SOCKS ## Event that can be handled to access the SOCKS
@ -93,7 +98,9 @@ event socks_login_userpass_request(c: connection, user: string, password: string
set_session(c, 5); set_session(c, 5);
c$socks$user = user; c$socks$user = user;
c$socks$password = password;
if ( c$socks$capture_password )
c$socks$password = password;
} }
event socks_login_userpass_reply(c: connection, code: count) &priority=5 event socks_login_userpass_reply(c: connection, code: count) &priority=5
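Review bot: The per-request override field `capture_password` is read immediately after `set_session(c, 5)` inside the same `socks_login_userpass_request` handler, so unless an earlier event already created `c$socks` (nothing visible here does, and the handler's signature and priority are cut off at the hunk header), a user script cannot flip it for a single connection before the password is copied — only the global `redef SOCKS::default_capture_password = T` takes effect, which is also the only path the commit's test exercises. The field comment should say so, e.g. `## Determines if the password will be captured for this request. Defaults to default_capture_password; a per-connection override only works if set before socks_login_userpass_request copies the password.` The doc on `default_capture_password` is also thin for a privacy-sensitive option: it should state that only the `password` column of socks.log is suppressed, that the credential is still delivered to `socks_login_userpass_request` handlers, and that `user` is still logged, e.g. `## Whether passwords are captured or not. Only suppresses the password field in socks.log; the credential remains visible to event handlers and the username is logged regardless.` Both hunks' enclosing definitions (the `export` block and the handler body) extend beyond the visible lines.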


@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path socks
#open 2017-12-01-22-33-17
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version user password status request.host request.name request_p bound.host bound.name bound_p
#types time string addr port addr port count string string string addr string port addr string port
1368517392.724989 CHhAvVGS1DHFjwGM9 192.168.0.2 55951 192.168.0.1 1080 5 bob - succeeded 192.168.0.2 - 22 192.168.0.1 - 55951
#close 2017-12-01-22-33-17


@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path tunnel
#open 2017-12-01-22-33-17
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action
#types time string addr port addr port enum enum
1368517392.728523 - 192.168.0.2 0 192.168.0.1 1080 Tunnel::SOCKS Tunnel::DISCOVER
#close 2017-12-01-22-33-17


@ -3,3 +3,9 @@
# @TEST-EXEC: btest-diff tunnel.log # @TEST-EXEC: btest-diff tunnel.log
@load base/protocols/socks @load base/protocols/socks
redef SOCKS::default_capture_password = T;
@TEST-START-NEXT
@load base/protocols/socks