Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'origin/topic/awelzel/quic-ldap-event-prototypes'

Browse source 
* origin/topic/awelzel/quic-ldap-event-prototypes:
  ldap: Use longer event names
  ldap: Add spicy-events.zeek
  quic: Add spicy-events.zeek
This commit is contained in:
Arne Welzel 2023-10-19 11:08:07 +02:00
commit a503c2a672
9 changed files with 236 additions and 49 deletions
Download patch file Download diff file Expand all files Collapse all files

11
CHANGES
View file

@ -1,3 +1,14 @@
6.2.0-dev.17 | 2023-10-19 11:08:07 +0200
* ldap: Use longer event names (Arne Welzel, Corelight)
It's unusual to compress and shorten event names of protocol analyzers,
switch to a slightly longer name instead.
* ldap: Add spicy-events.zeek (Arne Welzel, Corelight)
* quic: Add spicy-events.zeek (Arne Welzel, Corelight)
6.2.0-dev.13 | 2023-10-18 12:05:24 -0700 6.2.0-dev.13 | 2023-10-18 12:05:24 -0700
* Add new SSH key exchange algorithms reported by OpenSSH 9.0 (Tim Wojtulewicz, Corelight) * Add new SSH key exchange algorithms reported by OpenSSH 9.0 (Tim Wojtulewicz, Corelight)

2
VERSION
View file

@ -1 +1 @@
6.2.0-dev.13 6.2.0-dev.17

1
scripts/base/protocols/ldap/__load__.zeek
View file

@ -1,4 +1,5 @@
@if ( have_spicy_analyzers() ) @if ( have_spicy_analyzers() )
@load ./spicy-events.zeek
@load-sigs ./dpd.sig @load-sigs ./dpd.sig
@load ./consts @load ./consts
@load ./main.zeek @load ./main.zeek

48
scripts/base/protocols/ldap/main.zeek
View file

@ -113,16 +113,6 @@ export {
# to the logging framework. # to the logging framework.
global log_ldap: event(rec: LDAP::MessageInfo); global log_ldap: event(rec: LDAP::MessageInfo);
global log_ldap_search: event(rec: LDAP::SearchInfo); global log_ldap_search: event(rec: LDAP::SearchInfo);
# Event called for each LDAP message (either direction)
global LDAP::message: event(c: connection,
message_id: int,
opcode: LDAP::ProtocolOpcode,
result: LDAP::ResultCode,
matched_dn: string,
diagnostic_message: string,
object: string,
argument: string);
} }
redef record connection += { redef record connection += {
@ -268,16 +258,16 @@ event LDAP::message(c: connection,
} }
############################################################################# #############################################################################
event LDAP::searchreq(c: connection, event LDAP::search_request(c: connection,
message_id: int, message_id: int,
base_object: string, base_object: string,
scope: LDAP::SearchScope, scope: LDAP::SearchScope,
deref: LDAP::SearchDerefAlias, deref: LDAP::SearchDerefAlias,
size_limit: int, size_limit: int,
time_limit: int, time_limit: int,
types_only: bool, types_only: bool,
filter: string, filter: string,
attributes: vector of string) { attributes: vector of string) {
set_session(c, message_id, LDAP::ProtocolOpcode_SEARCH_REQUEST); set_session(c, message_id, LDAP::ProtocolOpcode_SEARCH_REQUEST);
@ -306,9 +296,9 @@ event LDAP::searchreq(c: connection,
} }
############################################################################# #############################################################################
event LDAP::searchres(c: connection, event LDAP::search_result(c: connection,
message_id: int, message_id: int,
object_name: string) { object_name: string) {
set_session(c, message_id, LDAP::ProtocolOpcode_SEARCH_RESULT_ENTRY); set_session(c, message_id, LDAP::ProtocolOpcode_SEARCH_RESULT_ENTRY);
@ -316,12 +306,12 @@ event LDAP::searchres(c: connection,
} }
############################################################################# #############################################################################
event LDAP::bindreq(c: connection, event LDAP::bind_request(c: connection,
message_id: int, message_id: int,
version: int, version: int,
name: string, name: string,
authType: LDAP::BindAuthType, authType: LDAP::BindAuthType,
authInfo: string) { authInfo: string) {
set_session(c, message_id, LDAP::ProtocolOpcode_BIND_REQUEST); set_session(c, message_id, LDAP::ProtocolOpcode_BIND_REQUEST);
if ( ! c$ldap$messages[message_id]?$version ) if ( ! c$ldap$messages[message_id]?$version )

100
scripts/base/protocols/ldap/spicy-events.zeek Normal file
View file

@ -0,0 +1,100 @@
##! Events generated by the LDAP analyzer.
##!
##! See See `RFC4511 <https://tools.ietf.org/html/rfc4511>`__.
## Event generated for each LDAPMessage (either direction).
##
## c: The connection.
##
## message_id: The messageID element.
##
## opcode: The protocolOp field in the message.
##
## result: The result code if the message contains a result.
##
## matched_dn: The DN if the message contains a result.
##
## diagnostic_message: Diagnostic message if the LDAP message contains a result.
##
## object: The object name this message refers to.
##
## argument: Additional arguments this message includes.
global LDAP::message: event(
c: connection,
message_id: int,
opcode: LDAP::ProtocolOpcode,
result: LDAP::ResultCode,
matched_dn: string,
diagnostic_message: string,
object: string,
argument: string
);
## Event generated for each LDAPMessage containing a BindRequest.
##
## c: The connection.
##
## message_id: The messageID element.
##
## version: The version field in the BindRequest.
##
## name: The name field in the BindRequest.
##
## auth_type: The auth type field in the BindRequest.
##
## auth_info: Additional information related to the used auth type.
global LDAP::bind_request: event(
c: connection,
message_id: int,
version: int,
name: string,
auth_type: LDAP::BindAuthType,
auth_info: string
);
## Event generated for each LDAPMessage containing a SearchRequest.
##
## c: The connection.
##
## message_id: The messageID element.
##
## base_object: The baseObject field in the SearchRequest.
##
## scope: The scope field in the SearchRequest.
##
## deref_alias: The derefAlias field in the SearchRequest
##
## size_limit: The sizeLimit field in the SearchRequest.
##
## time_limit: The timeLimit field in the SearchRequest.
##
## types_only: The typesOnly field in the SearchRequest.
##
## filter: The string representation of the filter field in the SearchRequest.
##
## attributes: Additional attributes of the SearchRequest.
global LDAP::search_request: event (
c: connection,
message_id: int,
base_object: string,
scope: LDAP::SearchScope,
deref: LDAP::SearchDerefAlias,
size_limit: int,
time_limit: int,
types_only: bool,
filter: string,
attributes: vector of string
);
## Event generated for each SearchResultEntry in LDAP messages.
##
## c: The connection.
##
## message_id: The messageID element.
##
## object_name: The object name in the SearchResultEntry.
global LDAP::search_result: event (
c: connection,
message_id: int,
object_name: string
);

1
scripts/base/protocols/quic/__load__.zeek
View file

@ -1,4 +1,5 @@
@ifdef ( Analyzer::ANALYZER_QUIC ) @ifdef ( Analyzer::ANALYZER_QUIC )
@load ./spicy-events
@load ./consts @load ./consts
@load ./main @load ./main
@endif @endif

82
scripts/base/protocols/quic/spicy-events.zeek Normal file
View file

@ -0,0 +1,82 @@
##! Events generated by the QUIC analyzer.
##!
##! See See `RFC9000 <https://tools.ietf.org/html/rfc9000>`__.
## Generated for a QUIC Initial packet.
##
## c: The connection.
##
## is_orig: True if the packet is from the the connection's originator.
##
## version: The Version field.
##
## dcid: The Destination Connection ID field.
##
## scid: The Source Connection ID field.
##
global QUIC::initial_packet: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string);
## Generated for a QUIC Retry packet.
##
## c: The connection.
##
## is_orig: True if the packet is from the the connection's originator.
##
## version: The Version field.
##
## dcid: The Destination Connection ID field.
##
## scid: The Source Connection ID field.
##
## retry_token: The Retry Token field.
##
## integrity_tag: The Retry Integrity Tag field.
global QUIC::retry_packet: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string, retry_token: string, retry_integrity_tag: string);
## Generated for a QUIC Handshake packet.
##
## c: The connection.
##
## is_orig: True if the packet is from the the connection's originator.
##
## version: The Version field.
##
## dcid: The Destination Connection ID field.
##
## scid: The Source Connection ID field.
global QUIC::handshake_packet: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string);
## Generated for a QUIC 0-RTT packet.
##
## c: The connection.
##
## is_orig: True if the packet is from the the connection's originator.
##
## version: The Version field.
##
## dcid: The Destination Connection ID field.
##
## scid: The Source Connection ID field.
global QUIC::zero_rtt_packet: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string);
## Generated for a QUIC CONNECTION_CLOSE frame.
##
## c: The connection.
##
## is_orig: True if the packet is from the the connection's originator.
##
## version: The Version field.
##
## dcid: The Destination Connection ID field.
##
## scid: The Source Connection ID field.
##
## error_code: Count indicating the reason for closing this connection.
##
## reason_phrase: Additional diagnostic information for the closure.
##
## .. note:: Packets with CONNECTION_CLOSE frames are usually encrypted after connection establishment and not visible to Zeek.
global QUIC::connection_close_frame: event(c: connection, is_orig: bool, version: count, dcid: string, scid: string, error_code: count, reason_phrase: string);

38
src/analyzer/protocol/ldap/ldap.evt
View file

@ -20,24 +20,24 @@ on LDAP::Message -> event LDAP::message($conn,
self.obj, self.obj,
self.arg); self.arg);
on LDAP::BindRequest -> event LDAP::bindreq($conn, on LDAP::BindRequest -> event LDAP::bind_request($conn,
message.messageID, message.messageID,
self.version, self.version,
self.name, self.name,
self.authType, self.authType,
message.arg); message.arg);
on LDAP::SearchRequest -> event LDAP::searchreq($conn, on LDAP::SearchRequest -> event LDAP::search_request($conn,
message.messageID, message.messageID,
self.baseObject, self.baseObject,
self.scope, self.scope,
self.deref, self.deref,
self.sizeLimit, self.sizeLimit,
self.timeLimit, self.timeLimit,
self.typesOnly, self.typesOnly,
self.filter, self.filter,
self.attributes); self.attributes);
on LDAP::SearchResultEntry -> event LDAP::searchres($conn, on LDAP::SearchResultEntry -> event LDAP::search_result($conn,
message.messageID, message.messageID,
self.objectName); self.objectName);

2
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
View file

@ -407,6 +407,7 @@ scripts/base/init-default.zeek
scripts/base/protocols/krb/consts.zeek scripts/base/protocols/krb/consts.zeek
scripts/base/protocols/krb/files.zeek scripts/base/protocols/krb/files.zeek
scripts/base/protocols/ldap/__load__.zeek scripts/base/protocols/ldap/__load__.zeek
scripts/base/protocols/ldap/spicy-events.zeek
scripts/base/protocols/ldap/consts.zeek scripts/base/protocols/ldap/consts.zeek
scripts/base/protocols/ldap/main.zeek scripts/base/protocols/ldap/main.zeek
scripts/base/protocols/modbus/__load__.zeek scripts/base/protocols/modbus/__load__.zeek
@ -425,6 +426,7 @@ scripts/base/init-default.zeek
scripts/base/protocols/ntp/consts.zeek scripts/base/protocols/ntp/consts.zeek
scripts/base/protocols/pop3/__load__.zeek scripts/base/protocols/pop3/__load__.zeek
scripts/base/protocols/quic/__load__.zeek scripts/base/protocols/quic/__load__.zeek
scripts/base/protocols/quic/spicy-events.zeek
scripts/base/protocols/quic/consts.zeek scripts/base/protocols/quic/consts.zeek
scripts/base/protocols/quic/main.zeek scripts/base/protocols/quic/main.zeek
scripts/base/protocols/radius/__load__.zeek scripts/base/protocols/radius/__load__.zeek