Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 12:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'origin/master' into topic/seth/dce_rpc_fixes

Browse source
This commit is contained in:
Robin Sommer 2016-10-25 16:31:18 -07:00
commit aab3819c70
30 changed files with 415 additions and 145 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/RuleCondition.cc
View file

@ -89,6 +89,10 @@ bool RuleConditionPayloadSize::DoMatch(Rule* rule, RuleEndpointState* state,
// on the pure rules now.
return false;
if ( state->PayloadSize() == 0 )
// We are interested in the first non-empty chunk.
return false;
uint32 payload_size = uint32(state->PayloadSize());
switch ( comp ) {

6
src/RuleMatcher.cc
View file

@ -144,7 +144,7 @@ bool RuleHdrTest::operator==(const RuleHdrTest& h)
void RuleHdrTest::PrintDebug()
{
static const char* str_comp[] = { "<=", ">=", "<", ">", "==", "!=" };
static const char* str_prot[] = { "", "ip", "icmp", "tcp", "udp" };
static const char* str_prot[] = { "", "ip", "ipv6", "icmp", "icmpv6", "tcp", "udp", "next", "ipsrc", "ipdst" };
fprintf(stderr, " RuleHdrTest %s[%d:%d] %s",
str_prot[prot], offset, size, str_comp[comp]);
@ -1095,10 +1095,10 @@ void RuleMatcher::ExecRule(Rule* rule, RuleEndpointState* state, bool eos)
void RuleMatcher::ClearEndpointState(RuleEndpointState* state)
{
state->payload_size = -1;
ExecPureRules(state, 1);
state->payload_size = -1;
loop_over_list(state->matchers, j)
state->matchers[j]->state->Clear();
}

1
src/RuleMatcher.h
View file

@ -72,6 +72,7 @@ extern uint32 id_to_uint(const char* id);
class RuleHdrTest {
public:
// Note: Adapt RuleHdrTest::PrintDebug() when changing these enums.
enum Comp { LE, GE, LT, GT, EQ, NE };
enum Prot { NOPROT, IP, IPv6, ICMP, ICMPv6, TCP, UDP, NEXT, IPSrc, IPDst };

4
src/analyzer/protocol/smb/smb1-com-open-andx.pac
View file

@ -52,7 +52,7 @@ type SMB1_open_andx_request(header: SMB_Header, offset: uint16) = record {
open_mode : uint16;
allocation_size : uint32;
timeout : uint32;
reserved : padding[2];
reserved : padding[4];
byte_count : uint16;
filename : SMB_string(header.unicode, offsetof(filename);
@ -74,7 +74,7 @@ type SMB1_open_andx_response(header: SMB_Header, offset: uint16) = record {
resource_type : uint16;
nm_pipe_status : uint16;
open_results : uint16;
reserved : padding[3];
reserved : padding[6];
byte_count : uint16;
extra_byte_parameters : bytestring &transient &length=(andx.offset == 0 || andx.offset >= (offset+offsetof(extra_byte_parameters))+2) ? 0 : (andx.offset-(offset+offsetof(extra_byte_parameters)));

18
src/analyzer/protocol/ssh/SSH.cc
View file

@ -16,7 +16,7 @@ SSH_Analyzer::SSH_Analyzer(Connection* c)
{
interp = new binpac::SSH::SSH_Conn(this);
had_gap = false;
auth_decision = AUTH_UNKNOWN;
auth_decision_made = false;
skipped_banner = false;
service_accept_size = 0;
userauth_failure_size = 0;
@ -60,7 +60,7 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
BifEvent::generate_ssh_encrypted_packet(interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
orig, len);
if ( auth_decision != AUTH_SUCCESS )
if ( ! auth_decision_made )
ProcessEncrypted(len, orig);
return;
@ -105,10 +105,9 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
// -16.
if ( ! userauth_failure_size && (len + 16 == service_accept_size) )
{
auth_decision_made = true;
if ( ssh_auth_successful )
BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
auth_decision = AUTH_SUCCESS;
return;
}
@ -132,20 +131,19 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
// another packet of the same size.
if ( len == userauth_failure_size )
{
if ( ssh_auth_failed && auth_decision != AUTH_FAILURE )
BifEvent::generate_ssh_auth_failed(interp->bro_analyzer(), interp->bro_analyzer()->Conn());
auth_decision = AUTH_FAILURE;
if ( ssh_auth_attempted )
BifEvent::generate_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false);
return;
}
// ...or a success packet.
if ( len - service_accept_size == -16 )
{
auth_decision_made = true;
if ( ssh_auth_attempted )
BifEvent::generate_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
if ( ssh_auth_successful )
BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), false);
auth_decision = AUTH_SUCCESS;
return;
}
}

6
src/analyzer/protocol/ssh/SSH.h
View file

@ -35,14 +35,12 @@ namespace analyzer {
bool had_gap;
// Packet analysis stuff
bool auth_decision_made;
bool skipped_banner;
int service_accept_size;
int userauth_failure_size;
enum AuthDecision {
AUTH_UNKNOWN, AUTH_FAILURE, AUTH_SUCCESS
} auth_decision;
};
}

89
src/analyzer/protocol/ssh/events.bif
View file

@ -8,9 +8,10 @@
## version: The identification string
##
## .. bro:see:: ssh_client_version ssh_auth_successful ssh_auth_failed
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
## ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key
## ssh_auth_result ssh_auth_attempted ssh_capabilities
## ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
## ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
## ssh2_ecc_key
event ssh_server_version%(c: connection, version: string%);
## An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
@ -23,9 +24,10 @@ event ssh_server_version%(c: connection, version: string%);
## version: The identification string
##
## .. bro:see:: ssh_server_version ssh_auth_successful ssh_auth_failed
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
## ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key
## ssh_auth_result ssh_auth_attempted ssh_capabilities
## ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
## ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
## ssh2_ecc_key
event ssh_client_version%(c: connection, version: string%);
## This event is generated when an :abbr:`SSH (Secure Shell)`
@ -43,25 +45,41 @@ event ssh_client_version%(c: connection, version: string%);
## unauthenticated access, which some servers support.
##
## .. bro:see:: ssh_server_version ssh_client_version ssh_auth_failed
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
## ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key
## ssh_auth_result ssh_auth_attempted ssh_capabilities
## ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
## ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
## ssh2_ecc_key
event ssh_auth_successful%(c: connection, auth_method_none: bool%);
## This event is generated when an :abbr:`SSH (Secure Shell)`
## connection was determined to have had a failed authentication. This
## determination is based on packet size analysis, and errs on the
## side of caution - that is, if there's any doubt about the
## authentication failure, this event is *not* raised.
## connection was determined to have had an authentication attempt.
## This determination is based on packet size analysis, and errs
## on the side of caution - that is, if there's any doubt about
## whether or not an authenication attempt occured, this event is
## *not* raised.
##
## At this point in the protocol, all we can determine is whether
## or not the user is authenticated. We don't know if the particular
## attempt succeeded or failed, since some servers require multiple
## authentications (e.g. require both a password AND a pubkey), and
## could return an authentication failed message which is marked
## as a partial success.
##
## This event will often be raised multiple times per connection.
## In almost all connections, it will be raised once unless
##
## c: The connection over which the :abbr:`SSH (Secure Shell)`
## connection took place.
##
## authenticated: This is true if the analyzer detected a
## successful connection from the authentication attempt.
##
## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_capabilities ssh2_server_host_key
## ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key
event ssh_auth_failed%(c: connection%);
event ssh_auth_attempted%(c: connection, authenticated: bool%);
## During the initial :abbr:`SSH (Secure Shell)` key exchange, each
## endpoint lists the algorithms that it supports, in order of
@ -79,8 +97,9 @@ event ssh_auth_failed%(c: connection%);
## advertises support for, in order of preference.
##
## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh2_server_host_key
## ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh_auth_attempted ssh2_server_host_key ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key
event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabilities%);
@ -95,8 +114,9 @@ event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabi
## itself, and not just the fingerprint or hash.
##
## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_capabilities
## ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh_auth_attempted ssh_capabilities ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key
event ssh2_server_host_key%(c: connection, key: string%);
@ -112,8 +132,9 @@ event ssh2_server_host_key%(c: connection, key: string%);
## e: The exponent for the serer's public host key.
##
## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_capabilities
## ssh2_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key
event ssh1_server_host_key%(c: connection, p: string, e: string%);
@ -133,8 +154,9 @@ event ssh1_server_host_key%(c: connection, p: string, e: string%);
## bytes. Note that this ignores reassembly, as this is unknown.
##
## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_capabilities
## ssh2_server_host_key ssh1_server_host_key ssh2_dh_server_params
## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh1_server_host_key ssh_server_host_key ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key
event ssh_encrypted_packet%(c: connection, orig: bool, len: count%);
@ -149,10 +171,11 @@ event ssh_encrypted_packet%(c: connection, orig: bool, len: count%);
##
## q: The DH generator.
##
## .. bro:see:: ssl_dh_server_params ssh_server_version
## ssh_client_version ssh_auth_successful ssh_auth_failed
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
## ssh_encrypted_packet ssh2_gss_error ssh2_ecc_key
## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
## ssh2_gss_error ssh2_ecc_key
event ssh2_dh_server_params%(c: connection, p: string, q: string%);
## In the event of a GSS-API error on the server, the server MAY send
@ -169,8 +192,9 @@ event ssh2_dh_server_params%(c: connection, p: string, q: string%);
## err_msg: Detailed human-readable error message
##
## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_capabilities
## ssh2_server_host_key ssh1_server_host_key ssh_encrypted_packet
## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
## ssh2_dh_server_params ssh2_ecc_key
event ssh2_gss_error%(c: connection, major_status: count, minor_status: count, err_msg: string%);
@ -188,7 +212,8 @@ event ssh2_gss_error%(c: connection, major_status: count, minor_status: count, e
## q: The ephemeral public key
##
## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_capabilities
## ssh2_server_host_key ssh1_server_host_key ssh_encrypted_packet
## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
## ssh2_dh_server_params ssh2_gss_error
event ssh2_ecc_key%(c: connection, is_orig: bool, q: string%);

7
src/net_util.cc
View file

@ -18,13 +18,16 @@
// Returns the ones-complement checksum of a chunk of b short-aligned bytes.
int ones_complement_checksum(const void* p, int b, uint32 sum)
{
const u_short* sp = (u_short*) p; // better be aligned!
const unsigned char* sp = (unsigned char*) p;
b /= 2; // convert to count of short's
/* No need for endian conversions. */
while ( --b >= 0 )
sum += *sp++;
{
sum += *sp + (*(sp+1) << 8);
sp += 2;
}
while ( sum > 0xffff )
sum = (sum & 0xffff) + (sum >> 16);

6
src/rule-parse.y
View file

@ -14,7 +14,7 @@ extern void end_PS();
Rule* current_rule = 0;
const char* current_rule_file = 0;
static uint8_t mask_to_len(uint32_t mask)
static uint8_t ip4_mask_to_len(uint32_t mask)
{
if ( mask == 0xffffffff )
return 32;
@ -23,7 +23,7 @@ static uint8_t mask_to_len(uint32_t mask)
uint8_t len;
for ( len = 0; len < 32 && (! (x & (1 << len))); ++len );
return len;
return 32 - len;
}
%}
@ -315,7 +315,7 @@ prefix_value:
TOK_IP
{
$$ = new IPPrefix(IPAddr(IPv4, &($1.val), IPAddr::Host),
mask_to_len($1.mask));
ip4_mask_to_len($1.mask));
}
| TOK_IP6
;