Merge branch 'topic/tunnels' of git://git.bro-ids.org/bro into topic/tunnels

2025-10-09 18:18:19 +00:00 · 2012-04-23 13:24:36 -05:00 · 2012-04-23 13:24:36 -05:00 · ae96314196
commit ae96314196
parent 5ce00bda8a e2da969415
20 changed files with 695 additions and 2 deletions
--- a/scripts/base/frameworks/dpd/dpd.sig
+++ b/scripts/base/frameworks/dpd/dpd.sig
@ -149,3 +149,40 @@ signature dpd_ssl_client {
  payload /^(\x16\x03[\x00\x01\x02]..\x01...\x03[\x00\x01\x02]|...?\x01[\x00\x01\x02][\x02\x03]).*/
  tcp-state originator
 }
+
+#signature dpd_ayiya {
+#  ip-proto = udp
+#  payload /^..\x11\x29/
+#  enable "ayiya"
+#}
+
+signature dpd_socks_client {
+	ip-proto == tcp
+	# '32' is a rather arbitrary max length for the user name.
+	payload /^\x04[\x01\x02].{0,32}\x00/
+	tcp-state originator
+}
+
+signature dpd_socks_server {
+	ip-proto == tcp
+	requires-reverse-signature dpd_socks_client
+	payload /^\x00[\x5a\x5b\x5c\x5d]/
+	tcp-state responder
+	enable "socks"
+}
+
+signature dpd_socks_reverse_client {
+	ip-proto == tcp
+	# '32' is a rather arbitrary max length for the user name.
+	payload /^\x04[\x01\x02].{0,32}\x00/
+	tcp-state responder
+}
+
+signature dpd_socks_reverse_server {
+	ip-proto == tcp
+	requires-reverse-signature dpd_socks_client
+	payload /^\x00[\x5a\x5b\x5c\x5d]/
+	tcp-state originator
+	enable "socks"
+}
+
--- a/scripts/base/frameworks/tunnels/load.bro
+++ b/scripts/base/frameworks/tunnels/load.bro
@ -0,0 +1,4 @@
+@load ./main
+
+const ports = { 5072/udp } &redef;
+redef dpd_config += { [ANALYZER_AYIYA] = [$ports = ports] };
--- a/scripts/base/frameworks/tunnels/main.bro
+++ b/scripts/base/frameworks/tunnels/main.bro
@ -0,0 +1,53 @@
+module Tunnels;
+
+export {
+	redef enum Log::ID += { LOG };
+	
+	type Action: enum {
+		DISCOVER,
+		CLOSE,
+	};
+	
+	type Info: record {
+		ts:          time    &log;
+		uid:         string  &log;
+		id:          conn_id &log;
+		action:      Action  &log;
+		tunnel_type: string  &log;
+		user:        string  &log &optional;
+	};
+	
+	global register: function(c: connection, tunnel_type: string);
+	
+	global active: table[conn_id] of Tunnels::Info = table();
+}
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(Tunnels::LOG, [$columns=Info]);
+	}
+
+function register(c: connection, tunnel_type: string)
+	{
+	local tunnel: Info;
+	tunnel$ts = network_time();
+	tunnel$uid = c$uid;
+	tunnel$id = c$id;
+	tunnel$action = DISCOVER;
+	tunnel$tunnel_type = tunnel_type;
+	
+	active[c$id] = tunnel;
+	Log::write(LOG, tunnel);
+	}
+	
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c$id in active )
+		{
+		local tunnel = active[c$id];
+		tunnel$action=CLOSE;
+		Log::write(LOG, tunnel);
+		
+		delete active[c$id];
+		}
+	}
--- a/scripts/base/init-default.bro
+++ b/scripts/base/init-default.bro
@ -29,6 +29,7 @@
@load base/frameworks/metrics
@load base/frameworks/intel
@load base/frameworks/reporter
+@load base/frameworks/tunnels

@load base/protocols/conn
@load base/protocols/dns
@ -36,6 +37,7 @@
@load base/protocols/http
@load base/protocols/irc
@load base/protocols/smtp
+@load base/protocols/socks
@load base/protocols/ssh
@load base/protocols/ssl
@load base/protocols/syslog
--- a/scripts/base/protocols/socks/load.bro
+++ b/scripts/base/protocols/socks/load.bro
@ -0,0 +1 @@
+@load ./main
--- a/scripts/base/protocols/socks/main.bro
+++ b/scripts/base/protocols/socks/main.bro
@ -0,0 +1,116 @@
+@load base/frameworks/tunnels
+
+module SOCKS;
+
+export {
+	type RequestType: enum {
+		CONNECTION = 1,
+		PORT       = 2,
+	};
+}
+
+event socks_request(c: connection, request_type: count, dstaddr: addr, dstname: string, p: port, user: string)
+	{
+	Tunnels::register(c, "SOCKS");
+	}
+
+#
+#global output = open_log_file("socks");
+#
+#type socks_conn: record {
+#	id: conn_id;
+#	t: time;
+#	req: socks_request_type &optional;
+#	dstaddr: addr &optional;
+#	dstname: string &optional;
+#	p: port &optional;
+#	user: string &optional;
+#	service: string &optional;
+#	variant: string &default = "SOCKS v4";
+#	granted: string &default = "no-reply";
+#};
+#
+#
+#global conns: table[conn_id] of socks_conn;
+#global proxies: set[addr] &read_expire = 24hrs;
+#
+#event socks_request(c: connection, t: socks_request_type, dstaddr: addr, dstname: string, p: port, user: string)
+#	{
+#	local id = c$id;
+#
+#	local sc: socks_conn;
+#	sc$id = id;
+#	sc$t = c$start_time;
+#	sc$req = t;
+#	
+#	if ( dstaddr != 0.0.0.0 )
+#		sc$dstaddr = dstaddr;
+#	
+#	if ( dstname != "" )
+#		sc$dstname = dstname;
+#	
+#	if ( p != 0/tcp )
+#		sc$p = p;
+#	
+#	if ( user != "" )
+#		sc$user = user;
+#	
+#	conns[id] = sc;
+#	}
+#
+#event socks_reply(c: connection, granted: bool, dst: addr, p: port)
+#	{
+#	local id = c$id;
+#	local sc: socks_conn;
+#	
+#	if ( id in conns )
+#		sc = conns[id];
+#	else
+#		{
+#		sc$id = id;
+#		sc$t = c$start_time;
+#		conns[id] = sc;
+#		}
+#
+#	sc$granted = granted ? "ok" : "denied";
+#	
+#	local proxy = c$id$resp_h;
+#	
+#	if ( proxy !in proxies )
+#		{
+#		NOTICE([$note=SOCKSProxy, $src=proxy, $sub=sc$variant,
+#				   $msg=fmt("SOCKS proxy seen at %s (%s)", proxy, sc$variant)]);
+#		add proxies[proxy];
+#		}
+#	}
+#
+#function print_conn(sc: socks_conn)
+#	{
+#	local req = "<unknown-type>";
+#	if ( sc?$req )
+#		{
+#		if ( sc$req == SOCKS_CONNECTION )
+#			req = "relay-to";
+#		if ( sc$req == SOCKS_PORT )
+#			req = "bind-port";
+#		}
+#	
+#	local p = sc?$p ? fmt("%s", sc$p) : "<no-port>";
+#	
+#	local dest = sc?$dstaddr 
+#		? (fmt("%s:%s%s", sc$dstaddr, p, (sc?$dstname ? fmt(" (%s)", sc$dstname) : "")))
+#		: (sc?$dstname ? fmt("%s:%s", sc$dstname, p) : "<no-dest>");
+#	local user = sc?$user ? fmt(" (user %s)", sc?$user) : "";
+#	
+#	local service = sc?$service ? fmt(" [%s]", sc$service) : "";
+#	
+#	print output, fmt("%.6f %s %s %s %s-> %s%s", sc$t, id_string(sc$id), req, 
+#			dest, user, sc$granted, service);
+#	}
+#
+#event connection_state_remove(c: connection)
+#	{
+#	if ( c$id in conns )
+#		print_conn(conns[c$id]);
+#	}
+#