From b90351b7e6d24af40bbfcfa4ffa2a5b470b51c7d Mon Sep 17 00:00:00 2001
From: Christian Kreibich
Date: Fri, 21 Apr 2023 19:24:02 +0200
Subject: [PATCH] policy: Import zeek-community-id scripts into protocols/conn frameworks/notice
Slightly adapted for indentation.
---
 .../frameworks/notice/community-id.zeek | 35 +++++++++++++++++++
 .../protocols/conn/community-id-logging.zeek | 26 ++++++++++++++
 scripts/site/local.zeek | 7 ++++
 scripts/test-all-policy.zeek | 2 ++
 .../notice.log.cut | 3 ++
 .../conn.log.cut | 2 ++
 .../frameworks/notice/community-id.zeek | 31 ++++++++++++++++
 .../protocols/conn/community-id-logging.zeek | 5 +++
 8 files changed, 111 insertions(+)
 create mode 100644 scripts/policy/frameworks/notice/community-id.zeek
 create mode 100644 scripts/policy/protocols/conn/community-id-logging.zeek
 create mode 100644 testing/btest/Baseline/scripts.policy.frameworks.notice.community-id/notice.log.cut
 create mode 100644 testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging/conn.log.cut
 create mode 100644 testing/btest/scripts/policy/frameworks/notice/community-id.zeek
 create mode 100644 testing/btest/scripts/policy/protocols/conn/community-id-logging.zeek
diff --git a/scripts/policy/frameworks/notice/community-id.zeek b/scripts/policy/frameworks/notice/community-id.zeek
new file mode 100644
index 0000000000..5f16b64285
--- /dev/null
+++ b/scripts/policy/frameworks/notice/community-id.zeek
@@ -0,0 +1,35 @@
+# Source this script in addition to protocols/conn/community-id
+# to add Community ID to notices.
+
+# Only support loading this if the main script is also loaded.
+@load base/protocols/conn
+@load base/frameworks/notice
+
+@ifdef ( CommunityID::seed )
+
+module CommunityID::Notice;
+
+export {
+ # Turn notice support on/off at runtime. When disabled,
+ # this still leaves the `community_id` string in the notice
+ # log, just unset.
+ option enabled: bool = T;
+
+ redef record Notice::Info += {
+ community_id: string &optional &log;
+ };
+}
+
+hook Notice::notice(n: Notice::Info)
+ {
+ if ( CommunityID::Notice::enabled && n?$conn && n$conn?$conn )
+ {
+ local info = n$conn$conn;
+ # This is set during new_connection(), so it should
+ # always be there, but better safe than sorry.
+ if ( info?$community_id )
+ n$community_id = info$community_id;
+ }
+ }
+
+@endif
diff --git a/scripts/policy/protocols/conn/community-id-logging.zeek b/scripts/policy/protocols/conn/community-id-logging.zeek
new file mode 100644
index 0000000000..82bb9049a5
--- /dev/null
+++ b/scripts/policy/protocols/conn/community-id-logging.zeek
@@ -0,0 +1,26 @@
+##! Adds community hash IDs to conn.log.
+@load base/protocols/conn
+
+module CommunityID;
+
+export {
+ # An unsigned 16-bit number to seed our hashing
+ option seed: count = 0;
+
+ # Whether to add a base64 pass over the hash digest.
+ # Enabled by default, since it shortens the output.
+ option do_base64: bool = T;
+
+ # Add the ID string field to the connection log record.
+ redef record Conn::Info += {
+ community_id: string &optional &log;
+ };
+}
+
+module Conn;
+
+event new_connection(c: connection)
+ {
+ Conn::set_conn(c, F); # likely first to access :-/
+ c$conn$community_id = community_id_v1(c$id, CommunityID::seed, CommunityID::do_base64);
+ }
diff --git a/scripts/site/local.zeek b/scripts/site/local.zeek
index 5c72ca7c93..512b1ea9cc 100644
--- a/scripts/site/local.zeek
+++ b/scripts/site/local.zeek
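Review bot: The header comment on the first added line tells users to load `protocols/conn/community-id`, but the script this commit actually imports is `protocols/conn/community-id-logging` (the path used by local.zeek and by the new btest), so following the comment loads nothing. Since the whole body is wrapped in `@ifdef ( CommunityID::seed )`, loading only this script is a silent no-op — no `community_id` column, no diagnostic — and the comment should say so: `# Load this script in addition to policy/protocols/conn/community-id-logging` / `# to add Community ID to notices; without that script this file does nothing.` The `Notice::notice` hook also only fills `community_id` for notices raised with `$conn`; notices that carry just `$id` could be covered by a fallback branch, `else if ( n?$id )` / `n$community_id = community_id_v1(n$id, CommunityID::seed, CommunityID::do_base64);`, hedged on `community_id_v1` accepting a bare `conn_id`, which the conn script's own call suggests it does. Finally, the exported `enabled` option is annotated with a plain `#` comment; the `##` Zeekygen form is what surfaces exported options in the generated documentation (the same applies to `seed` and `do_base64` in the conn hunk).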
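Review bot: `option seed: count = 0;` is documented as "an unsigned 16-bit number", but `count` is wider than that and nothing in this hunk bounds the value before it reaches `community_id_v1`; what happens to a seed above 65535 is decided inside the BIF and is not visible here, so the option comment should at least state the valid range and that it is not enforced, e.g. `## Seed for the hash. Must fit in 16 bits (0..65535); larger values are passed through unchecked.` The `# likely first to access :-/` remark on the `Conn::set_conn(c, F)` call does not tell a reader why the call is needed; presumably it is there to ensure `c$conn` exists before the next line assigns into it, and a comment saying that — `# Ensure c$conn exists; this handler can run before other new_connection handlers populate it` — would be more useful. Whether `new_connection` is in fact the earliest point at which `c$conn` is touched depends on handler priorities outside this hunk.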
@@ -90,6 +90,9 @@ redef digest_salt = "Please change this value.";
 # Extend email alerting to include hostnames
 @load policy/frameworks/notice/extend-email/hostnames
 
+# Extend the notice.log with Community ID hashes
+# @load policy/frameworks/notice/community-id
+
 # Enable logging of telemetry data into telemetry.log and
 # telemetry_histogram.log.
 @load frameworks/telemetry/log
@@ -98,6 +101,10 @@ redef digest_salt = "Please change this value.";
 # this might impact performance a bit.
 # @load policy/protocols/ssl/heartbleed
 
+# Uncomment the following line to enable logging of Community ID hashes in
+# the conn.log file.
+# @load policy/protocols/conn/community-id-logging
+
 # Uncomment the following line to enable logging of connection VLANs. Enabling
 # this adds two VLAN fields to the conn.log file.
 # @load policy/protocols/conn/vlan-logging
diff --git a/scripts/test-all-policy.zeek b/scripts/test-all-policy.zeek
index 87dd2e661c..63247006d0 100644
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@@ -64,6 +64,7 @@
 @load frameworks/files/hash-all-files.zeek
 @load frameworks/notice/__load__.zeek
 @load frameworks/notice/actions/drop.zeek
+@load frameworks/notice/community-id.zeek
 @load frameworks/notice/extend-email/hostnames.zeek
 @load files/x509/disable-certificate-events-known-certs.zeek
 @load frameworks/packet-filter/shunt.zeek
@@ -85,6 +86,7 @@
 @load misc/weird-stats.zeek
 @load misc/trim-trace-file.zeek
 @load misc/unknown-protocols.zeek
+@load protocols/conn/community-id-logging.zeek
 @load protocols/conn/known-hosts.zeek
 @load protocols/conn/known-services.zeek
 @load protocols/conn/mac-logging.zeek
diff --git a/testing/btest/Baseline/scripts.policy.frameworks.notice.community-id/notice.log.cut b/testing/btest/Baseline/scripts.policy.frameworks.notice.community-id/notice.log.cut
new file mode 100644
index 0000000000..7227d38c91
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.frameworks.notice.community-id/notice.log.cut
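Review bot: The new comment `# Extend the notice.log with Community ID hashes` in the first local.zeek hunk reads as if the load below it were active, while the matching entry in the second hunk is phrased as "Uncomment the following line to enable ..."; the two should use the same form so an operator scanning the file sees at a glance that both are opt-in. The notice entry also omits that it only has an effect when the conn script is loaded as well (the notice script is guarded by `@ifdef ( CommunityID::seed )`), so a reader uncommenting just this line gets nothing. Suggested wording: `# Uncomment the following line to add Community ID hashes to notice.log. This` / `# requires policy/protocols/conn/community-id-logging (see below) to be loaded too.`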
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+- - - - - - COMMUNITY_ID_INIT Zeek initializing
+141.142.228.5 59856 192.150.187.43 80 tcp 1:yvyB8h+3dnggTZW0UEITWCst97w= COMMUNITY_ID_CONN_ESTABLISHED Connection establishment
diff --git a/testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging/conn.log.cut b/testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging/conn.log.cut
new file mode 100644
index 0000000000..b02a020eb9
--- /dev/null
+++ b/testing/btest/Baseline/scripts.policy.protocols.conn.community-id-logging/conn.log.cut
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+141.142.228.5 59856 192.150.187.43 80 tcp - 1:yvyB8h+3dnggTZW0UEITWCst97w=
diff --git a/testing/btest/scripts/policy/frameworks/notice/community-id.zeek b/testing/btest/scripts/policy/frameworks/notice/community-id.zeek
new file mode 100644
index 0000000000..8383017c63
--- /dev/null
+++ b/testing/btest/scripts/policy/frameworks/notice/community-id.zeek
@@ -0,0 +1,31 @@
+# This test verifies Community ID presence in the notice log, when
+# that part of the package is loaded. The test creates one notice
+# without connection state and one with, and verifies that the latter
+# includes the Community ID value for it.
+
+# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT
+# @TEST-EXEC: zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p proto community_id note msg < notice.log > notice.log.cut
+# @TEST-EXEC: btest-diff notice.log.cut
+
+@load protocols/conn/community-id-logging
+@load frameworks/notice/community-id
+
+redef enum Notice::Type += {
+ COMMUNITY_ID_INIT,
+ COMMUNITY_ID_CONN_ESTABLISHED,
+};
+
+event zeek_init()
+ {
+ # A notice without connection context
+ NOTICE([$note=COMMUNITY_ID_INIT,
+ $msg="Zeek initializing"]);
+ }
+
+event connection_established(c: connection)
+ {
+ # A notice with connection context
+ NOTICE([$note=COMMUNITY_ID_CONN_ESTABLISHED,
+ $msg="Connection establishment",
+ $conn=c]);
+ }
diff --git a/testing/btest/scripts/policy/protocols/conn/community-id-logging.zeek b/testing/btest/scripts/policy/protocols/conn/community-id-logging.zeek
new file mode 100644
index 0000000000..4dd18920d5
--- /dev/null
+++ b/testing/btest/scripts/policy/protocols/conn/community-id-logging.zeek
@@ -0,0 +1,5 @@
+# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT
+# @TEST-EXEC: zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p proto service community_id < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+
+@load protocols/conn/community-id-logging
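Review bot: This test only exercises the default configuration of the two new scripts, so the `CommunityID::Notice::enabled` off-switch added in the notice script is never checked, and neither is the path where the notice script is loaded without `protocols/conn/community-id-logging` and must stay a silent no-op. A second run of this test with `redef CommunityID::Notice::enabled = F;` should show the `community_id` column unset for the connection notice, and a variant dropping the first `@load` should produce a notice.log without that column at all; the same gap exists in the conn test in the next hunk, which never sets `CommunityID::do_base64` to `F` or uses a non-zero `CommunityID::seed`, so the non-default hash output is unverified. The header comment still says "that part of the package is loaded", wording carried over from the external package; now that the scripts live in the policy tree, `when frameworks/notice/community-id is loaded` would be clearer.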