From b765c95d6ede28ca88864791f71d2dfd7e9a9647 Mon Sep 17 00:00:00 2001
From: Jan Grashoefer
Date: Fri, 24 Jul 2015 13:58:21 +0200
Subject: [PATCH] Updated detection of Flash and AdobeAIR.

---
 scripts/base/frameworks/software/main.bro | 7 ++++
 .../http/software-browser-plugins.bro | 36 ++++++++++++++++---
 2 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/scripts/base/frameworks/software/main.bro b/scripts/base/frameworks/software/main.bro
index bcb791b4f4..0c1c4cd302 100644
--- a/scripts/base/frameworks/software/main.bro
+++ b/scripts/base/frameworks/software/main.bro
@@ -280,6 +280,13 @@ function parse_mozilla(unparsed_version: string): Description
 v = parse(parts[1])$version;
 }
 }
+else if ( /AdobeAIR\/[0-9\.]*/ in unparsed_version )
+{
+software_name = "AdobeAIR";
+parts = split_string_all(unparsed_version, /AdobeAIR\/[0-9\.]*/);
+if ( 1 in parts )
+v = parse(parts[1])$version;
+}
 else if ( /AppleWebKit\/[0-9\.]*/ in unparsed_version )
 {
 software_name = "Unspecified WebKit";
diff --git a/scripts/policy/protocols/http/software-browser-plugins.bro b/scripts/policy/protocols/http/software-browser-plugins.bro
index ab4bb93b15..3583f7e9e9 100644
--- a/scripts/policy/protocols/http/software-browser-plugins.bro
+++ b/scripts/policy/protocols/http/software-browser-plugins.bro
@@ -10,6 +10,8 @@ export {
 redef record Info += {
 ## Indicates if the server is an omniture advertising server.
 omniture: bool &default=F;
+## The unparsed Flash version, if detected.
+flash_version: string &optional;
 };
 
 redef enum Software::Type += {
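Review bot: The new `AdobeAIR` branch in parse_mozilla carries no comment on why it is placed ahead of the `AppleWebKit` fallback, and that order seems to be what makes it work, since an AdobeAIR user agent presumably also carries a WebKit token; a one-line comment such as `# Keep this ahead of the AppleWebKit fallback: AdobeAIR user agents also carry a WebKit token.` would stop a later reorder from silently breaking the detection. The pattern `[0-9\.]*` also accepts an empty version, so a bare `AdobeAIR/` sets software_name while parse() is handed a token with no digits; if a version-less hit is not wanted, `[0-9\.]+` in both the `in` test and the split would require one. parse_mozilla starts before and ends after this hunk.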
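Review bot: The `flash_version` field added to Info has no `&log` attribute, so it is per-request scratch state rather than a logged column, and its comment should say so and name its source, e.g. `## Scratch state, not logged: the unparsed Flash version taken from client request headers; consumed by http_all_headers.` Without that, a reader of the export block will expect a new http.log column that never appears.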
@@ -22,12 +24,19 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 {
 if ( is_orig )
 {
-if ( name == "X-FLASH-VERSION" )
+switch ( name )
 {
-# Flash doesn't include it's name so we'll add it here since it
-# simplifies the version parsing.
-value = cat("Flash/", value);
-Software::found(c$id, [$unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN]);
+case "X-FLASH-VERSION":
+# Flash doesn't include it's name so we'll add it here since it
+# simplifies the version parsing.
+c$http$flash_version = cat("Flash/", value);
+break;
+case "X-REQUESTED-WITH":
+# This header is usually used to indicate AJAX requests (XMLHttpRequest),
+# but Chrome uses this header also to indicate the use of Flash.
+if ( /Flash/ in value )
+c$http$flash_version = value;
+break;
 }
 }
 else
@@ -38,6 +47,23 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 }
 }
 
+event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
+{
+# If a Flash was detected, it has to be logged considering the user agent.
+if ( is_orig && c$http?$flash_version )
+{
+# AdobeAIR contains a seperate Flash, which should be emphasized.
+# Note: We assume that the user agent header was not reset by the app.
+if( c$http?$user_agent )
+{
+if ( /AdobeAIR/ in c$http$user_agent )
+c$http$flash_version = cat("AdobeAIR-", c$http$flash_version);
+}
+
+Software::found(c$id, [$unparsed_version=c$http$flash_version, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN]);
+}
+}
+
 event log_http(rec: Info)
 {
 # We only want to inspect requests that were sent to omniture advertising
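Review bot: The `X-REQUESTED-WITH` case accepts any header value that contains `Flash` anywhere, and since the header is client-supplied, whatever string precedes the slash in such a value ends up as the recorded plugin name; if the Chrome form is `ShockwaveFlash/<version>`, anchoring the test, `if ( /^ShockwaveFlash\// in value )`, both tightens the match and makes the resulting software name predictable. The two cases also write the same field, so when a request carries both headers the later one silently wins, and the same product is reported under two different names depending on which path fired (`Flash/...` from the first case, the raw header value from the second); if that is intended, a comment on the second case should say so. The enclosing http_header handler starts before and ends after this hunk.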
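Review bot: In http_all_headers the line `c$http$flash_version = cat("AdobeAIR-", c$http$flash_version);` rewrites the stored field with a synthetic label, so after this handler `flash_version` no longer holds the unparsed header value its record comment promises, and any later reader of the field gets the decorated form. Building the value passed to `Software::found` in a local keeps the field faithful and also collapses the nested `if( ... )` (which lacks the space the rest of the file uses after `if`) into one condition; `hlist` stays unused, which is fine for an event signature but worth a short comment, and "seperate" in the comment should read "separate".
```bro
event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
	{
	if ( is_orig && c$http?$flash_version )
		{
		local ver = c$http$flash_version;
		# Note: We assume that the user agent header was not reset by the app.
		if ( c$http?$user_agent && /AdobeAIR/ in c$http$user_agent )
			ver = cat("AdobeAIR-", ver);
		Software::found(c$id, [$unparsed_version=ver, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN]);
		}
	}
```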