Merge remote-tracking branch 'origin/master' into topic/robin/dynamic-plugins-2.3

scripts/base/frameworks/logging/writers/ascii.bro

@@ -26,20 +26,20 @@ export {
 	## This option is also available as a per-filter ``$config`` option.
 	const use_json = F &redef;
 
-	## Format of timestamps when writing out JSON. By default, the JSON formatter will
-	## use double values for timestamps which represent the number of seconds from the
-	## UNIX epoch.
+	## Format of timestamps when writing out JSON. By default, the JSON
+	## formatter will use double values for timestamps which represent the
+	## number of seconds from the UNIX epoch.
 	const json_timestamps: JSON::TimestampFormat = JSON::TS_EPOCH &redef;
 
 	## If true, include lines with log meta information such as column names
 	## with types, the values of ASCII logging options that are in use, and
 	## the time when the file was opened and closed (the latter at the end).
-        ##
+	##
 	## If writing in JSON format, this is implicitly disabled.
 	const include_meta = T &redef;
 
 	## Prefix for lines with meta information.
-        ##
+	##
 	## This option is also available as a per-filter ``$config`` option.
 	const meta_prefix = "#" &redef;
 

scripts/base/frameworks/notice/main.bro

@@ -20,7 +20,8 @@ export {
 	## category along with the specific notice separating words with
 	## underscores and using leading capitals on each word except for
 	## abbreviations which are kept in all capitals.  For example,
-	## SSH::Login is for heuristically guessed successful SSH logins.
+	## SSH::Password_Guessing is for hosts that have crossed a threshold of
+	## heuristically determined failed SSH logins.
 	type Type: enum {
 		## Notice reporting a count of how often a notice occurred.
 		Tally,

scripts/base/frameworks/signatures/main.bro

@@ -71,7 +71,7 @@ export {
 		## to be logged has occurred.
 		ts:         time         &log;
 		## A unique identifier of the connection which triggered the
-		## signature match event
+		## signature match event.
 		uid:        string       &log &optional;
 		## The host which triggered the signature match event.
 		src_addr:   addr         &log &optional;

scripts/base/frameworks/sumstats/cluster.bro

@@ -28,10 +28,6 @@ export {
 	## values for a sumstat.
 	global cluster_ss_request: event(uid: string, ss_name: string, cleanup: bool);
 
-	# Event sent by nodes that are collecting sumstats after receiving a
-	# request for the sumstat from the manager.
-	#global cluster_ss_response: event(uid: string, ss_name: string, data: ResultTable, done: bool, cleanup: bool);
-
 	## This event is sent by the manager in a cluster to initiate the
 	## collection of a single key value from a sumstat.  It's typically used
 	## to get intermediate updates before the break interval triggers to
@@ -144,7 +140,7 @@ event SumStats::cluster_ss_request(uid: string, ss_name: string, cleanup: bool)
 	sending_results[uid] = (ss_name in result_store) ? result_store[ss_name] : table();
 
 	# Lookup the actual sumstats and reset it, the reference to the data
-	# currently stored will be maintained internally from the 
+	# currently stored will be maintained internally from the
 	# sending_results table.
 	if ( cleanup && ss_name in stats_store )
 		reset(stats_store[ss_name]);
@@ -159,7 +155,7 @@ event SumStats::cluster_get_result(uid: string, ss_name: string, key: Key, clean
 		if ( uid in sending_results && key in sending_results[uid] )
 			{
 			# Note: copy is needed to compensate serialization caching issue. This should be
-			# changed to something else later. 
+			# changed to something else later.
 			event SumStats::cluster_send_result(uid, ss_name, key, copy(sending_results[uid][key]), cleanup);
 			delete sending_results[uid][key];
 			}
@@ -170,12 +166,12 @@ event SumStats::cluster_get_result(uid: string, ss_name: string, key: Key, clean
 			event SumStats::cluster_send_result(uid, ss_name, key, table(), cleanup);
 			}
 		}
-	else 
+	else
 		{
 		if ( ss_name in result_store && key in result_store[ss_name] )
 			{
 			# Note: copy is needed to compensate serialization caching issue. This should be
-			# changed to something else later. 
+			# changed to something else later.
 			event SumStats::cluster_send_result(uid, ss_name, key, copy(result_store[ss_name][key]), cleanup);
 			}
 		else
@@ -195,6 +191,19 @@ event SumStats::cluster_threshold_crossed(ss_name: string, key: SumStats::Key, t
 	threshold_tracker[ss_name][key] = thold_index;
 	}
 
+# request-key is a non-op on the workers.
+# It only should be called by the manager. Due to the fact that we usually run the same scripts on the
+# workers and the manager, it might also be called by the workers, so we just ignore it here.
+#
+# There is a small chance that people will try running it on events that are just thrown on the workers.
+# This does not work at the moment and we cannot throw an error message, because we cannot distinguish it
+# from the "script is running it everywhere" case. But - people should notice that they do not get results.
+# Not entirely pretty, sorry :(
+function request_key(ss_name: string, key: Key): Result
+	{
+	return Result();
+	}
+
 @endif
 
 
@@ -215,7 +224,6 @@ global stats_keys: table[string] of set[Key] &read_expire=1min
 # matches the number of peer nodes that results should be coming from, the
 # result is written out and deleted from here.
 # Indexed on a uid.
-# TODO: add an &expire_func in case not all results are received.
 global done_with: table[string] of count &read_expire=1min &default=0;
 
 # This variable is maintained by managers to track intermediate responses as
@@ -414,7 +422,7 @@ event SumStats::cluster_send_result(uid: string, ss_name: string, key: Key, resu
 	# Mark that a worker is done.
 	if ( uid !in done_with )
 		done_with[uid] = 0;
-	
+
 	#print fmt("MANAGER: got a result for %s %s from %s", uid, key, get_event_peer()$descr);
 	++done_with[uid];
 

scripts/base/init-bare.bro

@@ -2819,7 +2819,7 @@ export {
 	## Result of an X509 certificate chain verification
 	type Result: record {
 		## OpenSSL result code
-		result:	count;
+		result:	int;
 		## Result as string
 		result_string: string;
 		## References to the final certificate chain, if verification successful. End-host certificate is first.
@@ -2836,6 +2836,24 @@ export {
 		name: string &optional;
 	} &log;
 }
+
+module RADIUS;
+
+export {
+	type RADIUS::AttributeList: vector of string;
+	type RADIUS::Attributes: table[count] of RADIUS::AttributeList;
+
+	type RADIUS::Message: record {
+		## The type of message (Access-Request, Access-Accept, etc.).
+		code          : count;
+		## The transaction ID.
+		trans_id      : count;
+		## The "authenticator" string.
+		authenticator : string;
+		## Any attributes.
+		attributes    : RADIUS::Attributes &optional;
+	};
+}
 module GLOBAL;
 
 @load base/bif/plugins/Bro_SNMP.types.bif

scripts/base/init-default.bro

@@ -47,6 +47,7 @@
 @load base/protocols/irc
 @load base/protocols/modbus
 @load base/protocols/pop3
+@load base/protocols/radius
 @load base/protocols/snmp
 @load base/protocols/smtp
 @load base/protocols/socks

scripts/base/protocols/radius/__load__.bro

@@ -0,0 +1 @@
+@load ./main

scripts/base/protocols/radius/consts.bro

@@ -0,0 +1,231 @@
+
+module RADIUS;
+
+const msg_types: table[count] of string = {
+	[1] = "Access-Request",
+	[2] = "Access-Accept",
+	[3] = "Access-Reject",
+	[4] = "Accounting-Request",
+	[5] = "Accounting-Response",
+	[11] = "Access-Challenge",
+	[12] = "Status-Server",
+	[13] = "Status-Client",
+} &default=function(i: count): string { return fmt("unknown-%d", i); };
+
+const attr_types: table[count] of string = {
+	[1] = "User-Name",
+	[2] = "User-Password",
+	[3] = "CHAP-Password",
+	[4] = "NAS-IP-Address",
+	[5] = "NAS-Port",
+	[6] = "Service-Type",
+	[7] = "Framed-Protocol",
+	[8] = "Framed-IP-Address",
+	[9] = "Framed-IP-Netmask",
+	[10] = "Framed-Routing",
+	[11] = "Filter-Id",
+	[12] = "Framed-MTU",
+	[13] = "Framed-Compression",
+	[14] = "Login-IP-Host",
+	[15] = "Login-Service",
+	[16] = "Login-TCP-Port",
+	[18] = "Reply-Message",
+	[19] = "Callback-Number",
+	[20] = "Callback-Id",
+	[22] = "Framed-Route",
+	[23] = "Framed-IPX-Network",
+	[24] = "State",
+	[25] = "Class",
+	[26] = "Vendor-Specific",
+	[27] = "Session-Timeout",
+	[28] = "Idle-Timeout",
+	[29] = "Termination-Action",
+	[30] = "Called-Station-Id",
+	[31] = "Calling-Station-Id",
+	[32] = "NAS-Identifier",
+	[33] = "Proxy-State",
+	[34] = "Login-LAT-Service",
+	[35] = "Login-LAT-Node",
+	[36] = "Login-LAT-Group",
+	[37] = "Framed-AppleTalk-Link",
+	[38] = "Framed-AppleTalk-Network",
+	[39] = "Framed-AppleTalk-Zone",
+	[40] = "Acct-Status-Type",
+	[41] = "Acct-Delay-Time",
+	[42] = "Acct-Input-Octets",
+	[43] = "Acct-Output-Octets",
+	[44] = "Acct-Session-Id",
+	[45] = "Acct-Authentic",
+	[46] = "Acct-Session-Time",
+	[47] = "Acct-Input-Packets",
+	[48] = "Acct-Output-Packets",
+	[49] = "Acct-Terminate-Cause",
+	[50] = "Acct-Multi-Session-Id",
+	[51] = "Acct-Link-Count",
+	[52] = "Acct-Input-Gigawords",
+	[53] = "Acct-Output-Gigawords",
+	[55] = "Event-Timestamp",
+	[56] = "Egress-VLANID",
+	[57] = "Ingress-Filters",
+	[58] = "Egress-VLAN-Name",
+	[59] = "User-Priority-Table",
+	[60] = "CHAP-Challenge",
+	[61] = "NAS-Port-Type",
+	[62] = "Port-Limit",
+	[63] = "Login-LAT-Port",
+	[64] = "Tunnel-Type",
+	[65] = "Tunnel-Medium-Type",
+	[66] = "Tunnel-Client-EndPoint",
+	[67] = "Tunnel-Server-EndPoint",
+	[68] = "Acct-Tunnel-Connection",
+	[69] = "Tunnel-Password",
+	[70] = "ARAP-Password",
+	[71] = "ARAP-Features",
+	[72] = "ARAP-Zone-Access",
+	[73] = "ARAP-Security",
+	[74] = "ARAP-Security-Data",
+	[75] = "Password-Retry",
+	[76] = "Prompt",
+	[77] = "Connect-Info",
+	[78] = "Configuration-Token",
+	[79] = "EAP-Message",
+	[80] = "Message Authenticator",
+	[81] = "Tunnel-Private-Group-ID",
+	[82] = "Tunnel-Assignment-ID",
+	[83] = "Tunnel-Preference",
+	[84] = "ARAP-Challenge-Response",
+	[85] = "Acct-Interim-Interval",
+	[86] = "Acct-Tunnel-Packets-Lost",
+	[87] = "NAS-Port-Id",
+	[88] = "Framed-Pool",
+	[89] = "CUI",
+	[90] = "Tunnel-Client-Auth-ID",
+	[91] = "Tunnel-Server-Auth-ID",
+	[92] = "NAS-Filter-Rule",
+	[94] = "Originating-Line-Info",
+	[95] = "NAS-IPv6-Address",
+	[96] = "Framed-Interface-Id",
+	[97] = "Framed-IPv6-Prefix",
+	[98] = "Login-IPv6-Host",
+	[99] = "Framed-IPv6-Route",
+	[100] = "Framed-IPv6-Pool",
+	[101] = "Error-Cause",
+	[102] = "EAP-Key-Name",
+	[103] = "Digest-Response",
+	[104] = "Digest-Realm",
+	[105] = "Digest-Nonce",
+	[106] = "Digest-Response-Auth",
+	[107] = "Digest-Nextnonce",
+	[108] = "Digest-Method",
+	[109] = "Digest-URI",
+	[110] = "Digest-Qop",
+	[111] = "Digest-Algorithm",
+	[112] = "Digest-Entity-Body-Hash",
+	[113] = "Digest-CNonce",
+	[114] = "Digest-Nonce-Count",
+	[115] = "Digest-Username",
+	[116] = "Digest-Opaque",
+	[117] = "Digest-Auth-Param",
+	[118] = "Digest-AKA-Auts",
+	[119] = "Digest-Domain",
+	[120] = "Digest-Stale",
+	[121] = "Digest-HA1",
+	[122] = "SIP-AOR",
+	[123] = "Delegated-IPv6-Prefix",
+	[124] = "MIP6-Feature-Vector",
+	[125] = "MIP6-Home-Link-Prefix",
+	[126] = "Operator-Name",
+	[127] = "Location-Information",
+	[128] = "Location-Data",
+	[129] = "Basic-Location-Policy-Rules",
+	[130] = "Extended-Location-Policy-Rules",
+	[131] = "Location-Capable",
+	[132] = "Requested-Location-Info",
+	[133] = "Framed-Management-Protocol",
+	[134] = "Management-Transport-Protection",
+	[135] = "Management-Policy-Id",
+	[136] = "Management-Privilege-Level",
+	[137] = "PKM-SS-Cert",
+	[138] = "PKM-CA-Cert",
+	[139] = "PKM-Config-Settings",
+	[140] = "PKM-Cryptosuite-List",
+	[141] = "PKM-SAID",
+	[142] = "PKM-SA-Descriptor",
+	[143] = "PKM-Auth-Key",
+	[144] = "DS-Lite-Tunnel-Name",
+	[145] = "Mobile-Node-Identifier",
+	[146] = "Service-Selection",
+	[147] = "PMIP6-Home-LMA-IPv6-Address",
+	[148] = "PMIP6-Visited-LMA-IPv6-Address",
+	[149] = "PMIP6-Home-LMA-IPv4-Address",
+	[150] = "PMIP6-Visited-LMA-IPv4-Address",
+	[151] = "PMIP6-Home-HN-Prefix",
+	[152] = "PMIP6-Visited-HN-Prefix",
+	[153] = "PMIP6-Home-Interface-ID",
+	[154] = "PMIP6-Visited-Interface-ID",
+	[155] = "PMIP6-Home-IPv4-HoA",
+	[156] = "PMIP6-Visited-IPv4-HoA",
+	[157] = "PMIP6-Home-DHCP4-Server-Address",
+	[158] = "PMIP6-Visited-DHCP4-Server-Address",
+	[159] = "PMIP6-Home-DHCP6-Server-Address",
+	[160] = "PMIP6-Visited-DHCP6-Server-Address",
+	[161] = "PMIP6-Home-IPv4-Gateway",
+	[162] = "PMIP6-Visited-IPv4-Gateway",
+	[163] = "EAP-Lower-Layer",
+	[164] = "GSS-Acceptor-Service-Name",
+	[165] = "GSS-Acceptor-Host-Name",
+	[166] = "GSS-Acceptor-Service-Specifics",
+	[167] = "GSS-Acceptor-Realm-Name",
+	[168] = "Framed-IPv6-Address",
+	[169] = "DNS-Server-IPv6-Address",
+	[170] = "Route-IPv6-Information",
+	[171] = "Delegated-IPv6-Prefix-Pool",
+	[172] = "Stateful-IPv6-Address-Pool",
+	[173] = "IPv6-6rd-Configuration"
+} &default=function(i: count): string { return fmt("unknown-%d", i); };
+
+const nas_port_types: table[count] of string = {
+	[0] = "Async",
+	[1] = "Sync",
+	[2] = "ISDN Sync",
+	[3] = "ISDN Async V.120",
+	[4] = "ISDN Async V.110",
+	[5] = "Virtual",
+	[6] = "PIAFS",
+	[7] = "HDLC Clear Channel",
+	[8] = "X.25",
+	[9] = "X.75",
+	[10] = "G.3 Fax",
+	[11] = "SDSL - Symmetric DSL",
+	[12] = "ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase Modulation",
+	[13] = "ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone",
+	[14] = "IDSL - ISDN Digital Subscriber Line",
+	[15] = "Ethernet",
+	[16] = "xDSL - Digital Subscriber Line of unknown type",
+	[17] = "Cable",
+	[18] = "Wireless - Other",
+	[19] = "Wireless - IEEE 802.11"
+} &default=function(i: count): string { return fmt("unknown-%d", i); };
+
+const service_types: table[count] of string = {
+	[1] = "Login",
+	[2] = "Framed",
+	[3] = "Callback Login",
+	[4] = "Callback Framed",
+	[5] = "Outbound",
+	[6] = "Administrative",
+	[7] = "NAS Prompt",
+	[8] = "Authenticate Only",
+	[9] = "Callback NAS Prompt",
+	[10] = "Call Check",
+	[11] = "Callback Administrative",
+} &default=function(i: count): string { return fmt("unknown-%d", i); };
+
+const framed_protocol_types: table[count] of string = {
+	[1] = "PPP",
+	[2] = "SLIP",
+	[3] = "AppleTalk Remote Access Protocol (ARAP)",
+	[4] = "Gandalf proprietary SingleLink/MultiLink protocol",
+	[5] = "Xylogics proprietary IPX/SLIP",
+	[6] = "X.75 Synchronous"
+} &default=function(i: count): string { return fmt("unknown-%d", i); };

scripts/base/protocols/radius/main.bro

@@ -0,0 +1,126 @@
+##! Implements base functionality for RADIUS analysis. Generates the radius.log file.
+
+module RADIUS;
+
+@load ./consts.bro
+@load base/utils/addrs
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		## Timestamp for when the event happened.
+		ts		: time    &log;
+		## Unique ID for the connection.
+		uid		: string  &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id		: conn_id &log;
+		## The username, if present.
+		username	: string &log &optional;
+		## MAC address, if present.
+		mac		: string &log &optional;
+		## Remote IP address, if present.
+		remote_ip       : addr &log &optional;
+		## Connect info, if present.
+		connect_info	: string &log &optional;
+		## Successful or failed authentication.
+		result		: string &log &optional;
+		## Whether this has already been logged and can be ignored.
+		logged		: bool &optional;
+
+	};
+
+	## The amount of time we wait for an authentication response before
+	## expiring it.
+	const expiration_interval = 10secs &redef;
+
+	## Logs an authentication attempt if we didn't see a response in time.
+	##
+	## t: A table of Info records.
+	##
+	## idx: The index of the connection$radius table corresponding to the
+	##      radius authentication about to expire.
+	##
+	## Returns: 0secs, which when this function is used as an
+	##          :bro:attr:`&expire_func`, indicates to remove the element at
+	##          *idx* immediately.
+	global expire: function(t: table[count] of Info, idx: count): interval;
+
+	## Event that can be handled to access the RADIUS record as it is sent on
+	## to the loggin framework.
+	global log_radius: event(rec: Info);
+}
+
+redef record connection += {
+	radius: table[count] of Info &optional &write_expire=expiration_interval &expire_func=expire;
+};
+
+const ports = { 1812/udp };
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(RADIUS::LOG, [$columns=Info, $ev=log_radius]);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_RADIUS, ports);
+	}
+
+event radius_message(c: connection, result: RADIUS::Message)
+	{
+	local info: Info;
+
+	if ( c?$radius && result$trans_id in c$radius )
+		info = c$radius[result$trans_id];
+	else
+		{
+		c$radius = table();
+		info$ts  = network_time();
+		info$uid = c$uid;
+		info$id  = c$id;
+		}
+
+	switch ( RADIUS::msg_types[result$code] ) {
+		case "Access-Request":
+			if ( result?$attributes ) {
+				# User-Name
+				if ( ! info?$username && 1 in result$attributes )
+					info$username = result$attributes[1][0];
+
+				# Calling-Station-Id (we expect this to be a MAC)
+				if ( ! info?$mac && 31 in result$attributes )
+					info$mac = normalize_mac(result$attributes[31][0]);
+
+				# Tunnel-Client-EndPoint (useful for VPNs)
+				if ( ! info?$remote_ip && 66 in result$attributes )
+					info$remote_ip = to_addr(result$attributes[66][0]);
+
+				# Connect-Info
+				if ( ! info?$connect_info && 77 in result$attributes )
+					info$connect_info = result$attributes[77][0];
+			}
+
+			break;
+
+		case "Access-Accept":
+			info$result = "success";
+			break;
+
+		case "Access-Reject":
+			info$result = "failed";
+			break;
+	}
+
+	if ( info?$result && ! info?$logged )
+		{
+		info$logged = T;
+		Log::write(RADIUS::LOG, info);
+		}
+
+	c$radius[result$trans_id] = info;
+	}
+
+
+function expire(t: table[count] of Info, idx: count): interval
+	 {
+	 t[idx]$result = "unknown";
+	 Log::write(RADIUS::LOG, t[idx]);
+	 return 0secs;
+	 }

scripts/base/protocols/smtp/files.bro

@@ -41,13 +41,13 @@ function describe_file(f: fa_file): string
 
 event bro_init() &priority=5
 	{
-	Files::register_protocol(Analyzer::ANALYZER_SMTP, 
+	Files::register_protocol(Analyzer::ANALYZER_SMTP,
 	                         [$get_file_handle = SMTP::get_file_handle,
 	                          $describe        = SMTP::describe_file]);
 	}
 
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
 	{
-	if ( c?$smtp )
+	if ( c?$smtp && !c$smtp$tls )
 		c$smtp$fuids[|c$smtp$fuids|] = f$id;
 	}

scripts/base/protocols/smtp/main.bro

@@ -49,38 +49,40 @@ export {
 		path:              vector of addr  &log &optional;
 		## Value of the User-Agent header from the client.
 		user_agent:        string          &log &optional;
-		
+
+		## Indicates that the connection has switched to using TLS.
+		tls:               bool            &log &default=F;
 		## Indicates if the "Received: from" headers should still be
 		## processed.
 		process_received_from: bool        &default=T;
 		## Indicates if client activity has been seen, but not yet logged.
 		has_client_activity:  bool            &default=F;
 	};
-	
+
 	type State: record {
 		helo:                     string    &optional;
 		## Count the number of individual messages transmitted during
 		## this SMTP session.  Note, this is not the number of
 		## recipients, but the number of message bodies transferred.
 		messages_transferred:     count     &default=0;
-		
+
 		pending_messages:         set[Info] &optional;
 	};
-	
+
 	## Direction to capture the full "Received from" path.
 	##    REMOTE_HOSTS - only capture the path until an internal host is found.
 	##    LOCAL_HOSTS - only capture the path until the external host is discovered.
 	##    ALL_HOSTS - always capture the entire path.
 	##    NO_HOSTS - never capture the path.
 	const mail_path_capture = ALL_HOSTS &redef;
-	
+
 	## Create an extremely shortened representation of a log line.
 	global describe: function(rec: Info): string;
 
 	global log_smtp: event(rec: Info);
 }
 
-redef record connection += { 
+redef record connection += {
 	smtp:       Info  &optional;
 	smtp_state: State &optional;
 };
@@ -93,7 +95,7 @@ event bro_init() &priority=5
 	Log::create_stream(SMTP::LOG, [$columns=SMTP::Info, $ev=log_smtp]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SMTP, ports);
 	}
-	
+
 function find_address_in_smtp_header(header: string): string
 {
 	local ips = find_ip_addresses(header);
@@ -114,17 +116,17 @@ function new_smtp_log(c: connection): Info
 	l$ts=network_time();
 	l$uid=c$uid;
 	l$id=c$id;
-	# The messages_transferred count isn't incremented until the message is 
+	# The messages_transferred count isn't incremented until the message is
 	# finished so we need to increment the count by 1 here.
 	l$trans_depth = c$smtp_state$messages_transferred+1;
-	
+
 	if ( c$smtp_state?$helo )
 		l$helo = c$smtp_state$helo;
-	
+
 	# The path will always end with the hosts involved in this connection.
 	# The lower values in the vector are the end of the path.
 	l$path = vector(c$id$resp_h, c$id$orig_h);
-	
+
 	return l;
 	}
 
@@ -132,7 +134,7 @@ function set_smtp_session(c: connection)
 	{
 	if ( ! c?$smtp_state )
 		c$smtp_state = [];
-	
+
 	if ( ! c?$smtp )
 		c$smtp = new_smtp_log(c);
 	}
@@ -140,17 +142,17 @@ function set_smtp_session(c: connection)
 function smtp_message(c: connection)
 	{
 	if ( c$smtp$has_client_activity )
+		{
 		Log::write(SMTP::LOG, c$smtp);
+		c$smtp = new_smtp_log(c);
+		}
 	}
-	
+
 event smtp_request(c: connection, is_orig: bool, command: string, arg: string) &priority=5
 	{
 	set_smtp_session(c);
 	local upper_command = to_upper(command);
 
-	if ( upper_command != "QUIT" )
-		c$smtp$has_client_activity = T;
-	
 	if ( upper_command == "HELO" || upper_command == "EHLO" )
 		{
 		c$smtp_state$helo = arg;
@@ -159,23 +161,28 @@ event smtp_request(c: connection, is_orig: bool, command: string, arg: string) &
 
 	else if ( upper_command == "RCPT" && /^[tT][oO]:/ in arg )
 		{
-		if ( ! c$smtp?$rcptto ) 
+		if ( ! c$smtp?$rcptto )
 			c$smtp$rcptto = set();
 		add c$smtp$rcptto[split1(arg, /:[[:blank:]]*/)[2]];
+		c$smtp$has_client_activity = T;
 		}
 
 	else if ( upper_command == "MAIL" && /^[fF][rR][oO][mM]:/ in arg )
 		{
+		# Flush last message in case we didn't see the server's acknowledgement.
+		smtp_message(c);
+
 		local partially_done = split1(arg, /:[[:blank:]]*/)[2];
 		c$smtp$mailfrom = split1(partially_done, /[[:blank:]]?/)[1];
+		c$smtp$has_client_activity = T;
 		}
 	}
-	
+
 event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
                  msg: string, cont_resp: bool) &priority=5
 	{
 	set_smtp_session(c);
-	
+
 	# This continually overwrites, but we want the last reply,
 	# so this actually works fine.
 	c$smtp$last_reply = fmt("%d %s", code, msg);
@@ -196,7 +203,6 @@ event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
 event mime_one_header(c: connection, h: mime_header_rec) &priority=5
 	{
 	if ( ! c?$smtp ) return;
-	c$smtp$has_client_activity = T;
 
 	if ( h$name == "MESSAGE-ID" )
 		c$smtp$msg_id = h$value;
@@ -239,19 +245,19 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5
 		if ( 1 in addresses )
 			c$smtp$x_originating_ip = to_addr(addresses[1]);
 		}
-	
+
 	else if ( h$name == "X-MAILER" ||
 	          h$name == "USER-AGENT" ||
 	          h$name == "X-USER-AGENT" )
 		c$smtp$user_agent = h$value;
 	}
-	
-# This event handler builds the "Received From" path by reading the 
+
+# This event handler builds the "Received From" path by reading the
 # headers in the mail
 event mime_one_header(c: connection, h: mime_header_rec) &priority=3
 	{
 	# If we've decided that we're done watching the received headers for
-	# whatever reason, we're done.  Could be due to only watching until 
+	# whatever reason, we're done.  Could be due to only watching until
 	# local addresses are seen in the received from headers.
 	if ( ! c?$smtp || h$name != "RECEIVED" || ! c$smtp$process_received_from )
 		return;
@@ -261,7 +267,7 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=3
 		return;
 	local ip = to_addr(text_ip);
 
-	if ( ! addr_matches_host(ip, mail_path_capture) && 
+	if ( ! addr_matches_host(ip, mail_path_capture) &&
 	     ! Site::is_private_addr(ip) )
 		{
 		c$smtp$process_received_from = F;
@@ -276,6 +282,15 @@ event connection_state_remove(c: connection) &priority=-5
 		smtp_message(c);
 	}
 
+event smtp_starttls(c: connection) &priority=5
+	{
+	if ( c?$smtp )
+		{
+		c$smtp$tls = T;
+		c$smtp$has_client_activity = T;
+		}
+	}
+
 function describe(rec: Info): string
 	{
 	if ( rec?$mailfrom && rec?$rcptto )

scripts/base/protocols/ssl/consts.bro

@@ -15,6 +15,32 @@ export {
 		[TLSv12] = "TLSv12",
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 
+	## TLS content types:
+	const CHANGE_CIPHER_SPEC = 20;
+	const ALERT = 21;
+	const HANDSHAKE = 22;
+	const APPLICATION_DATA = 23;
+	const HEARTBEAT = 24;
+	const V2_ERROR = 300;
+	const V2_CLIENT_HELLO = 301;
+	const V2_CLIENT_MASTER_KEY = 302;
+	const V2_SERVER_HELLO = 304;
+
+	## TLS Handshake types:
+	const HELLO_REQUEST       = 0;
+	const CLIENT_HELLO        = 1;
+	const SERVER_HELLO        = 2;
+	const SESSION_TICKET      = 4; # RFC 5077
+	const CERTIFICATE         = 11;
+	const SERVER_KEY_EXCHANGE = 12;
+	const CERTIFICATE_REQUEST = 13;
+	const SERVER_HELLO_DONE   = 14;
+	const CERTIFICATE_VERIFY  = 15;
+	const CLIENT_KEY_EXCHANGE = 16;
+	const FINISHED            = 20;
+	const CERTIFICATE_URL     = 21; # RFC 3546
+	const CERTIFICATE_STATUS  = 22; # RFC 3546
+
 	## Mapping between numeric codes and human readable strings for alert
 	## levels.
 	const alert_levels: table[count] of string = {
@@ -83,6 +109,10 @@ export {
 		[16] = "application_layer_protocol_negotiation",
 		[17] = "status_request_v2",
 		[18] = "signed_certificate_timestamp",
+		[19] = "client_certificate_type",
+		[20] = "server_certificate_type",
+		[21] = "padding", # temporary till 2015-03-12
+		[22] = "encrypt_then_mac", # temporary till 2015-06-05
 		[35] = "SessionTicket TLS",
 		[40] = "extended_random",
 		[13172] = "next_protocol_negotiation",

scripts/base/protocols/ssl/files.bro

@@ -121,13 +121,15 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 event ssl_established(c: connection) &priority=6
 	{
 	# update subject and issuer information
-	if ( c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 )
+	if ( c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 &&
+	     c$ssl$cert_chain[0]?$x509 )
 		{
 		c$ssl$subject = c$ssl$cert_chain[0]$x509$certificate$subject;
 		c$ssl$issuer = c$ssl$cert_chain[0]$x509$certificate$issuer;
 		}
 
-	if ( c$ssl?$client_cert_chain && |c$ssl$client_cert_chain| > 0 )
+	if ( c$ssl?$client_cert_chain && |c$ssl$client_cert_chain| > 0 &&
+	     c$ssl$client_cert_chain[0]?$x509 )
 		{
 		c$ssl$client_subject = c$ssl$client_cert_chain[0]$x509$certificate$subject;
 		c$ssl$client_issuer = c$ssl$client_cert_chain[0]$x509$certificate$issuer;

scripts/base/utils/addrs.bro

@@ -1,4 +1,4 @@
-##! Functions for parsing and manipulating IP addresses.
+##! Functions for parsing and manipulating IP and MAC addresses.
 
 # Regular expressions for matching IP addresses in strings.
 const ipv4_addr_regex = /[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/;
@@ -14,13 +14,13 @@ const ipv6_compressed_hex4dec_regex = /(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)
 #                        ipv6_compressed_hex4dec_regex;
 #const ip_addr_regex = ipv4_addr_regex | ipv6_addr_regex;
 
-const ipv6_addr_regex =     
+const ipv6_addr_regex =
     /([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}/ |
     /(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)/ | # IPv6 Compressed Hex
     /(([0-9A-Fa-f]{1,4}:){6,6})([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/ | # 6Hex4Dec
     /(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}:)*)([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/; # CompressedHex4Dec
 
-const ip_addr_regex = 
+const ip_addr_regex =
     /[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/ |
     /([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}/ |
     /(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)::(([0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4})*)?)/ | # IPv6 Compressed Hex
@@ -57,7 +57,7 @@ function is_valid_ip(ip_str: string): bool
 		octets = split(ip_str, /\./);
 		if ( |octets| != 4 )
 			return F;
-		
+
 		return has_valid_octets(octets);
 		}
 	else if ( ip_str == ipv6_addr_regex )
@@ -119,3 +119,30 @@ function addr_to_uri(a: addr): string
 	else
 		return fmt("[%s]", a);
 	}
+
+## Given a string, extracts the hex digits and returns a MAC address in
+## the format: 00:a0:32:d7:81:8f. If the string doesn't contain 12 or 16 hex
+## digits, an empty string is returned.
+##
+## a: the string to normalize.
+##
+## Returns: a normalized MAC address, or an empty string in the case of an error.
+function normalize_mac(a: string): string
+	{
+	local result = to_lower(gsub(a, /[^A-Fa-f0-9]/, ""));
+	local octets: string_vec;
+
+	if ( |result| == 12 )
+		{
+		octets = str_split(result, vector(2, 4, 6, 8, 10));
+		return fmt("%s:%s:%s:%s:%s:%s", octets[1], octets[2], octets[3], octets[4], octets[5], octets[6]);
+		}
+
+	if ( |result| == 16 )
+		{
+		octets = str_split(result, vector(2, 4, 6, 8, 10, 12, 14));
+		return fmt("%s:%s:%s:%s:%s:%s:%s:%s", octets[1], octets[2], octets[3], octets[4], octets[5], octets[6], octets[7], octets[8]);
+		}
+
+	return "";
+	}