Merge remote-tracking branch 'origin/topic/jsiwek/bit-1343'

* origin/topic/jsiwek/bit-1343:
  BIT-1343: factor common ASN.1 code from RDP and SNMP analyzer.

BIT-1343 #merged
This commit is contained in:
Robin Sommer 2015-04-21 13:46:26 -07:00
commit cb767b9336
4 changed files with 71 additions and 119 deletions

@ -1 +1 @@
Subproject commit 544330932e7cd4615d6d19f63907e8aa2acebb9e Subproject commit a1dddbb780bc45e1fb2ec3d7f11bec7a512c070d


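--- /dev/null
+++ b/asn1/asn1.pac
@@ -0,0 +1,62 @@
+############################## ASN.1 Encodings
+enum ASN1TypeTag {
+ASN1_INTEGER_TAG = 0x02,
+ASN1_OCTET_STRING_TAG = 0x04,
+ASN1_NULL_TAG = 0x05,
+ASN1_OBJECT_IDENTIFIER_TAG = 0x06,
+ASN1_SEQUENCE_TAG = 0x30,
+};
+type ASN1Encoding = record {
+meta: ASN1EncodingMeta;
+content: bytestring &length = meta.length;
+};
+type ASN1EncodingMeta = record {
+tag: uint8;
+len: uint8;
+more_len: bytestring &length = long_len ? len & 0x7f : 0;
+} &let {
+long_len: bool = len & 0x80;
+length: uint64 = long_len ? binary_to_int64(more_len) : len & 0x7f;
+};
+type ASN1SequenceMeta = record {
+encoding: ASN1EncodingMeta;
+};
+type ASN1Integer = record {
+encoding: ASN1Encoding;
+};
+type ASN1OctetString = record {
+encoding: ASN1Encoding;
+};
+type ASN1ObjectIdentifier = record {
+encoding: ASN1Encoding;
+};
+type ASN1Boolean = record {
+encoding: ASN1Encoding;
+};
+type ASN1Enumerated = record {
+encoding: ASN1Encoding;
+};
+############################## ASN.1 Conversion Functions
+function binary_to_int64(bs: bytestring): int64
+%{
+int64 rval = 0;
+for ( int i = 0; i < bs.length(); ++i )
+{
+uint64 byte = bs[i];
+rval |= byte << (8 * (bs.length() - (i + 1)));
+}
+return rval;
+%}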
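Review bot: `binary_to_int64` at the end of the hunk shifts `byte` by `8 * (bs.length() - (i + 1))`, and its only caller passes `more_len`, whose length is `len & 0x7f` and so can be anything up to 127 bytes, so a long-form length with more than eight length octets produces a shift count of 64 or more, which is undefined behaviour in the generated C++ and leaves the resulting `length` unpredictable; reject oversized inputs before the loop, e.g. `if ( bs.length() > 8 ) throw binpac::Exception("ASN.1 length field too long");`. Even within eight bytes, a set top bit in the first octet yields a negative int64 that is then stored into the uint64 `length`, so bounding the accepted encoding well below eight bytes is probably the safer choice. Separately, a `len` of exactly 0x80 is the BER indefinite-length marker, but here `more_len` is empty and `length` evaluates to 0, so such an element is silently parsed as having no content rather than being rejected; a comment on the `length` line such as `# len == 0x80 (BER indefinite length) is not supported and decodes as length 0.` would record that. The `long_len: bool = len & 0x80;` line keeps the SNMP copy's form rather than the `(len & 0x80) > 0` form the RDP copy used; the two are equivalent once compiled, but the explicit comparison reads more clearly.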


@ -1,3 +1,4 @@
%include ../asn1/asn1.pac
type TPKT(is_orig: bool) = record { type TPKT(is_orig: bool) = record {
version: uint8; version: uint8;
@ -5,7 +6,7 @@ type TPKT(is_orig: bool) = record {
tpkt_len: uint16; tpkt_len: uint16;
# These data structures are merged together into TPKT # These data structures are merged together into TPKT
# because there are packets that report incorrect # because there are packets that report incorrect
# lengths in the tpkt length field. No clue why. # lengths in the tpkt length field. No clue why.
cotp: COTP(this); cotp: COTP(this);
@ -129,7 +130,7 @@ type RDP_Negotiation_Response = record {
length: uint16; # must be set to 8 length: uint16; # must be set to 8
selected_protocol: uint32; selected_protocol: uint32;
} &let { } &let {
# Seems to be SSL encrypted (maybe CredSSP also?) # Seems to be SSL encrypted (maybe CredSSP also?)
# after this message if the selected_protocol is > 0. # after this message if the selected_protocol is > 0.
enc_ssl: bool = $context.connection.go_encrypted(selected_protocol) &if(selected_protocol > 0); enc_ssl: bool = $context.connection.go_encrypted(selected_protocol) &if(selected_protocol > 0);
} &byteorder=littleendian; } &byteorder=littleendian;
@ -204,7 +205,7 @@ type Client_Core_Data = record {
supported_color_depths: uint16; supported_color_depths: uint16;
early_capability_flags: uint16; early_capability_flags: uint16;
dig_product_id: bytestring &length=64; dig_product_id: bytestring &length=64;
# There are more optional fields here but they are # There are more optional fields here but they are
# annoying to optionally parse in binpac. # annoying to optionally parse in binpac.
# Documented here: https://msdn.microsoft.com/en-us/library/cc240510.aspx # Documented here: https://msdn.microsoft.com/en-us/library/cc240510.aspx
} &let { } &let {
@ -280,7 +281,7 @@ type Server_Security_Data = record {
server_random: bytestring &length=server_random_length; server_random: bytestring &length=server_random_length;
server_certificate: Server_Certificate &length=server_cert_length; server_certificate: Server_Certificate &length=server_cert_length;
} &let { } &let {
# Seems to be encrypted after this message if # Seems to be encrypted after this message if
# encryption level is >0 # encryption level is >0
# 0 means RDP encryption. # 0 means RDP encryption.
enc: bool = $context.connection.go_encrypted(0) &if(encryption_method > 0 && encryption_level > 0); enc: bool = $context.connection.go_encrypted(0) &if(encryption_method > 0 && encryption_level > 0);
@ -326,64 +327,6 @@ type X509_Cert_Data = record {
cert: bytestring &length=cert_len; cert: bytestring &length=cert_len;
} &byteorder=littleendian; } &byteorder=littleendian;
######################################################################
# ASN.1 Encodings
######################################################################
type ASN1Encoding = record {
meta: ASN1EncodingMeta;
content: bytestring &length = meta.length;
};
type ASN1EncodingMeta = record {
tag: uint8;
len: uint8;
more_len: bytestring &length = long_len ? len & 0x7f : 0;
} &let {
long_len: bool = (len & 0x80) > 0;
length: uint64 = long_len ? binary_to_int64(more_len) : len & 0x7f;
};
type ASN1SequenceMeta = record {
encoding: ASN1EncodingMeta;
};
type ASN1Integer = record {
encoding: ASN1Encoding;
};
type ASN1OctetString = record {
encoding: ASN1Encoding;
};
type ASN1ObjectIdentifier = record {
encoding: ASN1Encoding;
};
type ASN1Boolean = record {
encoding: ASN1Encoding;
};
type ASN1Enumerated = record {
encoding: ASN1Encoding;
};
######################################################################
# ASN.1 Conversion Functions
######################################################################
function binary_to_int64(bs: bytestring): int64
%{
int64 rval = 0;
for ( int i = 0; i < bs.length(); ++i )
{
uint64 byte = bs[i];
rval |= byte << (8 * (bs.length() - (i + 1)));
}
return rval;
%}
refine connection RDP_Conn += { refine connection RDP_Conn += {
%member{ %member{
@ -420,4 +363,4 @@ refine connection RDP_Conn += {
%{ %{
return encryption_method_; return encryption_method_;
%} %}
}; };


@ -8,6 +8,8 @@
# used. Primitive or non-constructor encodings are preferred over # used. Primitive or non-constructor encodings are preferred over
# constructor encodings. # constructor encodings.
%include ../asn1/asn1.pac
type TopLevelMessage(is_orig: bool) = record { type TopLevelMessage(is_orig: bool) = record {
asn1_sequence_meta: ASN1SequenceMeta; asn1_sequence_meta: ASN1SequenceMeta;
version: ASN1Integer; version: ASN1Integer;
@ -215,58 +217,3 @@ enum VarBindNullTag {
VARBIND_NOSUCHINSTANCE_TAG = 0x81, VARBIND_NOSUCHINSTANCE_TAG = 0x81,
VARBIND_ENDOFMIBVIEW_TAG = 0x82, VARBIND_ENDOFMIBVIEW_TAG = 0x82,
}; };
############################## ASN.1 Encodings
enum ASN1TypeTag {
ASN1_INTEGER_TAG = 0x02,
ASN1_OCTET_STRING_TAG = 0x04,
ASN1_NULL_TAG = 0x05,
ASN1_OBJECT_IDENTIFIER_TAG = 0x06,
ASN1_SEQUENCE_TAG = 0x30,
};
type ASN1Encoding = record {
meta: ASN1EncodingMeta;
content: bytestring &length = meta.length;
};
type ASN1EncodingMeta = record {
tag: uint8;
len: uint8;
more_len: bytestring &length = long_len ? len & 0x7f : 0;
} &let {
long_len: bool = len & 0x80;
length: uint64 = long_len ? binary_to_int64(more_len) : len & 0x7f;
};
type ASN1SequenceMeta = record {
encoding: ASN1EncodingMeta;
};
type ASN1Integer = record {
encoding: ASN1Encoding;
};
type ASN1OctetString = record {
encoding: ASN1Encoding;
};
type ASN1ObjectIdentifier = record {
encoding: ASN1Encoding;
};
############################## ASN.1 Conversion Functions
function binary_to_int64(bs: bytestring): int64
%{
int64 rval = 0;
for ( int i = 0; i < bs.length(); ++i )
{
uint64 byte = bs[i];
rval |= byte << (8 * (bs.length() - (i + 1)));
}
return rval;
%}