Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge branch 'topic/mohan/intel-event-groups' of https://github.com/Mohan-Dhawan/zeek

Browse source 
* 'topic/mohan/intel-event-groups' of https://github.com/Mohan-Dhawan/zeek:
  coalesce smtp handlers for ADDR
  Add fine-grained groups for Intel events
This commit is contained in:
Arne Welzel 2025-04-29 15:00:44 +02:00
commit d5e1dc27c6
13 changed files with 106 additions and 67 deletions
Download patch file Download diff file Expand all files Collapse all files

6
CHANGES
View file

@ -1,3 +1,9 @@
8.0.0-dev.10 | 2025-04-29 15:00:44 +0200
* coalesce smtp handlers for ADDR (Mohan Dhawan, Corelight)
* Add fine-grained groups for Intel events (Mohan Dhawan, Corelight)
8.0.0-dev.7 | 2025-04-28 19:41:01 +0200 8.0.0-dev.7 | 2025-04-28 19:41:01 +0200
* broker/WebSocketShim: Check RegisterFd() return (Arne Welzel, Corelight) * broker/WebSocketShim: Check RegisterFd() return (Arne Welzel, Corelight)

2
VERSION
View file

@ -1 +1 @@
8.0.0-dev.7 8.0.0-dev.10

2
scripts/policy/frameworks/intel/seen/dns.zeek
View file

@ -1,7 +1,7 @@
@load base/frameworks/intel @load base/frameworks/intel
@load ./where-locations @load ./where-locations
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &group="Intel::DOMAIN"
{ {
Intel::seen([$indicator=query, Intel::seen([$indicator=query,
$indicator_type=Intel::DOMAIN, $indicator_type=Intel::DOMAIN,

2
scripts/policy/frameworks/intel/seen/file-hashes.zeek
View file

@ -1,7 +1,7 @@
@load base/frameworks/intel @load base/frameworks/intel
@load ./where-locations @load ./where-locations
event file_hash(f: fa_file, kind: string, hash: string) event file_hash(f: fa_file, kind: string, hash: string) &group="Intel::FILE_HASH"
{ {
local seen = Intel::Seen($indicator=hash, local seen = Intel::Seen($indicator=hash,
$indicator_type=Intel::FILE_HASH, $indicator_type=Intel::FILE_HASH,

4
scripts/policy/frameworks/intel/seen/file-names.zeek
View file

@ -1,7 +1,7 @@
@load base/frameworks/intel @load base/frameworks/intel
@load ./where-locations @load ./where-locations
event file_new(f: fa_file) event file_new(f: fa_file) &group="Intel::FILE_NAME"
{ {
# If there are connections attached, we'll be using # If there are connections attached, we'll be using
# file_over_new_connection() for reporting the # file_over_new_connection() for reporting the
@ -16,7 +16,7 @@ event file_new(f: fa_file)
$where=Files::IN_NAME]); $where=Files::IN_NAME]);
} }
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-5 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-5 &group="Intel::FILE_NAME"
{ {
# Skip SMB, there's a custom implementation in smb-filenames.zeek # Skip SMB, there's a custom implementation in smb-filenames.zeek
if ( f$source == "SMB" ) if ( f$source == "SMB" )

56
scripts/policy/frameworks/intel/seen/http-headers.zeek
View file

@ -2,10 +2,11 @@
@load ./where-locations @load ./where-locations
@load base/utils/addrs @load base/utils/addrs
event http_header(c: connection, is_orig: bool, name: string, value: string) event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::ADDR"
{
if ( is_orig )
{ {
if ( ! is_orig )
return;
switch ( name ) switch ( name )
{ {
case "HOST": case "HOST":
@ -16,18 +17,6 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
$indicator_type=Intel::ADDR, $indicator_type=Intel::ADDR,
$conn=c, $conn=c,
$where=HTTP::IN_HOST_HEADER]); $where=HTTP::IN_HOST_HEADER]);
else
Intel::seen([$indicator=host,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=HTTP::IN_HOST_HEADER]);
break;
case "REFERER":
Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),
$indicator_type=Intel::URL,
$conn=c,
$where=HTTP::IN_REFERRER_HEADER]);
break; break;
case "X-FORWARDED-FOR": case "X-FORWARDED-FOR":
@ -43,13 +32,42 @@ event http_header(c: connection, is_orig: bool, name: string, value: string)
} }
} }
break; break;
}
}
event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::DOMAIN"
{
if ( ! is_orig || name != "HOST" )
return;
# Remove the occasional port value that shows up here.
local host = gsub(value, /:[[:digit:]]+$/, "");
if ( ! is_valid_ip(host) )
Intel::seen([$indicator=host,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=HTTP::IN_HOST_HEADER]);
}
event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::URL"
{
if ( ! is_orig || name != "REFERER" )
return;
Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),
$indicator_type=Intel::URL,
$conn=c,
$where=HTTP::IN_REFERRER_HEADER]);
}
event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::SOFTWARE"
{
if ( ! is_orig || name != "USER-AGENT" )
return;
case "USER-AGENT":
Intel::seen([$indicator=value, Intel::seen([$indicator=value,
$indicator_type=Intel::SOFTWARE, $indicator_type=Intel::SOFTWARE,
$conn=c, $conn=c,
$where=HTTP::IN_USER_AGENT_HEADER]); $where=HTTP::IN_USER_AGENT_HEADER]);
break;
}
}
} }

2
scripts/policy/frameworks/intel/seen/http-url.zeek
View file

@ -2,7 +2,7 @@
@load base/protocols/http/utils @load base/protocols/http/utils
@load ./where-locations @load ./where-locations
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &group="Intel::URL"
{ {
if ( is_orig && c?$http ) if ( is_orig && c?$http )
Intel::seen([$indicator=HTTP::build_url(c$http), Intel::seen([$indicator=HTTP::build_url(c$http),

2
scripts/policy/frameworks/intel/seen/pubkey-hashes.zeek
View file

@ -2,7 +2,7 @@
@load base/protocols/ssh @load base/protocols/ssh
@load ./where-locations @load ./where-locations
event ssh_server_host_key(c: connection, hash: string) event ssh_server_host_key(c: connection, hash: string) &group="Intel::PUBKEY_HASH"
{ {
local seen = Intel::Seen($indicator=hash, local seen = Intel::Seen($indicator=hash,
$indicator_type=Intel::PUBKEY_HASH, $indicator_type=Intel::PUBKEY_HASH,

2
scripts/policy/frameworks/intel/seen/smb-filenames.zeek
View file

@ -2,7 +2,7 @@
@load base/frameworks/intel @load base/frameworks/intel
@load ./where-locations @load ./where-locations
event file_new(f: fa_file) event file_new(f: fa_file) &group="Intel::FILE_NAME"
{ {
if ( f$source != "SMB" ) if ( f$source != "SMB" )
return; return;

4
scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek
View file

@ -3,7 +3,7 @@
@load base/utils/urls @load base/utils/urls
@load ./where-locations @load ./where-locations
event intel_mime_data(f: fa_file, data: string) event intel_mime_data(f: fa_file, data: string) &group="Intel::URL"
{ {
if ( ! f?$conns ) if ( ! f?$conns )
return; return;
@ -21,7 +21,7 @@ event intel_mime_data(f: fa_file, data: string)
} }
} }
event file_new(f: fa_file) event file_new(f: fa_file) &group="Intel::URL"
{ {
if ( f$source == "SMTP" ) if ( f$source == "SMTP" )
Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, [$stream_event=intel_mime_data]); Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, [$stream_event=intel_mime_data]);

24
scripts/policy/frameworks/intel/seen/smtp.zeek
View file

@ -3,7 +3,7 @@
@load base/protocols/smtp @load base/protocols/smtp
@load ./where-locations @load ./where-locations
event mime_end_entity(c: connection) event mime_end_entity(c: connection) &group="Intel::ADDR"
{ {
if ( c?$smtp ) if ( c?$smtp )
{ {
@ -18,17 +18,29 @@ event mime_end_entity(c: connection)
} }
} }
if ( c$smtp?$x_originating_ip )
Intel::seen([$host=c$smtp$x_originating_ip,
$conn=c,
$where=SMTP::IN_X_ORIGINATING_IP_HEADER]);
}
}
event mime_end_entity(c: connection) &group="Intel::SOFTWARE"
{
if ( c?$smtp )
{
if ( c$smtp?$user_agent ) if ( c$smtp?$user_agent )
Intel::seen([$indicator=c$smtp$user_agent, Intel::seen([$indicator=c$smtp$user_agent,
$indicator_type=Intel::SOFTWARE, $indicator_type=Intel::SOFTWARE,
$conn=c, $conn=c,
$where=SMTP::IN_HEADER]); $where=SMTP::IN_HEADER]);
}
}
if ( c$smtp?$x_originating_ip ) event mime_end_entity(c: connection) &group="Intel::EMAIL"
Intel::seen([$host=c$smtp$x_originating_ip, {
$conn=c, if ( c?$smtp )
$where=SMTP::IN_X_ORIGINATING_IP_HEADER]); {
if ( c$smtp?$mailfrom ) if ( c$smtp?$mailfrom )
{ {
Intel::seen([$indicator=c$smtp$mailfrom, Intel::seen([$indicator=c$smtp$mailfrom,

4
scripts/policy/frameworks/intel/seen/ssl.zeek
View file

@ -2,7 +2,7 @@
@load base/protocols/ssl @load base/protocols/ssl
@load ./where-locations @load ./where-locations
event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &group="Intel::DOMAIN"
{ {
if ( is_orig && c?$ssl && c$ssl?$server_name ) if ( is_orig && c?$ssl && c$ssl?$server_name )
Intel::seen([$indicator=c$ssl$server_name, Intel::seen([$indicator=c$ssl$server_name,
@ -11,7 +11,7 @@ event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
$where=SSL::IN_SERVER_NAME]); $where=SSL::IN_SERVER_NAME]);
} }
event ssl_established(c: connection) event ssl_established(c: connection) &group="Intel::DOMAIN"
{ {
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
! c$ssl$cert_chain[0]?$x509 ) ! c$ssl$cert_chain[0]?$x509 )

9
scripts/policy/frameworks/intel/seen/x509.zeek
View file

@ -9,7 +9,7 @@ export {
option enable_x509_ext_subject_alternative_name = T; option enable_x509_ext_subject_alternative_name = T;
} }
event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) &group="Intel::DOMAIN"
{ {
if ( enable_x509_ext_subject_alternative_name && ext?$dns ) if ( enable_x509_ext_subject_alternative_name && ext?$dns )
{ {
@ -21,7 +21,7 @@ event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativ
} }
} }
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &group="Intel::EMAIL"
{ {
if ( /emailAddress=/ in cert$subject ) if ( /emailAddress=/ in cert$subject )
{ {
@ -32,7 +32,10 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
$f=f, $f=f,
$where=X509::IN_CERT]); $where=X509::IN_CERT]);
} }
}
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &group="Intel::CERT_HASH"
{
if ( f$info?$sha1 ) # if the file_hash event was raised before the x509 event... if ( f$info?$sha1 ) # if the file_hash event was raised before the x509 event...
{ {
Intel::seen([$indicator=f$info$sha1, Intel::seen([$indicator=f$info$sha1,
@ -42,7 +45,7 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
} }
} }
event file_hash(f: fa_file, kind: string, hash: string) event file_hash(f: fa_file, kind: string, hash: string) &group="Intel::CERT_HASH"
{ {
if ( ! f?$info || ! f$info?$x509 || kind != "sha1" ) if ( ! f?$info || ! f$info?$x509 || kind != "sha1" )
return; return;