Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge branch 'topic/mohan/intel-event-groups' of https://github.com/Mohan-Dhawan/zeek

Browse source 
* 'topic/mohan/intel-event-groups' of https://github.com/Mohan-Dhawan/zeek:
  coalesce smtp handlers for ADDR
  Add fine-grained groups for Intel events
This commit is contained in:
Arne Welzel 2025-04-29 15:00:44 +02:00
commit d5e1dc27c6
13 changed files with 106 additions and 67 deletions
Download patch file Download diff file Expand all files Collapse all files

6
CHANGES
View file

@ -1,3 +1,9 @@
8.0.0-dev.10 | 2025-04-29 15:00:44 +0200
* coalesce smtp handlers for ADDR (Mohan Dhawan, Corelight)
* Add fine-grained groups for Intel events (Mohan Dhawan, Corelight)
8.0.0-dev.7 | 2025-04-28 19:41:01 +0200
* broker/WebSocketShim: Check RegisterFd() return (Arne Welzel, Corelight)

2
VERSION
View file

@ -1 +1 @@
8.0.0-dev.7
8.0.0-dev.10

2
scripts/policy/frameworks/intel/seen/dns.zeek
View file

@ -1,7 +1,7 @@
@load base/frameworks/intel
@load ./where-locations
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &group="Intel::DOMAIN"
{
Intel::seen([$indicator=query,
$indicator_type=Intel::DOMAIN,

2
scripts/policy/frameworks/intel/seen/file-hashes.zeek
View file

@ -1,7 +1,7 @@
@load base/frameworks/intel
@load ./where-locations
event file_hash(f: fa_file, kind: string, hash: string)
event file_hash(f: fa_file, kind: string, hash: string) &group="Intel::FILE_HASH"
{
local seen = Intel::Seen($indicator=hash,
$indicator_type=Intel::FILE_HASH,

10
scripts/policy/frameworks/intel/seen/file-names.zeek
View file

@ -1,7 +1,7 @@
@load base/frameworks/intel
@load ./where-locations
event file_new(f: fa_file)
event file_new(f: fa_file) &group="Intel::FILE_NAME"
{
# If there are connections attached, we'll be using
# file_over_new_connection() for reporting the
@ -16,11 +16,11 @@ event file_new(f: fa_file)
$where=Files::IN_NAME]);
}
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-5
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-5 &group="Intel::FILE_NAME"
{
# Skip SMB, there's a custom implementation in smb-filenames.zeek
if ( f$source == "SMB" )
return;
# Skip SMB, there's a custom implementation in smb-filenames.zeek
if ( f$source == "SMB" )
return;
if ( f?$info && f$info?$filename )
Intel::seen([$indicator=f$info$filename,

104
scripts/policy/frameworks/intel/seen/http-headers.zeek
View file

@ -2,54 +2,72 @@
@load ./where-locations
@load base/utils/addrs
event http_header(c: connection, is_orig: bool, name: string, value: string)
event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::ADDR"
{
if ( is_orig )
if ( ! is_orig )
return;
switch ( name )
{
switch ( name )
case "HOST":
# Remove the occasional port value that shows up here.
local host = gsub(value, /:[[:digit:]]+$/, "");
if ( is_valid_ip(host) )
Intel::seen([$host=to_addr(host),
$indicator_type=Intel::ADDR,
$conn=c,
$where=HTTP::IN_HOST_HEADER]);
break;
case "X-FORWARDED-FOR":
if ( is_valid_ip(value) )
{
case "HOST":
# Remove the occasional port value that shows up here.
local host = gsub(value, /:[[:digit:]]+$/, "");
if ( is_valid_ip(host) )
Intel::seen([$host=to_addr(host),
$indicator_type=Intel::ADDR,
$conn=c,
$where=HTTP::IN_HOST_HEADER]);
else
Intel::seen([$indicator=host,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=HTTP::IN_HOST_HEADER]);
break;
case "REFERER":
Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),
$indicator_type=Intel::URL,
$conn=c,
$where=HTTP::IN_REFERRER_HEADER]);
break;
case "X-FORWARDED-FOR":
if ( is_valid_ip(value) )
local addrs = extract_ip_addresses(value);
for ( i in addrs )
{
local addrs = extract_ip_addresses(value);
for ( i in addrs )
{
Intel::seen([$host=to_addr(addrs[i]),
$indicator_type=Intel::ADDR,
$conn=c,
$where=HTTP::IN_X_FORWARDED_FOR_HEADER]);
}
Intel::seen([$host=to_addr(addrs[i]),
$indicator_type=Intel::ADDR,
$conn=c,
$where=HTTP::IN_X_FORWARDED_FOR_HEADER]);
}
break;
case "USER-AGENT":
Intel::seen([$indicator=value,
$indicator_type=Intel::SOFTWARE,
$conn=c,
$where=HTTP::IN_USER_AGENT_HEADER]);
break;
}
break;
}
}
event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::DOMAIN"
{
if ( ! is_orig || name != "HOST" )
return;
# Remove the occasional port value that shows up here.
local host = gsub(value, /:[[:digit:]]+$/, "");
if ( ! is_valid_ip(host) )
Intel::seen([$indicator=host,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=HTTP::IN_HOST_HEADER]);
}
event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::URL"
{
if ( ! is_orig || name != "REFERER" )
return;
Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),
$indicator_type=Intel::URL,
$conn=c,
$where=HTTP::IN_REFERRER_HEADER]);
}
event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::SOFTWARE"
{
if ( ! is_orig || name != "USER-AGENT" )
return;
Intel::seen([$indicator=value,
$indicator_type=Intel::SOFTWARE,
$conn=c,
$where=HTTP::IN_USER_AGENT_HEADER]);
}

2
scripts/policy/frameworks/intel/seen/http-url.zeek
View file

@ -2,7 +2,7 @@
@load base/protocols/http/utils
@load ./where-locations
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &group="Intel::URL"
{
if ( is_orig && c?$http )
Intel::seen([$indicator=HTTP::build_url(c$http),

2
scripts/policy/frameworks/intel/seen/pubkey-hashes.zeek
View file

@ -2,7 +2,7 @@
@load base/protocols/ssh
@load ./where-locations
event ssh_server_host_key(c: connection, hash: string)
event ssh_server_host_key(c: connection, hash: string) &group="Intel::PUBKEY_HASH"
{
local seen = Intel::Seen($indicator=hash,
$indicator_type=Intel::PUBKEY_HASH,

2
scripts/policy/frameworks/intel/seen/smb-filenames.zeek
View file

@ -2,7 +2,7 @@
@load base/frameworks/intel
@load ./where-locations
event file_new(f: fa_file)
event file_new(f: fa_file) &group="Intel::FILE_NAME"
{
if ( f$source != "SMB" )
return;

4
scripts/policy/frameworks/intel/seen/smtp-url-extraction.zeek
View file

@ -3,7 +3,7 @@
@load base/utils/urls
@load ./where-locations
event intel_mime_data(f: fa_file, data: string)
event intel_mime_data(f: fa_file, data: string) &group="Intel::URL"
{
if ( ! f?$conns )
return;
@ -21,7 +21,7 @@ event intel_mime_data(f: fa_file, data: string)
}
}
event file_new(f: fa_file)
event file_new(f: fa_file) &group="Intel::URL"
{
if ( f$source == "SMTP" )
Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, [$stream_event=intel_mime_data]);

24
scripts/policy/frameworks/intel/seen/smtp.zeek
View file

@ -3,7 +3,7 @@
@load base/protocols/smtp
@load ./where-locations
event mime_end_entity(c: connection)
event mime_end_entity(c: connection) &group="Intel::ADDR"
{
if ( c?$smtp )
{
@ -18,17 +18,29 @@ event mime_end_entity(c: connection)
}
}
if ( c$smtp?$x_originating_ip )
Intel::seen([$host=c$smtp$x_originating_ip,
$conn=c,
$where=SMTP::IN_X_ORIGINATING_IP_HEADER]);
}
}
event mime_end_entity(c: connection) &group="Intel::SOFTWARE"
{
if ( c?$smtp )
{
if ( c$smtp?$user_agent )
Intel::seen([$indicator=c$smtp$user_agent,
$indicator_type=Intel::SOFTWARE,
$conn=c,
$where=SMTP::IN_HEADER]);
}
}
if ( c$smtp?$x_originating_ip )
Intel::seen([$host=c$smtp$x_originating_ip,
$conn=c,
$where=SMTP::IN_X_ORIGINATING_IP_HEADER]);
event mime_end_entity(c: connection) &group="Intel::EMAIL"
{
if ( c?$smtp )
{
if ( c$smtp?$mailfrom )
{
Intel::seen([$indicator=c$smtp$mailfrom,

4
scripts/policy/frameworks/intel/seen/ssl.zeek
View file

@ -2,7 +2,7 @@
@load base/protocols/ssl
@load ./where-locations
event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &group="Intel::DOMAIN"
{
if ( is_orig && c?$ssl && c$ssl?$server_name )
Intel::seen([$indicator=c$ssl$server_name,
@ -11,7 +11,7 @@ event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec)
$where=SSL::IN_SERVER_NAME]);
}
event ssl_established(c: connection)
event ssl_established(c: connection) &group="Intel::DOMAIN"
{
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
! c$ssl$cert_chain[0]?$x509 )

9
scripts/policy/frameworks/intel/seen/x509.zeek
View file

@ -9,7 +9,7 @@ export {
option enable_x509_ext_subject_alternative_name = T;
}
event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName)
event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) &group="Intel::DOMAIN"
{
if ( enable_x509_ext_subject_alternative_name && ext?$dns )
{
@ -21,7 +21,7 @@ event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativ
}
}
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &group="Intel::EMAIL"
{
if ( /emailAddress=/ in cert$subject )
{
@ -32,7 +32,10 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
$f=f,
$where=X509::IN_CERT]);
}
}
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &group="Intel::CERT_HASH"
{
if ( f$info?$sha1 ) # if the file_hash event was raised before the x509 event...
{
Intel::seen([$indicator=f$info$sha1,
@ -42,7 +45,7 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
}
}
event file_hash(f: fa_file, kind: string, hash: string)
event file_hash(f: fa_file, kind: string, hash: string) &group="Intel::CERT_HASH"
{
if ( ! f?$info || ! f$info?$x509 || kind != "sha1" )
return;