Prefer explicit construction to coercion in record initialization

While we support initializing records via coercion from an expression
list, e.g.,

    local x: X = [$x1=1, $x2=2];

this can sometimes obscure the code to readers, e.g., when assigning to a
value declared and typed elsewhere. The language runtime has a similar
overhead since instead of just constructing a known type it needs to
check at runtime that the coercion from the expression list is valid;
this can be slower than just writing the readable code in the first
place, see #4559.

With this patch we use explicit construction, e.g.,

    local x = X($x1=1, $x2=2);
Benjamin Bannier 2025-07-10 09:42:44 +02:00 committed by Christian Kreibich
parent 54f9e45597
commit d5fd29edcd
139 changed files with 786 additions and 788 deletions


@ -69,8 +69,8 @@ export {
event zeek_init() &priority=5
{
Log::create_stream(LOG, [$columns=Info, $path="analyzer_debug", $policy=log_policy,
$event_groups=set("Analyzer::DebugLogging")]);
Log::create_stream(LOG, Log::Stream($columns=Info, $path="analyzer_debug", $policy=log_policy,
$event_groups=set("Analyzer::DebugLogging")));
local enable_handler = function(id: string, new_value: bool): bool {
if ( new_value )


@ -33,7 +33,7 @@ redef record connection += {
event zeek_init() &priority=5
{
Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd", $policy=log_policy]);
Log::create_stream(DPD::LOG, Log::Stream($columns=Info, $path="dpd", $policy=log_policy));
}
# before the same event in dpd.zeek


@ -93,7 +93,7 @@ function get_protocol(c: connection, a: AllAnalyzers::Tag) : protocol
str = |str| > 0 ? fmt("%s/%s", str, p) : p;
}
return [$a=Analyzer::name(a), $sub=str];
return protocol($a=Analyzer::name(a), $sub=str);
}
function fmt_protocol(p: protocol) : string
@ -115,9 +115,9 @@ function do_notice(c: connection, a: AllAnalyzers::Tag, d: dir)
local p = get_protocol(c, a);
local s = fmt_protocol(p);
NOTICE([$note=Protocol_Found,
NOTICE(Notice::Info($note=Protocol_Found,
$msg=fmt("%s %s on port %s", id_string(c$id), s, c$id$resp_p),
$sub=s, $conn=c]);
$sub=s, $conn=c));
# We report multiple Server_Found's per host if we find a new
# sub-protocol.
@ -130,10 +130,10 @@ function do_notice(c: connection, a: AllAnalyzers::Tag, d: dir)
if ( (! known || newsub) && a !in suppress_servers )
{
NOTICE([$note=Server_Found,
NOTICE(Notice::Info($note=Server_Found,
$msg=fmt("%s: %s server on port %s%s", c$id$resp_h, s,
c$id$resp_p, (known ? " (update)" : "")),
$p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h]);
$p=c$id$resp_p, $sub=s, $conn=c, $src=c$id$resp_h));
if ( ! known )
servers[c$id$resp_h, c$id$resp_p, p$a] = set();


@ -6,7 +6,7 @@ event connection_established(c: connection)
if ( c$orig$state == TCP_ESTABLISHED &&
c$resp$state == TCP_ESTABLISHED )
{
Intel::seen([$host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG]);
Intel::seen([$host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP]);
Intel::seen(Intel::Seen($host=c$id$orig_h, $conn=c, $where=Conn::IN_ORIG));
Intel::seen(Intel::Seen($host=c$id$resp_h, $conn=c, $where=Conn::IN_RESP));
}
}


@ -3,8 +3,8 @@
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &group="Intel::DOMAIN"
{
Intel::seen([$indicator=query,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=DNS::IN_REQUEST]);
Intel::seen(Intel::Seen($indicator=query,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=DNS::IN_REQUEST));
}


@ -10,10 +10,10 @@ event file_new(f: fa_file) &group="Intel::FILE_NAME"
return;
if ( f?$info && f$info?$filename )
Intel::seen([$indicator=f$info$filename,
$indicator_type=Intel::FILE_NAME,
$f=f,
$where=Files::IN_NAME]);
Intel::seen(Intel::Seen($indicator=f$info$filename,
$indicator_type=Intel::FILE_NAME,
$f=f,
$where=Files::IN_NAME));
}
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-5 &group="Intel::FILE_NAME"
@ -23,8 +23,8 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
return;
if ( f?$info && f$info?$filename )
Intel::seen([$indicator=f$info$filename,
$indicator_type=Intel::FILE_NAME,
$f=f,
$where=Files::IN_NAME]);
Intel::seen(Intel::Seen($indicator=f$info$filename,
$indicator_type=Intel::FILE_NAME,
$f=f,
$where=Files::IN_NAME));
}


@ -13,10 +13,10 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &gr
# Remove the occasional port value that shows up here.
local host = gsub(value, /:[[:digit:]]+$/, "");
if ( is_valid_ip(host) )
Intel::seen([$host=to_addr(host),
$indicator_type=Intel::ADDR,
$conn=c,
$where=HTTP::IN_HOST_HEADER]);
Intel::seen(Intel::Seen($host=to_addr(host),
$indicator_type=Intel::ADDR,
$conn=c,
$where=HTTP::IN_HOST_HEADER));
break;
case "X-FORWARDED-FOR":
@ -25,10 +25,10 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &gr
local addrs = extract_ip_addresses(value);
for ( i in addrs )
{
Intel::seen([$host=to_addr(addrs[i]),
$indicator_type=Intel::ADDR,
$conn=c,
$where=HTTP::IN_X_FORWARDED_FOR_HEADER]);
Intel::seen(Intel::Seen($host=to_addr(addrs[i]),
$indicator_type=Intel::ADDR,
$conn=c,
$where=HTTP::IN_X_FORWARDED_FOR_HEADER));
}
}
break;
@ -38,36 +38,36 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &gr
event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::DOMAIN"
{
if ( ! is_orig || name != "HOST" )
return;
return;
# Remove the occasional port value that shows up here.
local host = gsub(value, /:[[:digit:]]+$/, "");
if ( ! is_valid_ip(host) )
Intel::seen([$indicator=host,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=HTTP::IN_HOST_HEADER]);
Intel::seen(Intel::Seen($indicator=host,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=HTTP::IN_HOST_HEADER));
}
event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::URL"
{
if ( ! is_orig || name != "REFERER" )
return;
return;
Intel::seen([$indicator=sub(value, /^.*:\/\//, ""),
$indicator_type=Intel::URL,
$conn=c,
$where=HTTP::IN_REFERRER_HEADER]);
Intel::seen(Intel::Seen($indicator=sub(value, /^.*:\/\//, ""),
$indicator_type=Intel::URL,
$conn=c,
$where=HTTP::IN_REFERRER_HEADER));
}
event http_header(c: connection, is_orig: bool, name: string, value: string) &group="Intel::SOFTWARE"
{
if ( ! is_orig || name != "USER-AGENT" )
return;
return;
Intel::seen([$indicator=value,
$indicator_type=Intel::SOFTWARE,
$conn=c,
$where=HTTP::IN_USER_AGENT_HEADER]);
Intel::seen(Intel::Seen($indicator=value,
$indicator_type=Intel::SOFTWARE,
$conn=c,
$where=HTTP::IN_USER_AGENT_HEADER));
}
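Review bot: The Referer indicator built by `sub(value, /^.*:\/\//, "")` strips everything up to the *last* `://` in the header rather than just the scheme, because Zeek's pattern matcher, as far as I can tell, prefers the longest match; a client-controlled value such as `https://evil.example/?u=http://x` is then submitted to Intel as `x` and never compared against an `evil.example/...` URL indicator. Restricting the stripped prefix to characters that cannot occur in a scheme, `$indicator=sub(value, /^[^\/]*:\/\//, ""),`, removes only the leading scheme and closes that evasion. This behaviour predates the commit and is merely carried onto the new `Intel::Seen(...)` line, so it could equally be a follow-up.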


@ -5,8 +5,8 @@
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &group="Intel::URL"
{
if ( is_orig && c?$http )
Intel::seen([$indicator=HTTP::build_url(c$http),
$indicator_type=Intel::URL,
$conn=c,
$where=HTTP::IN_URL]);
Intel::seen(Intel::Seen($indicator=HTTP::build_url(c$http),
$indicator_type=Intel::URL,
$conn=c,
$where=HTTP::IN_URL));
}


@ -14,10 +14,10 @@ event file_new(f: fa_file) &group="Intel::FILE_NAME"
{
local split_fname = split_string(c$smb_state$current_file$name, /\\/);
local fname = split_fname[|split_fname|-1];
Intel::seen([$indicator=fname,
$indicator_type=Intel::FILE_NAME,
$f=f,
$where=SMB::IN_FILE_NAME]);
Intel::seen(Intel::Seen($indicator=fname,
$indicator_type=Intel::FILE_NAME,
$f=f,
$where=SMB::IN_FILE_NAME));
}
}
}


@ -13,10 +13,10 @@ event intel_mime_data(f: fa_file, data: string) &group="Intel::URL"
local urls = find_all_urls_without_scheme(data);
for ( url in urls )
{
Intel::seen([$indicator=url,
$indicator_type=Intel::URL,
$conn=c,
$where=SMTP::IN_MESSAGE]);
Intel::seen(Intel::Seen($indicator=url,
$indicator_type=Intel::URL,
$conn=c,
$where=SMTP::IN_MESSAGE));
}
}
}
@ -24,5 +24,5 @@ event intel_mime_data(f: fa_file, data: string) &group="Intel::URL"
event file_new(f: fa_file) &group="Intel::URL"
{
if ( f$source == "SMTP" )
Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, [$stream_event=intel_mime_data]);
Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, Files::AnalyzerArgs($stream_event=intel_mime_data));
}


@ -12,16 +12,16 @@ event mime_end_entity(c: connection) &group="Intel::ADDR"
local path = c$smtp$path;
for ( i in path )
{
Intel::seen([$host=path[i],
$conn=c,
$where=SMTP::IN_RECEIVED_HEADER]);
Intel::seen(Intel::Seen($host=path[i],
$conn=c,
$where=SMTP::IN_RECEIVED_HEADER));
}
}
if ( c$smtp?$x_originating_ip )
Intel::seen([$host=c$smtp$x_originating_ip,
$conn=c,
$where=SMTP::IN_X_ORIGINATING_IP_HEADER]);
Intel::seen(Intel::Seen($host=c$smtp$x_originating_ip,
$conn=c,
$where=SMTP::IN_X_ORIGINATING_IP_HEADER));
}
}
@ -30,10 +30,10 @@ event mime_end_entity(c: connection) &group="Intel::SOFTWARE"
if ( c?$smtp )
{
if ( c$smtp?$user_agent )
Intel::seen([$indicator=c$smtp$user_agent,
$indicator_type=Intel::SOFTWARE,
$conn=c,
$where=SMTP::IN_HEADER]);
Intel::seen(Intel::Seen($indicator=c$smtp$user_agent,
$indicator_type=Intel::SOFTWARE,
$conn=c,
$where=SMTP::IN_HEADER));
}
}
@ -43,20 +43,20 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
{
if ( c$smtp?$mailfrom )
{
Intel::seen([$indicator=c$smtp$mailfrom,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_MAIL_FROM]);
Intel::seen(Intel::Seen($indicator=c$smtp$mailfrom,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_MAIL_FROM ));
}
if ( c$smtp?$rcptto )
{
for ( rcptto_addr in c$smtp$rcptto )
{
Intel::seen([$indicator=rcptto_addr,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_RCPT_TO]);
Intel::seen(Intel::Seen($indicator=rcptto_addr,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_RCPT_TO));
}
}
@ -64,10 +64,10 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
{
for ( from_addr in extract_email_addrs_set(c$smtp$from) )
{
Intel::seen([$indicator=from_addr,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_FROM]);
Intel::seen(Intel::Seen($indicator=from_addr,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_FROM));
}
}
@ -75,10 +75,10 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
{
for ( email_to_addr in c$smtp$to )
{
Intel::seen([$indicator=extract_first_email_addr(email_to_addr),
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_TO]);
Intel::seen(Intel::Seen($indicator=extract_first_email_addr(email_to_addr),
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_TO));
}
}
@ -86,19 +86,19 @@ event mime_end_entity(c: connection) &group="Intel::EMAIL"
{
for ( cc_addr in c$smtp$cc )
{
Intel::seen([$indicator=cc_addr,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_CC]);
Intel::seen(Intel::Seen($indicator=cc_addr,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_CC));
}
}
if ( c$smtp?$reply_to )
{
Intel::seen([$indicator=c$smtp$reply_to,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_REPLY_TO]);
Intel::seen(Intel::Seen($indicator=c$smtp$reply_to,
$indicator_type=Intel::EMAIL,
$conn=c,
$where=SMTP::IN_REPLY_TO));
}
}
}
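Review bot: `$where=SMTP::IN_MAIL_FROM ));` in the `mailfrom` branch carries a stray space before the closing parentheses that none of the other converted `Intel::seen(Intel::Seen(...))` calls in this file have; drop it for consistency, `$where=SMTP::IN_MAIL_FROM));`. The enclosing `mime_end_entity` handlers begin before their hunks, so the surrounding `if ( c?$smtp )` guards are not visible here.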


@ -5,10 +5,10 @@
event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &group="Intel::DOMAIN"
{
if ( is_orig && c?$ssl && c$ssl?$server_name )
Intel::seen([$indicator=c$ssl$server_name,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=SSL::IN_SERVER_NAME]);
Intel::seen(Intel::Seen($indicator=c$ssl$server_name,
$indicator_type=Intel::DOMAIN,
$conn=c,
$where=SSL::IN_SERVER_NAME));
}
event ssl_established(c: connection) &group="Intel::DOMAIN"
@ -18,9 +18,9 @@ event ssl_established(c: connection) &group="Intel::DOMAIN"
return;
if ( c$ssl$cert_chain[0]$x509?$certificate && c$ssl$cert_chain[0]$x509$certificate?$cn )
Intel::seen([$indicator=c$ssl$cert_chain[0]$x509$certificate$cn,
Intel::seen(Intel::Seen($indicator=c$ssl$cert_chain[0]$x509$certificate$cn,
$indicator_type=Intel::DOMAIN,
$fuid=c$ssl$cert_chain[0]$fuid,
$conn=c,
$where=X509::IN_CERT]);
$where=X509::IN_CERT));
}


@ -5,8 +5,8 @@
module Intel;
export {
## Enables the extraction of subject alternate names from the X509 SAN DNS field
option enable_x509_ext_subject_alternative_name = T;
## Enables the extraction of subject alternate names from the X509 SAN DNS field
option enable_x509_ext_subject_alternative_name = T;
}
event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) &group="Intel::DOMAIN"
@ -14,10 +14,10 @@ event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativ
if ( enable_x509_ext_subject_alternative_name && ext?$dns )
{
for ( i in ext$dns )
Intel::seen([$indicator=ext$dns[i],
Intel::seen(Intel::Seen($indicator=ext$dns[i],
$indicator_type=Intel::DOMAIN,
$f=f,
$where=X509::IN_CERT]);
$where=X509::IN_CERT));
}
}
@ -27,10 +27,10 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
{
local email = sub(cert$subject, /^.*emailAddress=/, "");
email = sub(email, /,.*$/, "");
Intel::seen([$indicator=email,
$indicator_type=Intel::EMAIL,
$f=f,
$where=X509::IN_CERT]);
Intel::seen(Intel::Seen($indicator=email,
$indicator_type=Intel::EMAIL,
$f=f,
$where=X509::IN_CERT));
}
}
@ -38,10 +38,10 @@ event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certifi
{
if ( f$info?$sha1 ) # if the file_hash event was raised before the x509 event...
{
Intel::seen([$indicator=f$info$sha1,
$indicator_type=Intel::CERT_HASH,
$f=f,
$where=X509::IN_CERT]);
Intel::seen(Intel::Seen($indicator=f$info$sha1,
$indicator_type=Intel::CERT_HASH,
$f=f,
$where=X509::IN_CERT));
}
}
@ -50,8 +50,8 @@ event file_hash(f: fa_file, kind: string, hash: string) &group="Intel::CERT_HASH
if ( ! f?$info || ! f$info?$x509 || kind != "sha1" )
return;
Intel::seen([$indicator=hash,
$indicator_type=Intel::CERT_HASH,
$f=f,
$where=X509::IN_CERT]);
Intel::seen(Intel::Seen($indicator=hash,
$indicator_type=Intel::CERT_HASH,
$f=f,
$where=X509::IN_CERT));
}


@ -88,8 +88,8 @@ function debug(message: string)
return;
local node = Supervisor::node();
Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[DEBUG],
$role=r2s[Management::role], $message=message]);
Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[DEBUG],
$role=r2s[Management::role], $message=message));
}
function info(message: string)
@ -98,8 +98,8 @@ function info(message: string)
return;
local node = Supervisor::node();
Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[INFO],
$role=r2s[Management::role], $message=message]);
Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[INFO],
$role=r2s[Management::role], $message=message));
}
function warning(message: string)
@ -108,8 +108,8 @@ function warning(message: string)
return;
local node = Supervisor::node();
Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[WARNING],
$role=r2s[Management::role], $message=message]);
Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[WARNING],
$role=r2s[Management::role], $message=message));
}
function error(message: string)
@ -118,8 +118,8 @@ function error(message: string)
return;
local node = Supervisor::node();
Log::write(LOG, [$ts=network_time(), $node=node$name, $level=l2s[ERROR],
$role=r2s[Management::role], $message=message]);
Log::write(LOG, Info($ts=network_time(), $node=node$name, $level=l2s[ERROR],
$role=r2s[Management::role], $message=message));
}
# Bump priority to ensure the log stream exists when other zeek_init handlers use it.


@ -29,8 +29,8 @@ global g_outputs: table[string] of NodeOutputStreams;
function make_node_output_streams(node: string): NodeOutputStreams
{
local stdout = Queue::init([$max_len = Management::Supervisor::output_max_lines]);
local stderr = Queue::init([$max_len = Management::Supervisor::output_max_lines]);
local stdout = Queue::init(Queue::Settings($max_len = Management::Supervisor::output_max_lines));
local stderr = Queue::init(Queue::Settings($max_len = Management::Supervisor::output_max_lines));
local res = NodeOutputStreams($stdout=stdout, $stderr=stderr);
local status = Supervisor::status(node);


@ -168,7 +168,7 @@ global catch_release_recently_notified: set[addr] &create_expire=30secs;
event zeek_init() &priority=5
{
Log::create_stream(NetControl::CATCH_RELEASE, [$columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release", $policy=log_policy_catch_release]);
Log::create_stream(NetControl::CATCH_RELEASE, Log::Stream($columns=CatchReleaseInfo, $ev=log_netcontrol_catch_release, $path="netcontrol_catch_release", $policy=log_policy_catch_release));
}
function get_watch_interval(current_interval: count): interval


@ -78,9 +78,9 @@ function shunt_filters()
event zeek_init() &priority=5
{
register_filter_plugin([
register_filter_plugin(FilterPlugin(
$func()={ return shunt_filters(); }
]);
));
}
function current_shunted_conns(): set[conn_id]
@ -97,8 +97,8 @@ function reached_max_shunts(): bool
{
if ( |shunted_conns| + |shunted_host_pairs| > max_bpf_shunts )
{
NOTICE([$note=No_More_Conn_Shunts_Available,
$msg=fmt("%d BPF shunts are in place and no more will be added until space clears.", max_bpf_shunts)]);
NOTICE(Notice::Info($note=No_More_Conn_Shunts_Available,
$msg=fmt("%d BPF shunts are in place and no more will be added until space clears.", max_bpf_shunts)));
return T;
}
else
@ -145,10 +145,10 @@ function shunt_conn(id: conn_id): bool
{
if ( is_v6_addr(id$orig_h) )
{
NOTICE([$note=Cannot_BPF_Shunt_Conn,
$msg="IPv6 connections can't be shunted with BPF due to limitations in BPF",
$sub="ipv6_conn",
$id=id, $identifier=cat(id)]);
NOTICE(Notice::Info($note=Cannot_BPF_Shunt_Conn,
$msg="IPv6 connections can't be shunted with BPF due to limitations in BPF",
$sub="ipv6_conn",
$id=id, $identifier=cat(id)));
return F;
}


@ -30,8 +30,8 @@ event Software::version_change(old: Software::Info, new: Software::Info)
local msg = fmt("%.6f %s '%s' version changed from %s to %s",
network_time(), old$software_type, old$name,
software_fmt_version(old$version),
software_fmt_version(new$version));
software_fmt_version(new$version));
NOTICE([$note=Software_Version_Change, $src=new$host,
$msg=msg, $sub=software_fmt(new)]);
NOTICE(Notice::Info($note=Software_Version_Change, $src=new$host,
$msg=msg, $sub=software_fmt(new)));
}


@ -47,7 +47,7 @@ function decode_vulnerable_version_range(vuln_sw: string): VulnerableVersionRang
{
# Create a max value with a dunce value only because the $max field
# is not optional.
local vvr: Software::VulnerableVersionRange = [$max=[$major=0]];
local vvr = Software::VulnerableVersionRange($max=Software::Version($major=0));
if ( /max=/ !in vuln_sw )
{
@ -138,9 +138,9 @@ event log_software(rec: Info)
(!version_range?$min || cmp_versions(rec$version, version_range$min) >= 0) )
{
# The software is inside a vulnerable version range.
NOTICE([$note=Vulnerable_Version, $src=rec$host,
$msg=fmt("%s is running %s which is vulnerable.", rec$host, software_fmt(rec)),
$sub=software_fmt(rec)]);
NOTICE(Notice::Info($note=Vulnerable_Version, $src=rec$host,
$msg=fmt("%s is running %s which is vulnerable.", rec$host, software_fmt(rec)),
$sub=software_fmt(rec)));
}
}
}


@ -59,12 +59,12 @@ event HTTP::log_http(rec: HTTP::Info) &priority=5
{
if ( rec$user_agent !in crypto_api_mapping )
{
Software::found(rec$id, [$unparsed_version=sub(rec$user_agent, /Microsoft-CryptoAPI/, "Unknown CryptoAPI Version"), $host=rec$id$orig_h, $software_type=WINDOWS]);
Software::found(rec$id, Software::Info($unparsed_version=sub(rec$user_agent, /Microsoft-CryptoAPI/, "Unknown CryptoAPI Version"), $host=rec$id$orig_h, $software_type=WINDOWS));
}
else
{
local result = crypto_api_mapping[rec$user_agent];
Software::found(rec$id, [$version=result$version, $name=result$name, $host=rec$id$orig_h, $software_type=WINDOWS]);
Software::found(rec$id, Software::Info($version=result$version, $name=result$name, $host=rec$id$orig_h, $software_type=WINDOWS));
}
}
}


@ -187,8 +187,8 @@ event Telemetry::log()
event zeek_init() &priority=5
{
Log::create_stream(LOG, [$columns=Info, $ev=log_telemetry, $path="telemetry", $policy=log_policy]);
Log::create_stream(LOG_HISTOGRAM, [$columns=HistogramInfo, $ev=log_telemetry_histogram, $path="telemetry_histogram", $policy=log_policy_histogram]);
Log::create_stream(LOG, Log::Stream($columns=Info, $ev=log_telemetry, $path="telemetry", $policy=log_policy));
Log::create_stream(LOG_HISTOGRAM, Log::Stream($columns=HistogramInfo, $ev=log_telemetry_histogram, $path="telemetry_histogram", $policy=log_policy_histogram));
schedule log_interval { Telemetry::log() };
}


@ -75,19 +75,19 @@ event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps:
local acks = g$ack_events - last_acks;
local gaps = g$gap_events - last_gaps;
local pct_lost = (acks == 0) ? 0.0 : (100 * (1.0 * gaps) / (1.0 * acks));
local info: Info = [$ts=now,
$ts_delta=now-last_ts,
$peer=peer_description,
$acks=acks, $gaps=gaps,
$percent_lost=pct_lost];
local info = Info($ts=now,
$ts_delta=now-last_ts,
$peer=peer_description,
$acks=acks, $gaps=gaps,
$percent_lost=pct_lost);
if ( pct_lost >= too_much_loss*100 )
NOTICE([$note=Too_Much_Loss,
$msg=fmt("The capture loss script detected an estimated loss rate above %.3f%%", pct_lost)]);
NOTICE(Notice::Info($note=Too_Much_Loss,
$msg=fmt("The capture loss script detected an estimated loss rate above %.3f%%", pct_lost)));
if ( acks < minimum_acks )
NOTICE([$note=Too_Little_Traffic,
$msg=fmt("Only observed %d TCP ACKs and was expecting at least %d.", acks, minimum_acks)]);
NOTICE(Notice::Info($note=Too_Little_Traffic,
$msg=fmt("Only observed %d TCP ACKs and was expecting at least %d.", acks, minimum_acks)));
Log::write(LOG, info);
schedule watch_interval { CaptureLoss::take_measurement(now, g$ack_events, g$gap_events) };
@ -95,7 +95,7 @@ event CaptureLoss::take_measurement(last_ts: time, last_acks: count, last_gaps:
event zeek_init() &priority=5
{
Log::create_stream(LOG, [$columns=Info, $path="capture_loss", $policy=log_policy]);
Log::create_stream(LOG, Log::Stream($columns=Info, $path="capture_loss", $policy=log_policy));
# We only schedule the event if we are capturing packets.
if ( reading_live_traffic() || reading_traces() )


@ -57,35 +57,35 @@ export {
event zeek_init() &priority=5
{
Log::create_stream(Traceroute::LOG, [$columns=Info, $ev=log_traceroute, $path="traceroute", $policy=log_policy]);
Log::create_stream(Traceroute::LOG, Log::Stream($columns=Info, $ev=log_traceroute, $path="traceroute", $policy=log_policy));
local r1: SumStats::Reducer = [$stream="traceroute.time_exceeded", $apply=set(SumStats::UNIQUE)];
local r2: SumStats::Reducer = [$stream="traceroute.low_ttl_packet", $apply=set(SumStats::SUM)];
SumStats::create([$name="traceroute-detection",
$epoch=icmp_time_exceeded_interval,
$reducers=set(r1, r2),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
# Give a threshold value of zero depending on if the host
# sends a low ttl packet.
if ( require_low_ttl_packets && result["traceroute.low_ttl_packet"]$sum == 0 )
return 0.0;
else
return result["traceroute.time_exceeded"]$unique+0;
},
$threshold=icmp_time_exceeded_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local parts = split_string_n(key$str, /-/, F, 2);
local src = to_addr(parts[0]);
local dst = to_addr(parts[1]);
local proto = parts[2];
Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst, $proto=proto]);
NOTICE([$note=Traceroute::Detected,
$msg=fmt("%s seems to be running traceroute using %s", src, proto),
$src=src,
$identifier=cat(src,proto)]);
}]);
local r1 = SumStats::Reducer($stream="traceroute.time_exceeded", $apply=set(SumStats::UNIQUE));
local r2 = SumStats::Reducer($stream="traceroute.low_ttl_packet", $apply=set(SumStats::SUM));
SumStats::create(SumStats::SumStat($name="traceroute-detection",
$epoch=icmp_time_exceeded_interval,
$reducers=set(r1, r2),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
# Give a threshold value of zero depending on if the host
# sends a low ttl packet.
if ( require_low_ttl_packets && result["traceroute.low_ttl_packet"]$sum == 0 )
return 0.0;
else
return result["traceroute.time_exceeded"]$unique+0;
},
$threshold=icmp_time_exceeded_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local parts = split_string_n(key$str, /-/, F, 2);
local src = to_addr(parts[0]);
local dst = to_addr(parts[1]);
local proto = parts[2];
Log::write(LOG, Info($ts=network_time(), $src=src, $dst=dst, $proto=proto));
NOTICE(Notice::Info($note=Traceroute::Detected,
$msg=fmt("%s seems to be running traceroute using %s", src, proto),
$src=src,
$identifier=cat(src,proto)));
}));
}
# Low TTL packets are detected with a signature.
@ -93,11 +93,11 @@ event signature_match(state: signature_state, msg: string, data: string)
{
if ( state$sig_id == /traceroute-detector.*/ )
{
SumStats::observe("traceroute.low_ttl_packet", [$str=cat(state$conn$id$orig_h,"-",state$conn$id$resp_h,"-",get_port_transport_proto(state$conn$id$resp_p))], [$num=1]);
SumStats::observe("traceroute.low_ttl_packet", SumStats::Key($str=cat(state$conn$id$orig_h,"-", state$conn$id$resp_h, "-", get_port_transport_proto(state$conn$id$resp_p))), SumStats::Observation($num=1));
}
}
event icmp_time_exceeded(c: connection, info: icmp_info, code: count, context: icmp_context)
{
SumStats::observe("traceroute.time_exceeded", [$str=cat(context$id$orig_h,"-",context$id$resp_h,"-",get_port_transport_proto(context$id$resp_p))], [$str=cat(c$id$orig_h)]);
SumStats::observe("traceroute.time_exceeded", SumStats::Key($str=cat(context$id$orig_h,"-", context$id$resp_h, "-", get_port_transport_proto(context$id$resp_p))), SumStats::Observation($str=cat(c$id$orig_h)));
}
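Review bot: `Log::write(LOG, Info($ts=network_time(), ...))` inside the `$threshold_crossed` callback uses the bare `LOG` and `Info` while `Log::create_stream(Traceroute::LOG, Log::Stream(...))` a few lines earlier in the same handler keeps the qualified name; presumably this file sits under `module Traceroute` so both resolve, but mixing the two forms in one function reads as if two different streams were involved. Writing `Log::write(Traceroute::LOG, Traceroute::Info($ts=network_time(), $src=src, $dst=dst, $proto=proto));` keeps the qualification consistent. The spacing changes inside the two `cat(...)` calls in `signature_match` and `icmp_time_exceeded` are whitespace-only and unrelated to the record-construction refactor; they would be easier to review in their own commit.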


@ -31,10 +31,10 @@ function get_indent(level: count): string
event zeek_init() &priority=5
{
Log::create_stream(LoadedScripts::LOG, [$columns=Info, $path="loaded_scripts", $policy=log_policy]);
Log::create_stream(LoadedScripts::LOG, Log::Stream($columns=Info, $path="loaded_scripts", $policy=log_policy));
}
event zeek_script_loaded(path: string, level: count)
{
Log::write(LoadedScripts::LOG, [$name=cat(get_indent(level), compress_path(path))]);
Log::write(LOG, Info($name=cat(get_indent(level), compress_path(path))));
}
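Review bot: The rewritten `Log::write` drops the `LoadedScripts::` qualification (`Log::write(LOG, Info(...))`) while `Log::create_stream(LoadedScripts::LOG, ...)` in the hunk just above keeps it, so the two references to the same stream now look different within one short file. Keep the qualified name for consistency with the stream creation, `Log::write(LoadedScripts::LOG, Info($name=cat(get_indent(level), compress_path(path))));`. Assuming the file is under `module LoadedScripts`, this is purely a readability point and has no behavioural effect.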


@ -89,56 +89,56 @@ export {
global log_stats: event(rec: Info);
}
global bytes_received_cf = Telemetry::register_counter_family([
global bytes_received_cf = Telemetry::register_counter_family(Telemetry::MetricOpts(
$prefix="zeek",
$name="net-received-bytes",
$unit="",
$help_text="Total number of bytes received",
]);
));
global packets_received_cf = Telemetry::register_counter_family([
global packets_received_cf = Telemetry::register_counter_family(Telemetry::MetricOpts(
$prefix="zeek",
$name="net-received-packets",
$unit="",
$help_text="Total number of packets received",
]);
));
global packets_dropped_cf = Telemetry::register_counter_family([
global packets_dropped_cf = Telemetry::register_counter_family(Telemetry::MetricOpts(
$prefix="zeek",
$name="net-dropped-packets",
$unit="",
$help_text="Total number of packets dropped",
]);
));
global link_packets_cf = Telemetry::register_counter_family([
global link_packets_cf = Telemetry::register_counter_family(Telemetry::MetricOpts(
$prefix="zeek",
$name="net-link-packets",
$unit="",
$help_text="Total number of packets on the packet source link before filtering",
]);
));
global packets_filtered_cf = Telemetry::register_counter_family([
global packets_filtered_cf = Telemetry::register_counter_family(Telemetry::MetricOpts(
$prefix="zeek",
$name="net-filtered-packets",
$unit="",
$help_text="Total number of packets filtered",
]);
));
global packet_lag_gf = Telemetry::register_gauge_family([
global packet_lag_gf = Telemetry::register_gauge_family(Telemetry::MetricOpts(
$prefix="zeek",
$name="net-packet-lag",
$unit="seconds",
$help_text="Difference of network time and wallclock time in seconds.",
]);
));
# Gauge as motivated by:
# https://www.robustperception.io/are-increasing-timestamps-counters-or-gauges/
global network_time_cf = Telemetry::register_gauge_family([
global network_time_cf = Telemetry::register_gauge_family(Telemetry::MetricOpts(
$prefix="zeek",
$name="net-timestamp",
$unit="seconds",
$help_text="The current network time.",
]);
));
global no_labels: vector of string;
@ -164,7 +164,7 @@ hook Telemetry::sync()
event zeek_init() &priority=5
{
Log::create_stream(Stats::LOG, [$columns=Info, $ev=log_stats, $path="stats", $policy=log_policy]);
Log::create_stream(Stats::LOG, Log::Stream($columns=Info, $ev=log_stats, $path="stats", $policy=log_policy));
}
event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: ProcStats, last_es: EventStats, last_rs: ReassemblerStats, last_ts: TimerStats, last_fs: FileAnalysisStats, last_ds: DNSStats)
@ -179,36 +179,35 @@ event check_stats(then: time, last_ns: NetStats, last_cs: ConnStats, last_ps: Pr
local fs = get_file_analysis_stats();
local ds = get_dns_stats();
local info: Info = [$ts=nettime,
$peer=peer_description,
$mem=ps$mem/1048576,
$pkts_proc=ns$pkts_recvd - last_ns$pkts_recvd,
$bytes_recv = ns$bytes_recvd - last_ns$bytes_recvd,
local info = Info($ts=nettime,
$peer=peer_description,
$mem=ps$mem/1048576,
$pkts_proc=ns$pkts_recvd - last_ns$pkts_recvd,
$bytes_recv = ns$bytes_recvd - last_ns$bytes_recvd,
$active_tcp_conns=cs$num_tcp_conns,
$tcp_conns=cs$cumulative_tcp_conns - last_cs$cumulative_tcp_conns,
$active_udp_conns=cs$num_udp_conns,
$udp_conns=cs$cumulative_udp_conns - last_cs$cumulative_udp_conns,
$active_icmp_conns=cs$num_icmp_conns,
$icmp_conns=cs$cumulative_icmp_conns - last_cs$cumulative_icmp_conns,
$active_tcp_conns=cs$num_tcp_conns,
$tcp_conns=cs$cumulative_tcp_conns - last_cs$cumulative_tcp_conns,
$active_udp_conns=cs$num_udp_conns,
$udp_conns=cs$cumulative_udp_conns - last_cs$cumulative_udp_conns,
$active_icmp_conns=cs$num_icmp_conns,
$icmp_conns=cs$cumulative_icmp_conns - last_cs$cumulative_icmp_conns,
$reassem_tcp_size=rs$tcp_size,
$reassem_file_size=rs$file_size,
$reassem_frag_size=rs$frag_size,
$reassem_unknown_size=rs$unknown_size,
$reassem_tcp_size=rs$tcp_size,
$reassem_file_size=rs$file_size,
$reassem_frag_size=rs$frag_size,
$reassem_unknown_size=rs$unknown_size,
$events_proc=es$dispatched - last_es$dispatched,
$events_queued=es$queued - last_es$queued,
$events_proc=es$dispatched - last_es$dispatched,
$events_queued=es$queued - last_es$queued,
$timers=ts$cumulative - last_ts$cumulative,
$active_timers=ts$current,
$timers=ts$cumulative - last_ts$cumulative,
$active_timers=ts$current,
$files=fs$cumulative - last_fs$cumulative,
$active_files=fs$current,
$files=fs$cumulative - last_fs$cumulative,
$active_files=fs$current,
$dns_requests=ds$requests - last_ds$requests,
$active_dns_requests=ds$pending
];
$dns_requests=ds$requests - last_ds$requests,
$active_dns_requests=ds$pending);
# Someone's going to have to explain what this is and add a field to the Info record.
# info$util = 100.0*((ps$user_time + ps$system_time) - (last_ps$user_time + last_ps$system_time))/(now-then);


@ -54,5 +54,5 @@ event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: stri
event zeek_init() &priority=5
{
Log::create_stream(LOG, [$columns=Info, $path="unknown_protocols", $policy=log_policy]);
Log::create_stream(LOG, Log::Stream($columns=Info, $path="unknown_protocols", $policy=log_policy));
}


@ -56,14 +56,14 @@ function weird_epoch_finished(ts: time)
event zeek_init() &priority=5
{
Log::create_stream(WeirdStats::LOG,
[$columns = Info, $ev = log_weird_stats,
$path="weird_stats", $policy=log_policy]);
Log::Stream($columns = Info, $ev = log_weird_stats,
$path="weird_stats", $policy=log_policy));
local r1 = SumStats::Reducer($stream = "weirds.encountered",
$apply = set(SumStats::SUM));
SumStats::create([$name = "weirds.statistics",
$epoch = weird_stat_interval, $reducers = set(r1),
$epoch_result = weird_epoch_results,
$epoch_finished = weird_epoch_finished]);
SumStats::create(SumStats::SumStat($name = "weirds.statistics",
$epoch = weird_stat_interval, $reducers = set(r1),
$epoch_result = weird_epoch_results,
$epoch_finished = weird_epoch_finished));
}
module SumStats;


@ -150,7 +150,7 @@ event Known::host_found(info: HostsInfo)
event zeek_init() &priority=5
{
Log::create_stream(Known::HOSTS_LOG, [$columns=HostsInfo, $ev=log_known_hosts, $path="known_hosts", $policy=log_policy_hosts]);
Log::create_stream(Known::HOSTS_LOG, Log::Stream($columns=HostsInfo, $ev=log_known_hosts, $path="known_hosts", $policy=log_policy_hosts));
}
event connection_established(c: connection) &priority=5
@ -165,5 +165,5 @@ event connection_established(c: connection) &priority=5
for ( host in set(id$orig_h, id$resp_h) )
if ( addr_matches_host(host, host_tracking) )
event Known::host_found([$ts = network_time(), $host = host]);
event Known::host_found(Known::HostsInfo($ts = network_time(), $host = host));
}


@ -238,9 +238,8 @@ event known_service_add(info: ServicesInfo)
}
}
@if ( ! Cluster::is_enabled() ||
Cluster::local_node_type() == Cluster::PROXY )
Log::write(Known::SERVICES_LOG, info_to_log);
@if ( ! Cluster::is_enabled() || Cluster::local_node_type() == Cluster::PROXY )
Log::write(Known::SERVICES_LOG, info_to_log);
@endif
}
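Review bot: The join of the two-line `@if ( ! Cluster::is_enabled() || Cluster::local_node_type() == Cluster::PROXY )` and the re-indent of the `Log::write(Known::SERVICES_LOG, info_to_log);` beneath it is a whitespace-only change with no record construction in it, so it does not belong to the stated purpose of this commit (coercion to explicit construction). Unrelated reformatting inside a 139-file mechanical sweep makes the sweep harder to audit by eye; either keep the original line break here or mention the reformat in the commit message. The enclosing event handler starts and ends outside the hunk.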
@ -376,8 +375,8 @@ event connection_state_remove(c: connection) &priority=-5
event zeek_init() &priority=5
{
Log::create_stream(Known::SERVICES_LOG, [$columns=ServicesInfo,
$ev=log_known_services,
$path="known_services",
$policy=log_policy_services]);
Log::create_stream(Known::SERVICES_LOG, Log::Stream($columns=ServicesInfo,
$ev=log_known_services,
$path="known_services",
$policy=log_policy_services));
}


@ -19,16 +19,16 @@ export {
event rexmit_inconsistency(c: connection, t1: string, t2: string, tcp_flags: string)
{
NOTICE([$note=Retransmission_Inconsistency,
$conn=c,
$msg=fmt("%s rexmit inconsistency (%s) (%s) [%s]",
id_string(c$id), t1, t2, tcp_flags),
$identifier=fmt("%s", c$id)]);
NOTICE(Notice::Info($note=Retransmission_Inconsistency,
$conn=c,
$msg=fmt("%s rexmit inconsistency (%s) (%s) [%s]",
id_string(c$id), t1, t2, tcp_flags),
$identifier=fmt("%s", c$id)));
}
event content_gap(c: connection, is_orig: bool, seq: count, length: count)
{
NOTICE([$note=Content_Gap, $conn=c,
$msg=fmt("%s content gap (%s %d/%d)",
id_string(c$id), is_orig ? ">" : "<", seq, length)]);
NOTICE(Notice::Info($note=Content_Gap, $conn=c,
$msg=fmt("%s content gap (%s %d/%d)",
id_string(c$id), is_orig ? ">" : "<", seq, length)));
}


@ -30,9 +30,9 @@ event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string, is_orig: bool, ms
else
{
log_info$server_software = options$vendor_class;
Software::found(id, [$unparsed_version=options$vendor_class,
$host=id$resp_h,
$software_type=DHCP::SERVER]);
Software::found(id, Software::Info($unparsed_version=options$vendor_class,
$host=id$resp_h,
$software_type=DHCP::SERVER));
}
}
}
@ -42,24 +42,24 @@ event DHCP::log_dhcp(rec: DHCP::Info)
if ( rec?$assigned_addr && rec?$server_addr &&
(rec?$client_software || rec?$server_software) )
{
local id: conn_id = [$orig_h=rec$assigned_addr,
$orig_p=rec$client_port,
$resp_h=rec$server_addr,
$resp_p=rec$server_port,
$proto=17]; # DHCP is typically UDP
local id = conn_id($orig_h=rec$assigned_addr,
$orig_p=rec$client_port,
$resp_h=rec$server_addr,
$resp_p=rec$server_port,
$proto=17); # DHCP is typically UDP
if ( rec?$client_software && rec$assigned_addr != 255.255.255.255 )
{
Software::found(id, [$unparsed_version=rec$client_software,
$host=rec$assigned_addr, $host_p=id$orig_p,
$software_type=DHCP::CLIENT]);
Software::found(id, Software::Info($unparsed_version=rec$client_software,
$host=rec$assigned_addr, $host_p=id$orig_p,
$software_type=DHCP::CLIENT));
}
if ( rec?$server_software )
{
Software::found(id, [$unparsed_version=rec$server_software,
$host=rec$server_addr, $host_p=id$resp_p,
$software_type=DHCP::SERVER]);
Software::found(id, Software::Info($unparsed_version=rec$server_software,
$host=rec$server_addr, $host_p=id$resp_p,
$software_type=DHCP::SERVER));
}
}
}
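Review bot: `$proto=17` in the new `conn_id(...)` construction is still a bare magic number with only a trailing "# DHCP is typically UDP" remark; since the value now sits inside a constructor call rather than a typed literal, I would make the intent explicit on the line itself, e.g. `$proto=17); # IPPROTO_UDP: the conn_id is synthesized from the DHCP lease, not an observed flow`. The surrounding code also guards only the client branch with `rec$assigned_addr != 255.255.255.255`, while the server branch records `rec$server_addr` unconditionally; whether a placeholder server address can reach `Software::found` here is not visible in the hunk and worth confirming, though it predates this change. The hunk assumes `rec$client_port` and `rec$server_port` are always present on `DHCP::Info`, which the record definition outside this view would have to confirm. The enclosing `DHCP::log_dhcp` handler starts and ends outside the hunk.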


@ -33,10 +33,10 @@ function detect_external_names(c: connection, msg: dns_msg, ans: dns_answer, a:
if ( Site::is_local_addr(a) && # referring to a local host
! Site::is_local_name(ans$query) ) # name isn't in a local zone.
{
NOTICE([$note=External_Name,
$msg=fmt("%s is pointing to a local host - %s.", ans$query, a),
$conn=c,
$identifier=cat(a,ans$query)]);
NOTICE(Notice::Info($note=External_Name,
$msg=fmt("%s is pointing to a local host - %s.", ans$query, a),
$conn=c,
$identifier=cat(a,ans$query)));
}
}


@ -27,26 +27,26 @@ export {
event zeek_init()
{
local r1: SumStats::Reducer = [$stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2)];
SumStats::create([$name="ftp-detect-bruteforcing",
$epoch=bruteforce_measurement_interval,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["ftp.failed_auth"]$num+0.0;
},
$threshold=bruteforce_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["ftp.failed_auth"];
local dur = duration_to_mins_secs(r$end-r$begin);
local plural = r$unique>1 ? "s" : "";
local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
NOTICE([$note=FTP::Bruteforcing,
$src=key$host,
$msg=message,
$identifier=cat(key$host)]);
}]);
local r1 = SumStats::Reducer($stream="ftp.failed_auth", $apply=set(SumStats::UNIQUE), $unique_max=double_to_count(bruteforce_threshold+2));
SumStats::create(SumStats::SumStat($name="ftp-detect-bruteforcing",
$epoch=bruteforce_measurement_interval,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["ftp.failed_auth"]$num+0.0;
},
$threshold=bruteforce_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["ftp.failed_auth"];
local dur = duration_to_mins_secs(r$end-r$begin);
local plural = r$unique>1 ? "s" : "";
local message = fmt("%s had %d failed logins on %d FTP server%s in %s", key$host, r$num, r$unique, plural, dur);
NOTICE(Notice::Info($note=FTP::Bruteforcing,
$src=key$host,
$msg=message,
$identifier=cat(key$host)));
}));
}
event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
@ -55,6 +55,6 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
if ( cmd == "USER" || cmd == "PASS" )
{
if ( FTP::parse_ftp_reply_code(code)$x == 5 )
SumStats::observe("ftp.failed_auth", [$host=c$id$orig_h], [$str=cat(c$id$resp_h)]);
SumStats::observe("ftp.failed_auth", SumStats::Key($host=c$id$orig_h), SumStats::Observation($str=cat(c$id$resp_h)));
}
}


@ -22,8 +22,8 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
c$ftp$cmdarg$cmd == "SITE" &&
/[Ee][Xx][Ee][Cc]/ in c$ftp$cmdarg$arg )
{
NOTICE([$note=Site_Exec_Success, $conn=c,
$msg=fmt("FTP command: %s %s", c$ftp$cmdarg$cmd, c$ftp$cmdarg$arg),
$identifier=cat(c$id$orig_h, c$id$resp_h, "SITE EXEC")]);
NOTICE(Notice::Info($note=Site_Exec_Success, $conn=c,
$msg=fmt("FTP command: %s %s", c$ftp$cmdarg$cmd, c$ftp$cmdarg$arg),
$identifier=cat(c$id$orig_h, c$id$resp_h, "SITE EXEC")));
}
}


@ -23,6 +23,6 @@ event ftp_request(c: connection, command: string, arg: string) &priority=4
{
if ( command == "CLNT" )
{
Software::found(c$id, [$unparsed_version=arg, $host=c$id$orig_h, $software_type=CLIENT]);
Software::found(c$id, Software::Info($unparsed_version=arg, $host=c$id$orig_h, $software_type=CLIENT));
}
}


@ -72,7 +72,7 @@ event zeek_init() &priority=3
$num_samples=1
);
SumStats::create([
SumStats::create(SumStats::SumStat(
$name="detect-sqli-attackers",
$epoch=sqli_requests_interval,
$reducers=set(r1),
@ -86,16 +86,16 @@ event zeek_init() &priority=3
local r = result["http.sqli.attacker"];
local dst = to_addr(r$samples[0]$str);
local uid = r$samples[0]$uid;
NOTICE([$note=SQL_Injection_Attacker,
$msg="An SQL injection attacker was discovered!",
$uid=uid,
$src=key$host,
$dst=dst,
$identifier=cat(key$host)]);
NOTICE(Notice::Info($note=SQL_Injection_Attacker,
$msg="An SQL injection attacker was discovered!",
$uid=uid,
$src=key$host,
$dst=dst,
$identifier=cat(key$host)));
}
]);
));
SumStats::create([
SumStats::create(SumStats::SumStat(
$name="detect-sqli-victims",
$epoch=sqli_requests_interval,
$reducers=set(r2),
@ -109,14 +109,14 @@ event zeek_init() &priority=3
local r = result["http.sqli.victim"];
local src = to_addr(r$samples[0]$str);
local uid = r$samples[0]$uid;
NOTICE([$note=SQL_Injection_Victim,
$msg="An SQL injection victim was discovered!",
$uid=uid,
$src=src,
$dst=key$host,
$identifier=cat(key$host)]);
NOTICE(Notice::Info($note=SQL_Injection_Victim,
$msg="An SQL injection victim was discovered!",
$uid=uid,
$src=src,
$dst=key$host,
$identifier=cat(key$host)));
}
]);
));
}
event http_request(c: connection, method: string, original_URI: string,


@ -87,43 +87,43 @@ event zeek_init() &priority=3
# Add filters to the metrics so that the metrics framework knows how to
# determine when it looks like an actual attack and how to respond when
# thresholds are crossed.
local r1: SumStats::Reducer = [$stream="http.sqli.attacker", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples];
SumStats::create([$name="detect-sqli-attackers",
$epoch=sqli_requests_interval,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["http.sqli.attacker"]$sum;
},
$threshold=sqli_requests_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["http.sqli.attacker"];
NOTICE([$note=SQL_Injection_Attacker,
$msg="An SQL injection attacker was discovered!",
$email_body_sections=vector(format_sqli_samples(r$samples)),
$src=key$host,
$identifier=cat(key$host)]);
}]);
local r1 = SumStats::Reducer($stream="http.sqli.attacker", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples);
SumStats::create(SumStats::SumStat($name="detect-sqli-attackers",
$epoch=sqli_requests_interval,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["http.sqli.attacker"]$sum;
},
$threshold=sqli_requests_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["http.sqli.attacker"];
NOTICE(Notice::Info($note=SQL_Injection_Attacker,
$msg="An SQL injection attacker was discovered!",
$email_body_sections=vector(format_sqli_samples(r$samples)),
$src=key$host,
$identifier=cat(key$host)));
}));
local r2: SumStats::Reducer = [$stream="http.sqli.victim", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples];
SumStats::create([$name="detect-sqli-victims",
$epoch=sqli_requests_interval,
$reducers=set(r2),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["http.sqli.victim"]$sum;
},
$threshold=sqli_requests_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["http.sqli.victim"];
NOTICE([$note=SQL_Injection_Victim,
$msg="An SQL injection victim was discovered!",
$email_body_sections=vector(format_sqli_samples(r$samples)),
$src=key$host,
$identifier=cat(key$host)]);
}]);
local r2 = SumStats::Reducer($stream="http.sqli.victim", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=collect_SQLi_samples);
SumStats::create(SumStats::SumStat($name="detect-sqli-victims",
$epoch=sqli_requests_interval,
$reducers=set(r2),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["http.sqli.victim"]$sum;
},
$threshold=sqli_requests_threshold,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["http.sqli.victim"];
NOTICE(Notice::Info($note=SQL_Injection_Victim,
$msg="An SQL injection victim was discovered!",
$email_body_sections=vector(format_sqli_samples(r$samples)),
$src=key$host,
$identifier=cat(key$host)));
}));
}
event http_request(c: connection, method: string, original_URI: string,
@ -136,7 +136,7 @@ event http_request(c: connection, method: string, original_URI: string,
{
add c$http$tags[URI_SQLI];
SumStats::observe("http.sqli.attacker", [$host=c$id$orig_h], [$str=original_URI]);
SumStats::observe("http.sqli.victim", [$host=c$id$resp_h], [$str=original_URI]);
SumStats::observe("http.sqli.attacker", SumStats::Key($host=c$id$orig_h), SumStats::Observation($str=original_URI));
SumStats::observe("http.sqli.victim", SumStats::Key($host=c$id$resp_h), SumStats::Observation($str=original_URI));
}
}


@ -29,7 +29,7 @@ event signature_match(state: signature_state, msg: string, data: string) &priori
local c = state$conn;
local si: Software::Info;
si = [$name=msg, $unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION];
si = Software::Info($name=msg, $unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION);
si$url = build_url_http(c$http);
Software::found(c$id, si);
}
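Review bot: `si` is still declared on its own line as `local si: Software::Info;` and only assigned on the following line, which is exactly the declare-elsewhere-then-assign shape the commit message says obscures the code; collapse the two into `local si = Software::Info($name=msg, $unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION);` and leave the later `si$url = build_url_http(c$http);` as is. Note that `msg` here is signature-match text used both as the software name and as the unparsed version, so the same attacker-influenced string flows into both fields; that is pre-existing and unchanged by this hunk. The enclosing `signature_match` handler starts outside the hunk.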


@ -61,7 +61,7 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
c$http$flash_version = cat("AdobeAIR-", c$http$flash_version);
}
Software::found(c$id, [$unparsed_version=c$http$flash_version, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN]);
Software::found(c$id, Software::Info($unparsed_version=c$http$flash_version, $host=c$id$orig_h, $software_type=BROWSER_PLUGIN));
}
}
@ -81,7 +81,7 @@ event log_http(rec: Info)
local plugins = split_string(sw, /[[:blank:]]*;[[:blank:]]*/);
for ( i in plugins )
Software::found(rec$id, [$unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN]);
Software::found(rec$id, Software::Info($unparsed_version=plugins[i], $host=rec$id$orig_h, $software_type=BROWSER_PLUGIN));
}
}
}


@ -23,18 +23,18 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
if ( is_orig )
{
if ( name == "USER-AGENT" && ignored_user_agents !in value )
Software::found(c$id, [$unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER]);
Software::found(c$id, Software::Info($unparsed_version=value, $host=c$id$orig_h, $software_type=BROWSER));
}
else
{
if ( name == "SERVER" )
Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER]);
Software::found(c$id, Software::Info($unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER));
else if ( name == "X-POWERED-BY" )
Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER]);
Software::found(c$id, Software::Info($unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER));
else if ( name == "MICROSOFTSHAREPOINTTEAMSERVICES" )
{
value = cat("SharePoint/", value);
Software::found(c$id, [$unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER]);
Software::found(c$id, Software::Info($unparsed_version=value, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=APPSERVER));
}
}
}


@ -37,7 +37,7 @@ export {
event zeek_init() &priority=5
{
Log::create_stream(Known::MODBUS_LOG, [$columns=ModbusInfo, $ev=log_known_modbus, $path="known_modbus", $policy=log_policy_modbus]);
Log::create_stream(Known::MODBUS_LOG, Log::Stream($columns=ModbusInfo, $ev=log_known_modbus, $path="known_modbus", $policy=log_policy_modbus));
}
event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
@ -48,13 +48,13 @@ event modbus_message(c: connection, headers: ModbusHeaders, is_orig: bool)
if ( [master, MODBUS_MASTER] !in modbus_nodes )
{
add modbus_nodes[master, MODBUS_MASTER];
Log::write(MODBUS_LOG, [$ts=network_time(), $host=master, $device_type=MODBUS_MASTER]);
Log::write(MODBUS_LOG, ModbusInfo($ts=network_time(), $host=master, $device_type=MODBUS_MASTER));
}
if ( [slave, MODBUS_SLAVE] !in modbus_nodes )
{
add modbus_nodes[slave, MODBUS_SLAVE];
Log::write(MODBUS_LOG, [$ts=network_time(), $host=slave, $device_type=MODBUS_SLAVE]);
Log::write(MODBUS_LOG, ModbusInfo($ts=network_time(), $host=slave, $device_type=MODBUS_SLAVE));
}
}


@ -56,7 +56,7 @@ redef record Modbus::Info += {
event zeek_init() &priority=5
{
Log::create_stream(Modbus::REGISTER_CHANGE_LOG, [$columns=MemmapInfo, $path="modbus_register_change", $policy=log_policy_register_change]);
Log::create_stream(Modbus::REGISTER_CHANGE_LOG, Log::Stream($columns=MemmapInfo, $path="modbus_register_change", $policy=log_policy_register_change));
}
event modbus_read_holding_registers_request(c: connection, headers: ModbusHeaders, start_address: count, quantity: count)
@ -92,7 +92,7 @@ event modbus_read_holding_registers_response(c: connection, headers: ModbusHeade
}
else
{
local tmp_reg: RegisterValue = [$last_set=network_time(), $value=registers[i]];
local tmp_reg = RegisterValue($last_set=network_time(), $value=registers[i]);
slave_regs[c$modbus$track_address] = tmp_reg;
}
@ -102,7 +102,7 @@ event modbus_read_holding_registers_response(c: connection, headers: ModbusHeade
event Modbus::changed_register(c: connection, register: count, old_val: count, new_val: count, delta: interval)
{
local rec: MemmapInfo = [$ts=network_time(), $uid=c$uid, $id=c$id,
$register=register, $old_val=old_val, $new_val=new_val, $delta=delta];
local rec = MemmapInfo($ts=network_time(), $uid=c$uid, $id=c$id,
$register=register, $old_val=old_val, $new_val=new_val, $delta=delta);
Log::write(REGISTER_CHANGE_LOG, rec);
}


@ -16,5 +16,5 @@ event mysql_server_version(c: connection, ver: string)
if ( ver == "" )
return;
Software::found(c$id, [$unparsed_version=ver, $host=c$id$resp_h, $software_type=SERVER]);
Software::found(c$id, Software::Info($unparsed_version=ver, $host=c$id$resp_h, $software_type=SERVER));
}


@ -29,7 +29,7 @@ const deferred_logging_cmds: set[string] = {
event zeek_init() &priority=5
{
Log::create_stream(SMB::CMD_LOG, [$columns=SMB::CmdInfo, $path="smb_cmd", $policy=log_policy]);
Log::create_stream(SMB::CMD_LOG, Log::Stream($columns=SMB::CmdInfo, $path="smb_cmd", $policy=log_policy));
}
event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5


@ -56,8 +56,8 @@ event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
message = fmt("%s is on an SMTP block list", c$id$orig_h);
}
NOTICE([$note=note, $conn=c, $msg=message, $sub=msg,
$identifier=cat(c$id$orig_h)]);
NOTICE(Notice::Info($note=note, $conn=c, $msg=message, $sub=msg,
$identifier=cat(c$id$orig_h)));
}
}
}


@ -29,10 +29,10 @@ event log_smtp(rec: Info)
loc$country_code in suspicious_origination_countries) ||
ip in suspicious_origination_networks )
{
NOTICE([$note=Suspicious_Origination,
$msg=fmt("An email originated from %s (%s).",
loc?$country_code ? loc$country_code : "", ip),
$id=rec$id]);
NOTICE(Notice::Info($note=Suspicious_Origination,
$msg=fmt("An email originated from %s (%s).",
loc?$country_code ? loc$country_code : "", ip),
$id=rec$id));
}
}
if ( rec?$path )
@ -44,9 +44,9 @@ event log_smtp(rec: Info)
loc$country_code in suspicious_origination_countries) ||
ip in suspicious_origination_networks )
{
NOTICE([$note=Suspicious_Origination,
$msg=fmt("Based up Received headers, email originated from %s (%s).", loc?$country_code ? loc$country_code : "", ip),
$id=rec$id]);
NOTICE(Notice::Info($note=Suspicious_Origination,
$msg=fmt("Based up Received headers, email originated from %s (%s).", loc?$country_code ? loc$country_code : "", ip),
$id=rec$id));
}
}
}


@ -75,7 +75,7 @@ event log_smtp(rec: Info)
if ( addr_matches_host(rec$id$orig_h,
detect_clients_in_messages_from) )
{
Software::found(rec$id, [$unparsed_version=rec$user_agent, $host=client_ip, $software_type=s_type]);
Software::found(rec$id, Software::Info($unparsed_version=rec$user_agent, $host=client_ip, $software_type=s_type));
}
}
}


@ -41,41 +41,42 @@ export {
event zeek_init()
{
local r1: SumStats::Reducer = [$stream="ssh.login.failure", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=5];
SumStats::create([$name="detect-ssh-bruteforcing",
$epoch=guessing_timeout,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["ssh.login.failure"]$sum;
},
$threshold=password_guesses_limit,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["ssh.login.failure"];
local sub_msg = fmt("Sampled servers: ");
local samples = r$samples;
for ( i in samples )
{
if ( samples[i]?$str )
sub_msg = fmt("%s%s %s", sub_msg, i==0 ? "":",", samples[i]$str);
}
# Generate the notice.
NOTICE([$note=Password_Guessing,
$msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
$sub=sub_msg,
$src=key$host,
$identifier=cat(key$host)]);
}]);
local r1 = SumStats::Reducer($stream="ssh.login.failure", $apply=set(SumStats::SUM, SumStats::SAMPLE), $num_samples=5);
SumStats::create(SumStats::SumStat(
$name="detect-ssh-bruteforcing",
$epoch=guessing_timeout,
$reducers=set(r1),
$threshold_val(key: SumStats::Key, result: SumStats::Result) =
{
return result["ssh.login.failure"]$sum;
},
$threshold=password_guesses_limit,
$threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
{
local r = result["ssh.login.failure"];
local sub_msg = fmt("Sampled servers: ");
local samples = r$samples;
for ( i in samples )
{
if ( samples[i]?$str )
sub_msg = fmt("%s%s %s", sub_msg, i==0 ? "":",", samples[i]$str);
}
# Generate the notice.
NOTICE(Notice::Info($note=Password_Guessing,
$msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
$sub=sub_msg,
$src=key$host,
$identifier=cat(key$host)));
}));
}
event ssh_auth_successful(c: connection, auth_method_none: bool)
{
local id = c$id;
Intel::seen([$host=id$orig_h,
$conn=c,
$where=SSH::SUCCESSFUL_LOGIN]);
Intel::seen(Intel::Seen($host=id$orig_h,
$conn=c,
$where=SSH::SUCCESSFUL_LOGIN));
}
event ssh_auth_failed(c: connection)
@ -86,5 +87,5 @@ event ssh_auth_failed(c: connection)
# be ignored.
if ( ! (id$orig_h in ignore_guessers &&
id$resp_h in ignore_guessers[id$orig_h]) )
SumStats::observe("ssh.login.failure", [$host=id$orig_h], [$str=cat(id$resp_h)]);
SumStats::observe("ssh.login.failure", SumStats::Key($host=id$orig_h), SumStats::Observation($str=cat(id$resp_h)));
}
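Review bot: The new `SumStats::create(SumStats::SumStat(` line here puts `$name="detect-ssh-bruteforcing"` on its own continuation line, whereas the parallel FTP and HTTP SQLi hunks in this same commit keep `$name=` on the `SumStats::create(SumStats::SumStat($name=...` line; pick one layout for the sweep so the three bruteforce/SQLi scripts read alike. Either form is fine, but the mixed shape is the kind of inconsistency a mechanical refactor is the right moment to avoid. The `ssh_auth_failed` handler that the final `SumStats::observe(...)` hunk sits in starts outside the hunk.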


@ -40,11 +40,11 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3
if ( c$ssh$remote_location?$country_code && c$ssh$remote_location$country_code in watched_countries )
{
NOTICE([$note=Watched_Country_Login,
$conn=c,
$msg=fmt("SSH login %s watched country: %s",
(c$ssh$direction == OUTBOUND) ? "to" : "from",
c$ssh$remote_location$country_code)]);
NOTICE(Notice::Info($note=Watched_Country_Login,
$conn=c,
$msg=fmt("SSH login %s watched country: %s",
(c$ssh$direction == OUTBOUND) ? "to" : "from",
c$ssh$remote_location$country_code)));
}
}


@ -33,11 +33,11 @@ function check_ssh_hostname(id: conn_id, uid: string, host: addr)
{
if ( interesting_hostnames in hostname )
{
NOTICE([$note=Interesting_Hostname_Login,
$msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
Site::is_local_addr(host) ? "local" : "remote",
host == id$orig_h ? "client" : "server"),
$sub=hostname, $id=id, $uid=uid]);
NOTICE(Notice::Info($note=Interesting_Hostname_Login,
$msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
Site::is_local_addr(host) ? "local" : "remote",
host == id$orig_h ? "client" : "server"),
$sub=hostname, $id=id, $uid=uid));
}
}
}


@ -18,12 +18,12 @@ event ssh_client_version(c: connection, version: string) &priority=4
{
# Get rid of the protocol information when passing to the software framework.
local cleaned_version = sub(version, /^SSH[0-9\.\-]+/, "");
Software::found(c$id, [$unparsed_version=cleaned_version, $host=c$id$orig_h, $software_type=CLIENT]);
Software::found(c$id, Software::Info($unparsed_version=cleaned_version, $host=c$id$orig_h, $software_type=CLIENT));
}
event ssh_server_version(c: connection, version: string) &priority=4
{
# Get rid of the protocol information when passing to the software framework.
local cleaned_version = sub(version, /SSH[0-9\.\-]{2,}/, "");
Software::found(c$id, [$unparsed_version=cleaned_version, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER]);
Software::found(c$id, Software::Info($unparsed_version=cleaned_version, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=SERVER));
}


@ -74,7 +74,7 @@ event zeek_init()
if ( keylog_file != "" )
{
Input::add_table([$name=tls_decrypt_stream_name, $source=keylog_file, $destination=secrets, $idx=SecretsIdx, $val=SecretsVal, $want_record=F]);
Input::add_table(Input::TableDescription($name=tls_decrypt_stream_name, $source=keylog_file, $destination=secrets, $idx=SecretsIdx, $val=SecretsVal, $want_record=F));
Input::remove(tls_decrypt_stream_name);
}
}
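Review bot: The new `Input::add_table(Input::TableDescription(...))` call is immediately followed by `Input::remove(tls_decrypt_stream_name);` with no comment explaining the pairing, and a reader skimming the explicit constructor is likely to take the remove for a bug. I would add above the add_table line a comment along the lines of "One-shot load: the keylog is read into the secrets table once, then the input stream is torn down so the file is not re-read", which is the behaviour the existing code relies on and, as far as the hunk shows, presumably how the input framework handles an immediate remove (confirm). Because `keylog_file` holds TLS session secrets, a note that the file should be readable only by the Zeek process user would also help operators. The enclosing `zeek_init` body starts outside the hunk.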


@ -47,23 +47,23 @@ event ssl_established(c: connection) &priority=3
local hash = c$ssl$cert_chain[0]$sha1;
if ( cert$not_valid_before > network_time() )
NOTICE([$note=Certificate_Not_Valid_Yet,
$conn=c, $suppress_for=1day,
$msg=fmt("Certificate %s isn't valid until %T", cert$subject, cert$not_valid_before),
$identifier=cat(c$id$resp_h, c$id$resp_p, hash),
$fuid=fuid]);
NOTICE(Notice::Info($note=Certificate_Not_Valid_Yet,
$conn=c, $suppress_for=1day,
$msg=fmt("Certificate %s isn't valid until %T", cert$subject, cert$not_valid_before),
$identifier=cat(c$id$resp_h, c$id$resp_p, hash),
$fuid=fuid));
else if ( cert$not_valid_after < network_time() )
NOTICE([$note=Certificate_Expired,
$conn=c, $suppress_for=1day,
$msg=fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after),
$identifier=cat(c$id$resp_h, c$id$resp_p, hash),
$fuid=fuid]);
NOTICE(Notice::Info($note=Certificate_Expired,
$conn=c, $suppress_for=1day,
$msg=fmt("Certificate %s expired at %T", cert$subject, cert$not_valid_after),
$identifier=cat(c$id$resp_h, c$id$resp_p, hash),
$fuid=fuid));
else if ( cert$not_valid_after - notify_when_cert_expiring_in < network_time() )
NOTICE([$note=Certificate_Expires_Soon,
$msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, hash),
$fuid=fuid]);
NOTICE(Notice::Info($note=Certificate_Expires_Soon,
$msg=fmt("Certificate %s is going to expire at %T", cert$subject, cert$not_valid_after),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, hash),
$fuid=fuid));
}


@ -91,30 +91,30 @@ event ssl_heartbeat(c: connection, is_client: bool, length: count, heartbeat_typ
if ( payload_length > checklength )
{
c$ssl$heartbleed_detected = T;
NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack,
$msg=fmt("An TLS heartbleed attack was detected! Record length %d. Payload length %d", length, payload_length),
$conn=c,
$identifier=cat(c$uid, length, payload_length)
]);
NOTICE(Notice::Info($note=Heartbleed::SSL_Heartbeat_Attack,
$msg=fmt("An TLS heartbleed attack was detected! Record length %d. Payload length %d", length, payload_length),
$conn=c,
$identifier=cat(c$uid, length, payload_length)
));
}
else if ( is_client )
{
NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat request before encryption. Probable Scan without exploit attempt. Message length: %d. Payload length: %d", length, payload_length),
$conn=c,
$n=length,
$identifier=cat(c$uid, length)
]);
NOTICE(Notice::Info($note=Heartbleed::SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat request before encryption. Probable Scan without exploit attempt. Message length: %d. Payload length: %d", length, payload_length),
$conn=c,
$n=length,
$identifier=cat(c$uid, length)
));
}
}
if ( heartbeat_type == 2 && c$ssl$heartbleed_detected )
{
NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack_Success,
$msg=fmt("An TLS heartbleed attack detected before was probably exploited. Message length: %d. Payload length: %d", length, payload_length),
$conn=c,
$identifier=c$uid
]);
NOTICE(Notice::Info($note=Heartbleed::SSL_Heartbeat_Attack_Success,
$msg=fmt("An TLS heartbleed attack detected before was probably exploited. Message length: %d. Payload length: %d", length, payload_length),
$conn=c,
$identifier=c$uid
));
}
}
@ -128,43 +128,43 @@ event ssl_encrypted_heartbeat(c: connection, is_client: bool, length: count)
local duration = network_time() - c$start_time;
if ( c$ssl$enc_appdata_packages == 0 )
NOTICE([$note=SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_client: %d", length, is_client),
$conn=c,
$n=length,
$identifier=fmt("%s%s", c$uid, "early")
]);
NOTICE(Notice::Info($note=SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_client: %d", length, is_client),
$conn=c,
$n=length,
$identifier=fmt("%s%s", c$uid, "early")
));
else if ( duration < 1min )
NOTICE([$note=SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_client: %d, time: %s", length, is_client, duration),
$conn=c,
$n=length,
$identifier=fmt("%s%s", c$uid, "early")
]);
NOTICE(Notice::Info($note=SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_client: %d, time: %s", length, is_client, duration),
$conn=c,
$n=length,
$identifier=fmt("%s%s", c$uid, "early")
));
if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
NOTICE([$note=SSL_Heartbeat_Many_Requests,
$msg=fmt("More than 3 heartbeat requests without replies from server. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
$conn=c,
$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
]);
NOTICE(Notice::Info($note=SSL_Heartbeat_Many_Requests,
$msg=fmt("More than 3 heartbeat requests without replies from server. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
$conn=c,
$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
));
if ( c$ssl$responder_heartbeats > c$ssl$originator_heartbeats + 3 )
NOTICE([$note=SSL_Heartbeat_Many_Requests,
$msg=fmt("Server sending more heartbeat responses than requests seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
$conn=c,
$n=(c$ssl$responder_heartbeats-c$ssl$originator_heartbeats),
$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
]);
NOTICE(Notice::Info($note=SSL_Heartbeat_Many_Requests,
$msg=fmt("Server sending more heartbeat responses than requests seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
$conn=c,
$n=(c$ssl$responder_heartbeats-c$ssl$originator_heartbeats),
$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
));
if ( is_client && length < 19 )
NOTICE([$note=SSL_Heartbeat_Odd_Length,
$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack or scan. Message length: %d. Cipher: %s. Time: %f", length, c$ssl$cipher, duration),
$conn=c,
$n=length,
$identifier=fmt("%s-weak-%d", c$uid, length)
]);
NOTICE(Notice::Info($note=SSL_Heartbeat_Odd_Length,
$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack or scan. Message length: %d. Cipher: %s. Time: %f", length, c$ssl$cipher, duration),
$conn=c,
$n=length,
$identifier=fmt("%s-weak-%d", c$uid, length)
));
# Examine request lengths based on used cipher...
local min_length_choice: vector of min_length;
@ -179,12 +179,12 @@ event ssl_encrypted_heartbeat(c: connection, is_client: bool, length: count)
{
if ( length < min_length_choice[i]$min_length )
{
NOTICE([$note=SSL_Heartbeat_Odd_Length,
$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack. Message length: %d. Required length: %d. Cipher: %s. Cipher match: %s", length, min_length_choice[i]$min_length, c$ssl$cipher, min_length_choice[i]$cipher),
$conn=c,
$n=length,
$identifier=fmt("%s-weak-%d", c$uid, length)
]);
NOTICE(Notice::Info($note=SSL_Heartbeat_Odd_Length,
$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack. Message length: %d. Required length: %d. Cipher: %s. Cipher match: %s", length, min_length_choice[i]$min_length, c$ssl$cipher, min_length_choice[i]$cipher),
$conn=c,
$n=length,
$identifier=fmt("%s-weak-%d", c$uid, length)
));
}
break;
@ -207,12 +207,12 @@ event ssl_encrypted_heartbeat(c: connection, is_client: bool, length: count)
{
if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size < length )
{
NOTICE([$note=SSL_Heartbeat_Attack_Success,
$msg=fmt("An encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d. Time: %f",
c$ssl$last_originator_heartbeat_request_size, length, duration),
$conn=c,
$identifier=c$uid # only throw once per connection
]);
NOTICE(Notice::Info($note=SSL_Heartbeat_Attack_Success,
$msg=fmt("An encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d. Time: %f",
c$ssl$last_originator_heartbeat_request_size, length, duration),
$conn=c,
$identifier=c$uid # only throw once per connection
));
}
else if ( ! c$ssl?$last_originator_heartbeat_request_size )


@ -197,5 +197,5 @@ event ssl_established(c: connection) &priority=3
event zeek_init() &priority=5
{
Log::create_stream(Known::CERTS_LOG, [$columns=CertsInfo, $ev=log_known_certs, $path="known_certs", $policy=log_policy_certs]);
Log::create_stream(Known::CERTS_LOG, Log::Stream($columns=CertsInfo, $ev=log_known_certs, $path="known_certs", $policy=log_policy_certs));
}


@ -177,9 +177,9 @@ hook ssl_finishing(c: connection) &priority=20
if ( result$result_string != "ok" )
{
local message = fmt("SSL certificate validation failed with (%s)", c$ssl$validation_status);
NOTICE([$note=Invalid_Server_Cert, $msg=message,
$sub=c$ssl$cert_chain[0]$x509$certificate$subject, $conn=c,
$fuid=c$ssl$cert_chain[0]$fuid,
$identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_code)]);
NOTICE(Notice::Info($note=Invalid_Server_Cert, $msg=message,
$sub=c$ssl$cert_chain[0]$x509$certificate$subject, $conn=c,
$fuid=c$ssl$cert_chain[0]$fuid,
$identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_code)));
}
}
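Review bot: The new notice dereferences `c$ssl$cert_chain[0]$x509$certificate$subject` and `c$ssl$cert_chain[0]$fuid` without a visible check that the chain is non-empty and that its first element carries an `x509` record; if `ssl_finishing` does not guard that above the hunk, the weak-keys script's form `c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 && c$ssl$cert_chain[0]?$x509` would avoid a runtime error on a failed validation with no parsed certificate. As a point of style, `$identifier=cat(c$id$resp_h,c$id$resp_p,hash,c$ssl$validation_code)` is written without spaces after the commas while the same construct elsewhere in this commit uses `cat(c$id$resp_h, c$id$resp_p, hash, key_length)`; since the line is rewritten anyway, spacing it the same way keeps the style uniform. The enclosing hook `ssl_finishing` starts above the hunk.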


@ -68,8 +68,8 @@ event ssl_established(c: connection) &priority=3
if( result$result_string != "good" )
{
local message = fmt("OCSP response validation failed with (%s)", result$result_string);
NOTICE([$note=Invalid_Ocsp_Response, $msg=message,
$sub=c$ssl$subject, $conn=c,
$identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$ocsp_status)]);
NOTICE(Notice::Info($note=Invalid_Ocsp_Response, $msg=message,
$sub=c$ssl$subject, $conn=c,
$identifier=cat(c$id$resp_h,c$id$resp_p,c$ssl$ocsp_status)));
}
}
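Review bot: `$sub=c$ssl$subject` on the new line reads the subject unconditionally; if that field is optional and can be unset when an OCSP response fails validation, constructing the notice raises a runtime error before anything is reported. Guarding the read, e.g. `$sub=c$ssl?$subject ? c$ssl$subject : ""`, or only setting `$sub` when `c$ssl?$subject` holds, would keep the notice firing in that case; the field declaration is not visible from this hunk, so this needs confirming. The enclosing event handler `ssl_established` starts above the hunk.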


@ -68,13 +68,13 @@ event ssl_established(c: connection) &priority=3
local key_length = cert$key_length;
if ( key_length < notify_minimal_key_length )
NOTICE([$note=Weak_Key,
$msg=fmt("Host uses weak certificate with %d bit key", key_length),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, hash, key_length),
$sub=fmt("Subject: %s", cert$subject),
$file_desc=fmt("Fingerprint: %s", hash)
]);
NOTICE(Notice::Info($note=Weak_Key,
$msg=fmt("Host uses weak certificate with %d bit key", key_length),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, hash, key_length),
$sub=fmt("Subject: %s", cert$subject),
$file_desc=fmt("Fingerprint: %s", hash)
));
}
# Check for old SSL versions and weak connection keys
@ -87,19 +87,19 @@ event ssl_server_hello(c: connection, version: count, record_version: count, pos
{
local minimum_string = version_strings[tls_minimum_version];
local host_string = version_strings[version];
NOTICE([$note=Old_Version,
$msg=fmt("Host uses protocol version %s which is lower than the safe minimum %s", host_string, minimum_string),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p)
]);
NOTICE(Notice::Info($note=Old_Version,
$msg=fmt("Host uses protocol version %s which is lower than the safe minimum %s", host_string, minimum_string),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p)
));
}
if ( unsafe_ciphers_regex in c$ssl$cipher )
NOTICE([$note=Weak_Cipher,
$msg=fmt("Host established connection using unsafe cipher suite %s", c$ssl$cipher),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cipher)
]);
NOTICE(Notice::Info($note=Weak_Cipher,
$msg=fmt("Host established connection using unsafe cipher suite %s", c$ssl$cipher),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, c$ssl$cipher)
));
}
event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &priority=3
@ -110,11 +110,11 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &pri
local key_length = |p| * 8; # length of the used prime number in bits
if ( key_length < notify_minimal_key_length )
NOTICE([$note=Weak_Key,
$msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, key_length)
]);
NOTICE(Notice::Info($note=Weak_Key,
$msg=fmt("Host uses weak DH parameters with %d key bits", key_length),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p, key_length)
));
if ( notify_dh_length_shorter_cert_length &&
c?$ssl && c$ssl?$cert_chain && |c$ssl$cert_chain| > 0 && c$ssl$cert_chain[0]?$x509 &&
@ -124,11 +124,11 @@ event ssl_dh_server_params(c: connection, p: string, q: string, Ys: string) &pri
{
if ( c$ssl$cert_chain[0]$x509$certificate?$key_length &&
c$ssl$cert_chain[0]$x509$certificate$key_length > key_length )
NOTICE([$note=Weak_Key,
$msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p)
]);
NOTICE(Notice::Info($note=Weak_Key,
$msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits",
key_length, c$ssl$cert_chain[0]$x509$certificate$key_length),
$conn=c, $suppress_for=1day,
$identifier=cat(c$id$resp_h, c$id$resp_p)
));
}
}
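Review bot: The notice text on the new line `$msg=fmt("DH key length of %d bits is smaller certificate key length of %d bits", ...)` is missing a word; since the line is being rewritten anyway it should read `"DH key length of %d bits is smaller than certificate key length of %d bits"`. Separately, this Weak_Key notice uses `$identifier=cat(c$id$resp_h, c$id$resp_p)` while the earlier one in the same handler includes `key_length`; with `$suppress_for=1day` a server that switches to different but still undersized DH parameters stays suppressed for a day, which may be intended but deserves a comment such as `# identifier omits the key lengths on purpose: one notice per server and day`. The enclosing event handler `ssl_dh_server_params` starts outside this hunk (its header is context in the hunk above).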