Merge remote-tracking branch 'origin/master' into topic/dnthayer/doc-improvements

scripts/base/protocols/conn/main.bro

@@ -47,7 +47,7 @@ export {
 		## S2           Connection established and close attempt by originator seen (but no reply from responder).
 		## S3           Connection established and close attempt by responder seen (but no reply from originator).
 		## RSTO         Connection established, originator aborted (sent a RST).
-		## RSTR         Established, responder aborted.
+		## RSTR         Responder sent a RST.
 		## RSTOS0       Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.
 		## RSTRH        Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.
 		## SH           Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open).

scripts/base/protocols/dns/consts.bro

@@ -26,6 +26,7 @@ export {
 		[49] = "DHCID", [99] = "SPF", [100] = "DINFO", [101] = "UID",
 		[102] = "GID", [103] = "UNSPEC", [249] = "TKEY", [250] = "TSIG",
 		[251] = "IXFR", [252] = "AXFR", [253] = "MAILB", [254] = "MAILA",
+		[257] = "CAA",
 		[32768] = "TA", [32769] = "DLV",
 		[ANY] = "*",
 	} &default = function(n: count): string { return fmt("query-%d", n); };

scripts/base/protocols/ftp/main.bro

@@ -213,7 +213,7 @@ event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &prior
 		#       on a different file could be checked, but the file size will
 		#       be overwritten by the server response to the RETR command
 		#       if that's given as well which would be more correct.
-		c$ftp$file_size = extract_count(msg);
+		c$ftp$file_size = extract_count(msg, F);
 		}
 
 	# PASV and EPSV processing

scripts/base/protocols/http/main.bro

@@ -41,6 +41,8 @@ export {
 		## misspelled like the standard declares, but the name used here
 		## is "referrer" spelled correctly.
 		referrer:                string    &log &optional;
+		## Value of the version portion of the request.
+		version:		string	   &log &optional;
 		## Value of the User-Agent header from the client.
 		user_agent:              string    &log &optional;
 		## Actual uncompressed content size of the data transferred from
@@ -222,6 +224,8 @@ event http_reply(c: connection, version: string, code: count, reason: string) &p
 
 	c$http$status_code = code;
 	c$http$status_msg = reason;
+	c$http$version = version;
+
 	if ( code_in_range(code, 100, 199) )
 		{
 		c$http$info_code = code;

scripts/base/protocols/imap/README

@@ -0,0 +1,5 @@
+Support for the Internet Message Access Protocol (IMAP).
+
+Note that currently the IMAP analyzer only supports analyzing IMAP sessions
+until they do or do not switch to TLS using StartTLS. Hence, we do not get
+mails from IMAP sessions, only X509 certificates.

scripts/base/protocols/imap/__load__.bro

@@ -0,0 +1,2 @@
+@load ./main
+

scripts/base/protocols/imap/main.bro

@@ -0,0 +1,11 @@
+
+module IMAP;
+
+const ports = { 143/tcp };
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, ports);
+	}
+

scripts/base/protocols/rfb/README

@@ -0,0 +1 @@
+Support for Remote FrameBuffer analysis.  This includes all VNC servers.

scripts/base/protocols/rfb/__load__.bro

@@ -0,0 +1,3 @@
+# Generated by binpac_quickstart
+@load ./main
+@load-sigs ./dpd.sig

scripts/base/protocols/rfb/dpd.sig

@@ -0,0 +1,12 @@
+signature dpd_rfb_server {
+	ip-proto == tcp
+	payload /^RFB/
+	requires-reverse-signature dpd_rfb_client
+	enable "rfb"
+}
+
+signature dpd_rfb_client {
+	ip-proto == tcp
+	payload /^RFB/
+	tcp-state originator
+}

scripts/base/protocols/rfb/main.bro

@@ -0,0 +1,164 @@
+module RFB;
+
+export {
+	redef enum Log::ID += { LOG };
+
+	type Info: record {
+		## Timestamp for when the event happened.
+		ts:     time    &log;
+		## Unique ID for the connection.
+		uid:    string  &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id:     conn_id &log;
+
+		## Major version of the client.
+		client_major_version: string &log &optional;
+		## Minor version of the client.
+		client_minor_version: string &log &optional;
+		## Major version of the server.
+		server_major_version: string &log &optional;
+		## Major version of the client.
+		server_minor_version: string &log &optional;
+
+		## Identifier of authentication method used.
+		authentication_method: string &log &optional;
+		## Whether or not authentication was succesful.
+		auth: bool &log &optional;
+
+		## Whether the client has an exclusive or a shared session.
+		share_flag: bool &log &optional;
+		## Name of the screen that is being shared.
+		desktop_name: string &log &optional;
+		## Width of the screen that is being shared.
+		width: count &log &optional;
+		## Height of the screen that is being shared.
+		height: count &log &optional;
+
+		## Internally used value to determine if this connection
+		## has already been logged.
+		done: bool  &default=F;
+	};
+
+	global log_rfb: event(rec: Info);
+}
+
+function friendly_auth_name(auth: count): string
+	{
+	switch (auth) {
+		case 0:
+			return "Invalid";
+		case 1:
+			return "None";
+		case 2:
+			return "VNC";
+		case 16:
+			return "Tight";
+		case 17:
+			return "Ultra";
+		case 18:
+			return "TLS";
+		case 19:
+			return "VeNCrypt";
+		case 20:
+			return "GTK-VNC SASL";
+		case 21:
+			return "MD5 hash authentication";
+		case 22:
+			return "Colin Dean xvp";
+		case 30:
+			return "Apple Remote Desktop";
+	}
+	return "RealVNC";
+}
+
+redef record connection += {
+	rfb: Info &optional;
+};
+
+event bro_init() &priority=5
+	{
+	Log::create_stream(RFB::LOG, [$columns=Info, $ev=log_rfb, $path="rfb"]);
+	}
+
+function write_log(c:connection)
+	{
+	local state = c$rfb;
+	if ( state$done )
+		{
+		return;
+		}
+
+	Log::write(RFB::LOG, c$rfb);
+	c$rfb$done = T;
+	}
+
+function set_session(c: connection)
+	{
+	if ( ! c?$rfb )
+		{
+		local info: Info;
+		info$ts  = network_time();
+		info$uid = c$uid;
+		info$id  = c$id;
+
+		c$rfb = info;
+		}
+	}
+
+event rfb_event(c: connection) &priority=5
+	{
+	set_session(c);
+	}
+
+event rfb_client_version(c: connection, major_version: string, minor_version: string) &priority=5
+	{
+	set_session(c);
+	c$rfb$client_major_version = major_version;
+	c$rfb$client_minor_version = minor_version;
+	}
+
+event rfb_server_version(c: connection, major_version: string, minor_version: string) &priority=5
+	{
+	set_session(c);
+	c$rfb$server_major_version = major_version;
+	c$rfb$server_minor_version = minor_version;
+	}
+
+event rfb_authentication_type(c: connection, authtype: count) &priority=5
+	{
+	set_session(c);
+
+	c$rfb$authentication_method = friendly_auth_name(authtype);
+	}
+
+event rfb_server_parameters(c: connection, name: string, width: count, height: count) &priority=5
+	{
+	set_session(c);
+
+	c$rfb$desktop_name = name;
+	c$rfb$width = width;
+	c$rfb$height = height;
+	}
+
+event rfb_server_parameters(c: connection, name: string, width: count, height: count) &priority=-5
+	{
+	write_log(c);
+	}
+
+event rfb_auth_result(c: connection, result: bool) &priority=5
+	{
+	c$rfb$auth = !result;
+	}
+
+event rfb_share_flag(c: connection, flag: bool) &priority=5
+	{
+	c$rfb$share_flag = flag;
+	}
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c?$rfb )
+		{
+		write_log(c);
+		}
+	}

scripts/base/protocols/sip/main.bro

@@ -80,7 +80,7 @@ export {
 	## that the SIP analyzer will only accept methods consisting solely
 	## of letters ``[A-Za-z]``.
 	const sip_methods: set[string] = {
-		"REGISTER", "INVITE", "ACK", "CANCEL", "BYE", "OPTIONS"
+		"REGISTER", "INVITE", "ACK", "CANCEL", "BYE", "OPTIONS", "NOTIFY", "SUBSCRIBE"
 	} &redef;
 
 	## Event that can be handled to access the SIP record as it is sent on
@@ -153,7 +153,7 @@ function flush_pending(c: connection)
 			# We don't use pending elements at index 0.
 			if ( r == 0 )
 				next;
-			
+
 			Log::write(SIP::LOG, c$sip_state$pending[r]);
 			}
 		}

scripts/base/protocols/ssh/main.bro

@@ -46,11 +46,10 @@ export {
 	## authentication success or failure when compression is enabled.
 	const compression_algorithms = set("zlib", "zlib@openssh.com") &redef;
 
-	## If true, we tell the event engine to not look at further data
-	## packets after the initial SSH handshake. Helps with performance
-	## (especially with large file transfers) but precludes some
-	## kinds of analyses. Defaults to T.
-	const skip_processing_after_detection = T &redef;
+	## If true, after detection detach the SSH analyzer from the connection
+	## to prevent continuing to process encrypted traffic. Helps with performance
+	## (especially with large file transfers).
+	const disable_analyzer_after_detection = T &redef;
 
 	## Event that can be handled to access the SSH record as it is sent on
 	## to the logging framework.
@@ -70,6 +69,8 @@ redef record Info += {
 	# Store capabilities from the first host for
 	# comparison with the second (internal use)
 	capabilities: Capabilities &optional;
+	## Analzyer ID
+	analyzer_id: count         &optional;
 };
 
 redef record connection += {
@@ -130,11 +131,8 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
 
 	c$ssh$auth_success = T;
 
-	if ( skip_processing_after_detection)
-		{
-		skip_further_processing(c$id);
-		set_record_packets(c$id, F);
-		}
+	if ( disable_analyzer_after_detection )
+		disable_analyzer(c$id, c$ssh$analyzer_id);
 	}
 
 event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5
@@ -179,7 +177,7 @@ function find_bidirectional_alg(client_prefs: Algorithm_Prefs, server_prefs: Alg
 	# Usually these are the same, but if they're not, return the details
 	return c_to_s == s_to_c ? c_to_s : fmt("To server: %s, to client: %s", c_to_s, s_to_c);
 	}
-	
+
 event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities)
 	{
 	if ( !c?$ssh || ( c$ssh?$capabilities && c$ssh$capabilities$is_server == capabilities$is_server ) )
@@ -233,3 +231,12 @@ event ssh2_server_host_key(c: connection, key: string) &priority=5
 	{
 	generate_fingerprint(c, key);
 	}
+
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
+	{
+		if ( atype == Analyzer::ANALYZER_SSH )
+		{
+		set_session(c);
+		c$ssh$analyzer_id = aid;
+		}
+	}

scripts/base/protocols/ssl/consts.bro

@@ -109,7 +109,7 @@ export {
 		[7] = "client_authz",
 		[8] = "server_authz",
 		[9] = "cert_type",
-		[10] = "elliptic_curves",
+		[10] = "elliptic_curves", # new name: supported_groups - draft-ietf-tls-negotiated-ff-dhe
 		[11] = "ec_point_formats",
 		[12] = "srp",
 		[13] = "signature_algorithms",
@@ -120,9 +120,10 @@ export {
 		[18] = "signed_certificate_timestamp",
 		[19] = "client_certificate_type",
 		[20] = "server_certificate_type",
-		[21] = "padding", # temporary till 2016-03-12
+		[21] = "padding",
 		[22] = "encrypt_then_mac",
 		[23] = "extended_master_secret",
+		[24] = "token_binding", # temporary till 2017-02-04 - draft-ietf-tokbind-negotiation
 		[35] = "SessionTicket TLS",
 		[40] = "extended_random",
 		[13172] = "next_protocol_negotiation",
@@ -165,7 +166,10 @@ export {
 		[26] = "brainpoolP256r1",
 		[27] = "brainpoolP384r1",
 		[28] = "brainpoolP512r1",
-		# draft-ietf-tls-negotiated-ff-dhe-05
+		# Temporary till 2017-03-01 - draft-ietf-tls-rfc4492bis
+		[29] = "ecdh_x25519",
+		[30] = "ecdh_x448",
+		# draft-ietf-tls-negotiated-ff-dhe-10
 		[256] = "ffdhe2048",
 		[257] = "ffdhe3072",
 		[258] = "ffdhe4096",