Merge remote-tracking branch 'origin/master' into topic/seth/smb

2025-10-11 02:58:20 +00:00 · 2016-05-20 14:28:39 -04:00 · 2016-05-20 14:28:39 -04:00 · e2fb7591f4
commit e2fb7591f4
parent eed26c3f5f 85213e6b55
296 changed files with 5297 additions and 2700 deletions
--- a/scripts/base/protocols/dns/consts.bro
+++ b/scripts/base/protocols/dns/consts.bro
@ -26,6 +26,7 @@ export {
 		[49] = "DHCID", [99] = "SPF", [100] = "DINFO", [101] = "UID",
 		[102] = "GID", [103] = "UNSPEC", [249] = "TKEY", [250] = "TSIG",
 		[251] = "IXFR", [252] = "AXFR", [253] = "MAILB", [254] = "MAILA",
+		[257] = "CAA",
 		[32768] = "TA", [32769] = "DLV",
 		[ANY] = "*",
 	} &default = function(n: count): string { return fmt("query-%d", n); };
--- a/scripts/base/protocols/dns/main.bro
+++ b/scripts/base/protocols/dns/main.bro
@ -52,7 +52,7 @@ export {
 		## The Recursion Available bit in a response message indicates
 		## that the name server supports recursive queries.
 		RA:            bool               &log &default=F;
-		## A reserved field that is currently supposed to be zero in all
+		## A reserved field that is usually zero in
 		## queries and responses.
 		Z:             count              &log &default=0;
 		## The set of resource descriptions in the query answer.
--- a/scripts/base/protocols/http/main.bro
+++ b/scripts/base/protocols/http/main.bro
@ -21,6 +21,7 @@ export {
 	## not.
 	const default_capture_password = F &redef;

+	## The record type which contains the fields of the HTTP log.
 	type Info: record {
 		## Timestamp for when the request happened.
 		ts:                      time      &log;
--- a/scripts/base/protocols/imap/README
+++ b/scripts/base/protocols/imap/README
@ -0,0 +1,5 @@
+Support for the Internet Message Access Protocol (IMAP).
+
+Note that currently the IMAP analyzer only supports analyzing IMAP sessions
+until they do or do not switch to TLS using StartTLS. Hence, we do not get
+mails from IMAP sessions, only X509 certificates.
--- a/scripts/base/protocols/imap/load.bro
+++ b/scripts/base/protocols/imap/load.bro
@ -0,0 +1,2 @@
+@load ./main
+
--- a/scripts/base/protocols/imap/main.bro
+++ b/scripts/base/protocols/imap/main.bro
@ -0,0 +1,11 @@
+
+module IMAP;
+
+const ports = { 143/tcp };
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, ports);
+	}
+
--- a/scripts/base/protocols/rfb/main.bro
+++ b/scripts/base/protocols/rfb/main.bro
@ -3,6 +3,7 @@ module RFB;
 export {
 	redef enum Log::ID += { LOG };

+	## The record type which contains the fields of the RFB log.
 	type Info: record {
 		## Timestamp for when the event happened.
 		ts:     time    &log;
--- a/scripts/base/protocols/sip/main.bro
+++ b/scripts/base/protocols/sip/main.bro
@ -10,6 +10,7 @@ module SIP;
 export {
 	redef enum Log::ID += { LOG };

+	## The record type which contains the fields of the SIP log.
 	type Info: record {
 		## Timestamp for when the request happened.
 		ts:                      time              &log;
--- a/scripts/base/protocols/smtp/main.bro
+++ b/scripts/base/protocols/smtp/main.bro
@ -7,6 +7,7 @@ module SMTP;
 export {
 	redef enum Log::ID += { LOG };

+	## The record type which contains the fields of the SMTP log.
 	type Info: record {
 		## Time when the message was first seen.
 		ts:                time            &log;
--- a/scripts/base/protocols/socks/main.bro
+++ b/scripts/base/protocols/socks/main.bro
@ -6,6 +6,7 @@ module SOCKS;
 export {
 	redef enum Log::ID += { LOG };

+	## The record type which contains the fields of the SOCKS log.
 	type Info: record {
 		## Time when the proxy connection was first detected.
 		ts:          time            &log;
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@ -8,6 +8,7 @@ export {
 	## The SSH protocol logging stream identifier.
 	redef enum Log::ID += { LOG };

+	## The record type which contains the fields of the SSH log.
 	type Info: record {
 		## Time when the SSH connection began.
 		ts:              time         &log;
--- a/scripts/base/protocols/ssl/main.bro
+++ b/scripts/base/protocols/ssl/main.bro
@ -8,6 +8,7 @@ module SSL;
 export {
 	redef enum Log::ID += { LOG };

+	## The record type which contains the fields of the SSL log.
 	type Info: record {
 		## Time when the SSL connection was first detected.
 		ts:               time             &log;
--- a/scripts/base/protocols/syslog/main.bro
+++ b/scripts/base/protocols/syslog/main.bro
@ -7,7 +7,8 @@ module Syslog;

 export {
 	redef enum Log::ID += { LOG };
-	
+
+	## The record type which contains the fields of the syslog log.
 	type Info: record {
 		## Timestamp when the syslog message was seen.
 		ts:        time            &log;
--- a/scripts/base/protocols/xmpp/README
+++ b/scripts/base/protocols/xmpp/README
@ -0,0 +1,5 @@
+Support for the Extensible Messaging and Presence Protocol (XMPP).
+
+Note that currently the XMPP analyzer only supports analyzing XMPP sessions
+until they do or do not switch to TLS using StartTLS. Hence, we do not get
+actual chat information from XMPP sessions, only X509 certificates.
--- a/scripts/base/protocols/xmpp/load.bro
+++ b/scripts/base/protocols/xmpp/load.bro
@ -0,0 +1,3 @@
+@load ./main
+
+@load-sigs ./dpd.sig
--- a/scripts/base/protocols/xmpp/dpd.sig
+++ b/scripts/base/protocols/xmpp/dpd.sig
@ -0,0 +1,5 @@
+signature dpd_xmpp {
+	ip-proto == tcp
+	payload /^(<\?xml[^?>]*\?>)?[\n\r ]*<stream:stream [^>]*xmlns='jabber:/
+	enable "xmpp"
+}
--- a/scripts/base/protocols/xmpp/main.bro
+++ b/scripts/base/protocols/xmpp/main.bro
@ -0,0 +1,11 @@
+
+module XMPP;
+
+const ports = { 5222/tcp, 5269/tcp };
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, ports);
+	}
+