Correctly handle DNS lookups for software version ranges.
This commit is contained in:
parent
ff3ec04f32
commit
e974950c6d
2 changed files with 20 additions and 21 deletions
|
@ -21,7 +21,9 @@ export {
|
||||||
min: Software::Version &optional;
|
min: Software::Version &optional;
|
||||||
## The maximum vulnerable version. This field is deliberately
|
## The maximum vulnerable version. This field is deliberately
|
||||||
## not optional because a maximum vulnerable version must
|
## not optional because a maximum vulnerable version must
|
||||||
## always be defined.
|
## always be defined. This assumption may become incorrent
|
||||||
|
## if all future versions of some software are to be considered
|
||||||
|
## vulnerable. :)
|
||||||
max: Software::Version;
|
max: Software::Version;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -36,13 +38,15 @@ export {
|
||||||
## This is a table of software versions indexed by the name of the
|
## This is a table of software versions indexed by the name of the
|
||||||
## software and a set of version ranges that are declared to be
|
## software and a set of version ranges that are declared to be
|
||||||
## vulnerable for that software.
|
## vulnerable for that software.
|
||||||
const vulnerable_versions: table[string] of set[VulnerableVersionRange] &redef;
|
const vulnerable_versions: table[string] of set[VulnerableVersionRange] = table() &redef;
|
||||||
}
|
}
|
||||||
|
|
||||||
global internal_vulnerable_versions: table[string] of set[VulnerableVersionRange] = table();
|
global internal_vulnerable_versions: table[string] of set[VulnerableVersionRange] = table();
|
||||||
|
|
||||||
event Control::configuration_update()
|
event Control::configuration_update()
|
||||||
{
|
{
|
||||||
|
internal_vulnerable_versions = table();
|
||||||
|
|
||||||
# Copy the const vulnerable versions into the global modifiable one.
|
# Copy the const vulnerable versions into the global modifiable one.
|
||||||
for ( sw in vulnerable_versions )
|
for ( sw in vulnerable_versions )
|
||||||
internal_vulnerable_versions[sw] = vulnerable_versions[sw];
|
internal_vulnerable_versions[sw] = vulnerable_versions[sw];
|
||||||
|
@ -90,28 +94,30 @@ event grab_vulnerable_versions(i: count)
|
||||||
when ( local result = lookup_hostname_txt(cat(i,".",vulnerable_versions_update_endpoint)) )
|
when ( local result = lookup_hostname_txt(cat(i,".",vulnerable_versions_update_endpoint)) )
|
||||||
{
|
{
|
||||||
local parts = split1(result, /\x09/);
|
local parts = split1(result, /\x09/);
|
||||||
if ( |parts| != 2 )
|
if ( |parts| != 2 ) #failure or end of list!
|
||||||
return; #failure!
|
{
|
||||||
|
schedule vulnerable_versions_update_interval { grab_vulnerable_versions(1) };
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
local sw = parts[1];
|
local sw = parts[1];
|
||||||
local vvr = decode_vulnerable_version_range(parts[2]);
|
local vvr = decode_vulnerable_version_range(parts[2]);
|
||||||
|
if ( sw !in internal_vulnerable_versions )
|
||||||
|
internal_vulnerable_versions[sw] = set();
|
||||||
add internal_vulnerable_versions[sw][vvr];
|
add internal_vulnerable_versions[sw][vvr];
|
||||||
|
|
||||||
# TODO: deal with the lookup timing out or otherwise failing.
|
|
||||||
# maybe keep a "last lookup" time with an event scheduled to
|
|
||||||
# make sure that nothing's failing occassionally.
|
|
||||||
if ( sw == "" )
|
|
||||||
schedule vulnerable_versions_update_interval { grab_vulnerable_versions(1) };
|
|
||||||
else
|
|
||||||
event grab_vulnerable_versions(i+1);
|
event grab_vulnerable_versions(i+1);
|
||||||
}
|
}
|
||||||
|
timeout 5secs
|
||||||
|
{
|
||||||
|
# In case a lookup fails, try starting over in one minute.
|
||||||
|
schedule 1min { grab_vulnerable_versions(1) };
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
event bro_init()
|
event bro_init()
|
||||||
{
|
{
|
||||||
event grab_vulnerable_versions(1);
|
event grab_vulnerable_versions(1);
|
||||||
|
|
||||||
#print decode_vulnerable_version_range("min=6.1 max=6.9.3.a");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
event log_software(rec: Info)
|
event log_software(rec: Info)
|
||||||
|
|
|
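Review bot: In grab_vulnerable_versions (third hunk, whose opening lies before the hunk) nothing bounds the walk: `event grab_vulnerable_versions(i+1)` keeps going until a TXT record fails to split into two tab-separated fields, so whoever answers for `vulnerable_versions_update_endpoint` decides how many lookups are issued and how large `internal_vulnerable_versions` grows; a cap checked before the lookup, e.g. `if ( i > max_vulnerable_version_entries ) return;` with that constant added to the export block (name constructed here), would close that. In the second hunk, `internal_vulnerable_versions[sw] = vulnerable_versions[sw];` appears to share the set rather than copy it (Bro assigns tables and sets by reference, as far as I recall), so the later `add internal_vulnerable_versions[sw][vvr]` would also mutate the `&redef` const; `internal_vulnerable_versions[sw] = copy(vulnerable_versions[sw]);` would match the "Copy" comment above it. The same handler now resets the table and so drops every DNS-fetched entry without re-triggering `grab_vulnerable_versions(1)`, leaving only the static list until the next update interval; the body of Control::configuration_update continues past the hunk. In the first hunk the new comment text reads "incorrent"; it should be "incorrect".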
@ -14,13 +14,6 @@
|
||||||
# information.
|
# information.
|
||||||
@load frameworks/software/vulnerable
|
@load frameworks/software/vulnerable
|
||||||
|
|
||||||
# Example vulnerable software. This needs to be updated and maintained over
|
|
||||||
# time as new vulnerabilities are discovered.
|
|
||||||
redef Software::vulnerable_versions += {
|
|
||||||
["Flash"] = [$major=10,$minor=2,$minor2=153,$addl="1"],
|
|
||||||
["Java"] = [$major=1,$minor=6,$minor2=0,$addl="22"],
|
|
||||||
};
|
|
||||||
|
|
||||||
# Detect software changing (e.g. attacker installing hacked SSHD).
|
# Detect software changing (e.g. attacker installing hacked SSHD).
|
||||||
@load frameworks/software/version-changes
|
@load frameworks/software/version-changes
|
||||||
|
|
||||||
|
|