From f13cf830eafde80a9b078b83c58a2c37c9558320 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Tue, 14 Jun 2011 13:39:50 -0400
Subject: [PATCH] Updates to several things that are loosely linked together.

- Changed enum values to determine hosts and directions.
- Fixed a bug in detecting mail clients.
- Fixed a couple of problems with vulnerable software detection.
- New variable "Software::asset_tracking" for determining which software to track.
---
 policy/frameworks/software/base.bro | 4 +--
 policy/frameworks/software/vulnerable.bro | 10 +++---
 policy/protocols/conn/known-hosts.bro | 43 +++++++++++++----------
 policy/protocols/conn/known-services.bro | 2 +-
 policy/protocols/smtp/base.bro | 4 +--
 policy/protocols/smtp/software.bro | 7 ++--
 6 files changed, 37 insertions(+), 33 deletions(-)

diff --git a/policy/frameworks/software/base.bro b/policy/frameworks/software/base.bro
index 964651837c..5e0d7c705c 100644
--- a/policy/frameworks/software/base.bro
+++ b/policy/frameworks/software/base.bro
@@ -65,7 +65,7 @@ export {
 ## The hosts whose software should be detected and tracked.
 ## Choices are: LocalHosts, RemoteHosts, Enabled, Disabled
- const logging = Enabled &redef;
+ const asset_tracking=AllHosts &redef;
 ## Some software is more interesting when the version changes and this
 ## a set of all software that should raise a notice when a different
@@ -408,7 +408,7 @@ event software_register(id: conn_id, info: Info)
 function found(id: conn_id, info: Info): bool
 {
- if ( info$force_log || addr_matches_hosts(info$host, logging) )
+ if ( info$force_log || addr_matches_hosts(info$host, asset_tracking) )
 {
 event software_register(id, info);
 return T;
diff --git a/policy/frameworks/software/vulnerable.bro b/policy/frameworks/software/vulnerable.bro
index e683620a06..4b86ae8d29 100644
--- a/policy/frameworks/software/vulnerable.bro
+++ b/policy/frameworks/software/vulnerable.bro
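Review bot: The doc comment kept above the renamed constant still lists `Enabled` as a valid choice while the new default is `AllHosts`, and the smtp/base.bro hunk in this same commit rewrites its own choice list from `Enabled` to `AllHosts`, so this one looks stale; the line should read `## Choices are: LocalHosts, RemoteHosts, AllHosts, Disabled`. The same stale choice list is carried into the known-hosts.bro export hunk. Renaming the redef-able `logging` to `asset_tracking` also silently breaks any site config that does `redef Software::logging = ...`, which is worth calling out in the commit message. Minor style: `asset_tracking=AllHosts` drops the spaces around `=` that every other `const` in these hunks uses.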
@@ -3,11 +3,11 @@ module Software;
-redef enum Notice::Type += {
- Vulnerable_Version,
-};
-
 export {
+ redef enum Notice::Type += {
+ Vulnerable_Version,
+ };
+
 ## This is a table of software versions indexed by the name of the
 ## software and yielding the latest version that is vulnerable.
 const vulnerable_versions: table[string] of Version &redef;
@@ -23,6 +23,6 @@ event log_software(rec: Info)
 if ( rec$name in vulnerable_versions &&
 cmp_versions(rec$version, vulnerable_versions[rec$name]) <= 0 )
 {
- NOTICE([$note=Vulnerable_Version, $relevant_host=rec$host, $msg=software_fmt(rec)]);
+ NOTICE([$note=Vulnerable_Version, $src=rec$host, $msg=software_fmt(rec)]);
 }
 }
\ No newline at end of file
diff --git a/policy/protocols/conn/known-hosts.bro b/policy/protocols/conn/known-hosts.bro
index a02a058f2b..7e20293e93 100644
--- a/policy/protocols/conn/known-hosts.bro
+++ b/policy/protocols/conn/known-hosts.bro
@@ -1,3 +1,8 @@
+##! This script logs hosts that Bro determines have performed complete TCP
+##! handshakes and logs the address once per day (by default). The log that
+##! output provides an easy way to determine a count of the IP addresses in
+##! use on a network per day.
+
 @load utils/directions-and-hosts
 module KnownHosts;
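Review bot: The file still has no trailing newline (the `\ No newline at end of file` marker survives this edit), which will show up as a spurious change in the next diff that touches the last line; worth fixing while this line is being edited anyway. Separately, the notice is raised on every matching `log_software` event, so if the Software framework can log the same host/software pair more than once (its dedup logic is not visible here) the same `Vulnerable_Version` notice repeats with nothing to key suppression on; if the Notice framework in this tree supports it, an `$identifier` built from `rec$host` and `rec$name` would let it collapse repeats.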
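Review bot: The new header comment reads `The log that output provides an easy way ...`, which is ungrammatical; `The resulting log provides an easy way to determine ...` is what is meant. The first sentence also says `logs hosts ... and logs the address`, which could be tightened to `##! This script logs the address of each host that Bro determines has completed a TCP handshake, once per day by default.`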
@@ -6,21 +11,23 @@ redef enum Log::ID += { KNOWN_HOSTS };
 export {
 type Log: record {
+ ## The timestamp at which the host was detected.
 ts: time &log;
- address: addr &log;
+ ## The address that was detected originating or responding to a TCP
+ ## connection.
+ host: addr &log;
 };
- # The hosts whose existence should be logged.
- # Choices are: LocalHosts, RemoteHosts, Enabled, Disabled
- const logging = Enabled &redef;
+ ## The hosts whose existence should be logged.
+ ## Choices are: LocalHosts, RemoteHosts, Enabled, Disabled
+ const logging = LocalHosts &redef;
- # In case you are interested in more than logging just local assets
- # you can split the log file.
- #const split_log_file = F &redef;
-
- # Maintain the list of known hosts for 24 hours so that the existence
- # of each individual address is logged each day.
- global known_hosts: set[addr] &create_expire=1day &synchronized;
+ ## The set of all known addresses to store for preventing duplicate
+ ## logging of addresses. It can also be used from other scripts to
+ ## inspect if an address has been seen in use.
+ ## Maintain the list of known hosts for 24 hours so that the existence
+ ## of each individual address is logged each day.
+ global known_hosts: set[addr] &create_expire=1day &synchronized &redef;
 global log_known_hosts: event(rec: Log);
 }
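Review bot: The default for `logging` changes from `Enabled` to `LocalHosts` here, which is a behaviour change (presumably endpoints outside the local networks stop appearing in the log) that the commit message does not mention and that sites relying on the old default will not notice; if intentional, say so in the message and in the doc comment. Renaming the log field `address` to `host` likewise changes the column name of the known_hosts log for every downstream consumer. The five-line doc block on `known_hosts` mixes what the set is for with why `&create_expire=1day` is set; splitting the last two sentences into their own paragraph, e.g. `## Entries expire after 24 hours so that each address is logged once per day.`, would read more clearly.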
@@ -34,14 +41,12 @@ event connection_established(c: connection) &priority=5
 {
 local id = c$id;
- if ( id$orig_h !in known_hosts && addr_matches_hosts(id$orig_h, logging) )
+ for ( host in set(id$orig_h, id$resp_h) )
 {
- add known_hosts[id$orig_h];
- Log::write(KNOWN_HOSTS, [$ts=network_time(), $address=id$orig_h]);
- }
- if ( id$resp_h !in known_hosts && addr_matches_hosts(id$resp_h, logging) )
- {
- add known_hosts[id$resp_h];
- Log::write(KNOWN_HOSTS, [$ts=network_time(), $address=id$resp_h]);
+ if ( host !in known_hosts && addr_matches_hosts(host, logging) )
+ {
+ add known_hosts[host];
+ Log::write(KNOWN_HOSTS, [$ts=network_time(), $address=host]);
+ }
 }
 }
diff --git a/policy/protocols/conn/known-services.bro b/policy/protocols/conn/known-services.bro
index daec166f8b..51382b4a84 100644
--- a/policy/protocols/conn/known-services.bro
+++ b/policy/protocols/conn/known-services.bro
@@ -24,7 +24,7 @@ export {
 };
 # The hosts whose services should be logged.
- const logged_hosts = Enabled &redef;
+ const logged_hosts = AllHosts &redef;
 global known_services: set[addr, port] &create_expire=1day &synchronized;
diff --git a/policy/protocols/smtp/base.bro b/policy/protocols/smtp/base.bro
index 7a6129934e..70f059f7f0 100644
--- a/policy/protocols/smtp/base.bro
+++ b/policy/protocols/smtp/base.bro
@@ -66,9 +66,9 @@ export {
 ## Direction to capture the full "Received from" path.
 ## RemoteHosts - only capture the path until an internal host is found.
 ## LocalHosts - only capture the path until the external host is discovered.
- ## Enabled - always capture the entire path.
+ ## AllHosts - always capture the entire path.
 ## Disabled - never capture the path.
- const mail_path_capture = Enabled &redef;
+ const mail_path_capture = AllHosts &redef;
 global log_smtp: event(rec: Info);
 }
diff --git a/policy/protocols/smtp/software.bro b/policy/protocols/smtp/software.bro
index 4ffef92a67..53080b657d 100644
--- a/policy/protocols/smtp/software.bro
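Review bot: `Log::write(KNOWN_HOSTS, [$ts=network_time(), $address=host])` still initializes a field named `address`, but the export hunk of this same file renames the `Log` record field to `host`, so the record constructor no longer matches the record type and the script should fail to load; the line should be `Log::write(KNOWN_HOSTS, [$ts=network_time(), $host=host]);`. The loop over `set(id$orig_h, id$resp_h)` is otherwise a clean dedup of the two copy-pasted branches.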
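Review bot: The three host-selection knobs now carry three different names and comment styles across these files (`Software::asset_tracking`, `KnownHosts::logging`, `KnownServices::logged_hosts`), and this one's comment is the only one that does not list the accepted values; for consistency with the others, make it a `##` doc comment and add `## Choices are: LocalHosts, RemoteHosts, AllHosts, Disabled` above the `const`.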
+++ b/policy/protocols/smtp/software.bro
@@ -43,7 +43,6 @@ export {
 | /^SquirrelMail/
 | /^NeoMail/
 | /ZimbraWebClient/ &redef;
-
 }
 event smtp_data(c: connection, is_orig: bool, data: string) &priority=4
@@ -66,8 +65,8 @@ event log_smtp(rec: Info)
 {
 s_type = WEBMAIL;
 # If the earliest received header indicates that the connection
- # was via HTTP, then that means the actual mail software is installed
- # on the second value in the path.
+ # was via HTTP, then that likely means the actual mail software
+ # is installed on the second address in the path.
 if ( rec?$first_received && /via HTTP/ in rec$first_received )
 client_ip = rec$path[|rec$path|-2];
 }
@@ -75,7 +74,7 @@ event log_smtp(rec: Info)
 if ( addr_matches_hosts(rec$id$orig_h, detect_clients_in_messages_from) )
 {
- local s = Software::parse(rec$user_agent, rec$path[|rec$path|-1], s_type);
+ local s = Software::parse(rec$user_agent, client_ip, s_type);
 Software::found(rec$id, s);
 }
 }
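Review bot: `client_ip` is now what gets passed to `Software::parse`, but its fallback assignment is outside this hunk, and the `client_ip = rec$path[|rec$path|-2]` in the preceding hunk is evaluated whenever the earliest received header says `via HTTP`, regardless of how many entries `path` holds; if `path` can have fewer than two entries (where it is built is not visible here), that index goes negative at runtime. Guard it together with the header check, `if ( rec?$first_received && /via HTTP/ in rec$first_received && |rec$path| >= 2 )`. The enclosing `event log_smtp` starts before this hunk.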