Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Move spicy-ldap into Zeek protocol analyzer tree

Browse source
This commit is contained in:
Benjamin Bannier 2023-09-18 10:44:14 +02:00
parent e544540986
commit f172febbcb
16 changed files with 22 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

1
scripts/base/init-default.zeek
View file

@ -59,6 +59,7 @@
@load base/protocols/imap @load base/protocols/imap
@load base/protocols/irc @load base/protocols/irc
@load base/protocols/krb @load base/protocols/krb
@load base/protocols/ldap
@load base/protocols/modbus @load base/protocols/modbus
@load base/protocols/mqtt @load base/protocols/mqtt
@load base/protocols/mysql @load base/protocols/mysql

0
src/spicy/spicy-ldap/analyzer/__load__.zeek → scripts/base/protocols/ldap/__load__.zeek
View file

4
src/spicy/spicy-ldap/analyzer/dpd.sig → scripts/base/protocols/ldap/dpd.sig
View file

@ -7,7 +7,7 @@ signature dpd_ldap_server_udp {
ip-proto == udp ip-proto == udp
payload /^\x30/ payload /^\x30/
requires-reverse-signature dpd_ldap_client_udp requires-reverse-signature dpd_ldap_client_udp
enable "spicy_LDAP_UDP" enable "LDAP_UDP"
} }
signature dpd_ldap_client_tcp { signature dpd_ldap_client_tcp {
@ -19,5 +19,5 @@ signature dpd_ldap_server_tcp {
ip-proto == tcp ip-proto == tcp
payload /^\x30/ payload /^\x30/
requires-reverse-signature dpd_ldap_client_tcp requires-reverse-signature dpd_ldap_client_tcp
enable "spicy_LDAP_TCP" enable "LDAP_TCP"
} }

4
src/spicy/spicy-ldap/analyzer/main.zeek → scripts/base/protocols/ldap/main.zeek
View file

@ -292,7 +292,7 @@ function set_session(c: connection, message_id: int, opcode: LDAP::ProtocolOpcod
############################################################################# #############################################################################
@if (Version::at_least("5.2.0")) @if (Version::at_least("5.2.0"))
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) { event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) {
if ( atype == Analyzer::ANALYZER_SPICY_LDAP_TCP ) { if ( atype == Analyzer::ANALYZER_LDAP_TCP ) {
info$c$ldap_proto = "tcp"; info$c$ldap_proto = "tcp";
} }
} }
@ -302,7 +302,7 @@ event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count)
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) { event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) {
@endif @endif
if ( atype == Analyzer::ANALYZER_SPICY_LDAP_TCP ) { if ( atype == Analyzer::ANALYZER_LDAP_TCP ) {
c$ldap_proto = "tcp"; c$ldap_proto = "tcp";
} }

1
src/analyzer/protocol/CMakeLists.txt
View file

@ -16,6 +16,7 @@ add_subdirectory(ident)
add_subdirectory(imap) add_subdirectory(imap)
add_subdirectory(irc) add_subdirectory(irc)
add_subdirectory(krb) add_subdirectory(krb)
add_subdirectory(ldap)
add_subdirectory(login) add_subdirectory(login)
add_subdirectory(mime) add_subdirectory(mime)
add_subdirectory(modbus) add_subdirectory(modbus)

0
src/spicy/spicy-ldap/analyzer/CMakeLists.txt → src/analyzer/protocol/ldap/CMakeLists.txt
View file

0
src/spicy/spicy-ldap/analyzer/asn1.spicy → src/analyzer/protocol/ldap/asn1.spicy
View file

4
src/spicy/spicy-ldap/analyzer/ldap.evt → src/analyzer/protocol/ldap/ldap.evt
View file

@ -1,10 +1,10 @@
# Copyright (c) 2021 by the Zeek Project. See LICENSE for details. # Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
protocol analyzer spicy::LDAP_TCP over TCP: protocol analyzer LDAP_TCP over TCP:
parse with LDAP::Messages, parse with LDAP::Messages,
ports { 389/tcp, 3268/tcp}; ports { 389/tcp, 3268/tcp};
protocol analyzer spicy::LDAP_UDP over UDP: protocol analyzer LDAP_UDP over UDP:
parse with LDAP::Messages, parse with LDAP::Messages,
ports { 389/udp }; ports { 389/udp };

0
src/spicy/spicy-ldap/analyzer/ldap.spicy → src/analyzer/protocol/ldap/ldap.spicy
View file

2
src/spicy/CMakeLists.txt
View file

@ -28,5 +28,3 @@ install(DIRECTORY "${PROJECT_SOURCE_DIR}/scripts/spicy/" DESTINATION "${ZEEK_SPI
set(ZEEK_SPICY_DATA_PATH "${CMAKE_INSTALL_FULL_DATADIR}/zeek" CACHE PATH "") set(ZEEK_SPICY_DATA_PATH "${CMAKE_INSTALL_FULL_DATADIR}/zeek" CACHE PATH "")
add_subdirectory(spicyz) add_subdirectory(spicyz)
add_subdirectory(spicy-ldap)

1
src/spicy/spicy-ldap/CMakeLists.txt
View file

@ -1 +0,0 @@
add_subdirectory(analyzer)

2
src/spicy/spicy-ldap/tests/analyzer/availability.zeek
View file

@ -1,5 +1,5 @@
# Copyright (c) 2021 by the Zeek Project. See LICENSE for details. # Copyright (c) 2021 by the Zeek Project. See LICENSE for details.
# @TEST-EXEC: zeek -NN | grep -q ANALYZER_SPICY_LDAP_TCP # @TEST-EXEC: zeek -NN | grep -q ANALYZER_LDAP_TCP
# #
# @TEST-DOC: Check that LDAP (TCP) is analyzer is available. # @TEST-DOC: Check that LDAP (TCP) is analyzer is available.

2
testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
View file

@ -406,6 +406,8 @@ scripts/base/init-default.zeek
scripts/base/protocols/krb/main.zeek scripts/base/protocols/krb/main.zeek
scripts/base/protocols/krb/consts.zeek scripts/base/protocols/krb/consts.zeek
scripts/base/protocols/krb/files.zeek scripts/base/protocols/krb/files.zeek
scripts/base/protocols/ldap/__load__.zeek
scripts/base/protocols/ldap/main.zeek
scripts/base/protocols/modbus/__load__.zeek scripts/base/protocols/modbus/__load__.zeek
scripts/base/protocols/modbus/consts.zeek scripts/base/protocols/modbus/consts.zeek
scripts/base/protocols/modbus/main.zeek scripts/base/protocols/modbus/main.zeek

2
testing/btest/Baseline/coverage.find-bro-logs/out
View file

@ -20,6 +20,8 @@ known_certs
known_hosts known_hosts
known_modbus known_modbus
known_services known_services
ldap
ldap_search
loaded_scripts loaded_scripts
modbus modbus
modbus_register_change modbus_register_change

12
testing/btest/Baseline/scripts.base.files.x509.files/files.log
View file

@ -7,10 +7,10 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 #fields ts fuid uid id.orig_h id.orig_p id.resp_h id.resp_p source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256
#types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string #types time string string addr port addr port string count set[string] string string interval bool bool count count count count bool string string string string
XXXXXXXXXX.XXXXXX FgN3AE3of2TRIqaeQe CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43 XXXXXXXXXX.XXXXXX FgN3AE3of2TRIqaeQe CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
XXXXXXXXXX.XXXXXX Fv2Agc4z5boBOacQi6 CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d XXXXXXXXXX.XXXXXX Fv2Agc4z5boBOacQi6 CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
XXXXXXXXXX.XXXXXX Ftmyeg2qgI2V38Dt3g CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0 XXXXXXXXXX.XXXXXX Ftmyeg2qgI2V38Dt3g CHhAvVGS1DHFjwGM9 192.168.4.149 60623 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
XXXXXXXXXX.XXXXXX FUFNf84cduA0IJCp07 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43 XXXXXXXXXX.XXXXXX FUFNf84cduA0IJCp07 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-user-cert - 0.000000 F F 1859 - 0 0 F - 7af07aca6d5c6e8e87fe4bb34786edc0 548b9e03bc183d1cd39f93a37985cb3950f8f06f 6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
XXXXXXXXXX.XXXXXX F1H4bd2OKGbLPEdHm4 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d XXXXXXXXXX.XXXXXX F1H4bd2OKGbLPEdHm4 ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 1032 - 0 0 F - 9e4ac96474245129d9766700412a1f89 d83c1a7f4d0446bb2081b81a1670f8183451ca24 a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
XXXXXXXXXX.XXXXXX Fgsbci2jxFXYMOHOhi ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 SHA256,X509,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0 XXXXXXXXXX.XXXXXX Fgsbci2jxFXYMOHOhi ClEkJM2Vm5giqnMf4h 192.168.4.149 60624 74.125.239.129 443 SSL 0 X509,SHA256,SHA1,MD5 application/x-x509-ca-cert - 0.000000 F F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

3
testing/btest/Baseline/spicy.port-range-one-port/out.filtered
View file

@ -1,2 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
[zeek] Scheduling analyzer for port 389/tcp
[zeek] Scheduling analyzer for port 3268/tcp
[zeek] Scheduling analyzer for port 389/udp
[zeek] Scheduling analyzer for port 31336/udp [zeek] Scheduling analyzer for port 31336/udp