More script updates.

This commit is contained in:
Seth Hall 2011-04-26 11:08:04 -04:00
parent adec99751d
commit f6e67a6a87
4 changed files with 14 additions and 20 deletions


@ -122,9 +122,9 @@ function parse_mozilla(unparsed_version: string,
software_name = "MSIE"; software_name = "MSIE";
v = [$major=8,$minor=0]; v = [$major=8,$minor=0];
} }
else if ( /[cC]ompatible; MSIE [0-9\.]*/ in unparsed_version ) else if ( / MSIE [0-9\.]*b?[0-9]*;/ in unparsed_version )
{ {
parts = split_all(unparsed_version, /MSIE [0-9\.]*/); parts = split_all(unparsed_version, /MSIE [0-9\.]*b?[0-9]*/);
if ( 2 in parts ) if ( 2 in parts )
return parse(parts[2], host, software_type); return parse(parts[2], host, software_type);
} }
@ -139,9 +139,9 @@ function parse_mozilla(unparsed_version: string,
v$addl = "Mobile"; v$addl = "Mobile";
} }
} }
else if ( /Firefox\/[0-9\.]*/ in unparsed_version ) else if ( /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/ in unparsed_version )
{ {
parts = split_all(unparsed_version, /Firefox\/[0-9\.]*/); parts = split_all(unparsed_version, /(Firefox|Netscape|Thunderbird)\/[0-9\.]*/);
if ( 2 in parts ) if ( 2 in parts )
return parse(parts[2], host, software_type); return parse(parts[2], host, software_type);
} }
@ -175,12 +175,6 @@ function parse_mozilla(unparsed_version: string,
v = parse(parts[2], host, software_type)$version; v = parse(parts[2], host, software_type)$version;
} }
} }
else if ( /Thunderbird\/[0-9\.]*/ in unparsed_version )
{
parts = split_all(unparsed_version, /Thunderbird\/[0-9\.]*/);
if ( 2 in parts )
return parse(parts[2], host, software_type);
}
return [$ts=network_time(), $host=host, $name=software_name, $version=v, return [$ts=network_time(), $host=host, $name=software_name, $version=v,
$software_type=software_type, $unparsed_version=unparsed_version]; $software_type=software_type, $unparsed_version=unparsed_version];
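Review bot: The new MSIE pattern in the first hunk, `/ MSIE [0-9\.]*b?[0-9]*;/`, requires a `;` after the version, so a user agent whose MSIE token is the last item before the closing parenthesis, e.g. `(compatible; MSIE 6.0)`, no longer enters this branch and falls through to whatever follows it; the replaced `[cC]ompatible; MSIE [0-9\.]*` form did not need a terminator. If that is not intended, accepting either delimiter, `else if ( / MSIE [0-9\.]*b?[0-9]*(;|\))/ in unparsed_version )`, keeps the split pattern on the following line unchanged. The `b?[0-9]*` suffix is only exercised by the `MSIE 7.0b` fixture added to the test table, which expects parse() to put the letter in `$addl`, so a comment such as `# Beta builds carry a letter suffix (MSIE 7.0b); parse() is expected to keep it in $addl` would make the extra alternation self-explanatory. parse_mozilla begins and ends outside these hunks.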


@ -4,7 +4,7 @@
module Software; module Software;
redef enum Notice::Type += { redef enum Notice::Type += {
VULNERABLE, Vulnerable_Version,
}; };
export { export {
@ -23,7 +23,7 @@ event log_software(rec: Info)
if ( rec$name in vulnerable_versions && if ( rec$name in vulnerable_versions &&
cmp_versions(rec$version, vulnerable_versions[rec$name]) < 1 ) cmp_versions(rec$version, vulnerable_versions[rec$name]) < 1 )
{ {
print fmt("VULNERABLE %s", software_fmt(rec)); print fmt("Vulnerable version of ", software_fmt(rec));
NOTICE([$note=VULNERABLE, $src=rec$host, $msg=software_fmt(rec)]); NOTICE([$note=Vulnerable_Version, $src=rec$host, $msg=software_fmt(rec)]);
} }
} }
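Review bot: The reworded debug line `print fmt("Vulnerable version of ", software_fmt(rec));` has no `%s` conversion, so the `software_fmt(rec)` argument is never rendered and the output is just the bare prefix; the replaced `"VULNERABLE %s"` did include it. Either restore the placeholder, `print fmt("Vulnerable version of %s", software_fmt(rec));`, or drop the print altogether, since the NOTICE on the next line already carries the same text in `$msg` and a stray print in a logging hook is easy to leave behind. Separately, the context line `cmp_versions(rec$version, vulnerable_versions[rec$name]) < 1` also fires when the observed version equals the table entry, which is presumably intended but deserves a comment such as `# < 1: the listed version itself counts as vulnerable, not only older ones`.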


@ -159,10 +159,8 @@ global ssl_ports = {
443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp, 443/tcp, 563/tcp, 585/tcp, 614/tcp, 636/tcp,
989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp, 989/tcp, 990/tcp, 992/tcp, 993/tcp, 995/tcp,
}; };
redef dpd_config += { [ANALYZER_SSL] = [$ports = ssl_ports] };
redef dpd_config += { redef dpd_config += { [ANALYZER_SSL_BINPAC] = [$ports = ssl_ports] };
[[ANALYZER_SSL, ANALYZER_SSL_BINPAC]] = [$ports = ssl_ports]
};
event bro_init() event bro_init()
{ {
@ -221,7 +219,6 @@ function get_session_info(s: SSL_sessionID): SessionInfo
event ssl_certificate(c: connection, cert: X509, is_server: bool) event ssl_certificate(c: connection, cert: X509, is_server: bool)
{ {
print "hello?";
set_session(c); set_session(c);
if ( [c$id$resp_h, c$id$resp_p, cert$subject] !in certs ) if ( [c$id$resp_h, c$id$resp_p, cert$subject] !in certs )
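Review bot: The two `redef dpd_config +=` lines in the first hunk register ANALYZER_SSL and ANALYZER_SSL_BINPAC on the same `ssl_ports` set, and nothing in the hunk says which of them is meant to produce the `ssl_certificate` events handled below. If the DPD framework attaches both analyzers to one connection, `set_session(c)` and the `certs` membership test in the second hunk would presumably run once per analyzer for the same certificate — worth confirming, and worth recording above the two lines with a comment such as `# Both the classic and the BinPAC SSL analyzers are enabled on the well-known ports; only one is expected to attach per connection` if that is the guarantee being relied on. The body of the ssl_certificate event continues past the end of the hunk.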


@ -73,10 +73,13 @@ global matched_software: table[string] of Software::Info = {
["Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00"] = ["Opera/9.80 (Windows NT 5.1; Opera Mobi/49; U; en) Presto/2.4.18 Version/10.00"] =
[$name="Opera Mobi", $version=[$major=10,$minor=0], $host=0.0.0.0, $ts=ts], [$name="Opera Mobi", $version=[$major=10,$minor=0], $host=0.0.0.0, $ts=ts],
["Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00"] = ["Mozilla/4.0 (compatible; MSIE 8.0; Android 2.2.2; Linux; Opera Mobi/ADR-1103311355; en) Opera 11.00"] =
[$name="Opera", $version=[$major=11,$minor=0], $host=0.0.0.0, $ts=ts], [$name="Opera Mobi", $version=[$major=11,$minor=0], $host=0.0.0.0, $ts=ts],
["Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)"] = ["Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)"] =
[$name="MSIE", $version=[$major=7,$minor=0], $host=0.0.0.0, $ts=ts], [$name="MSIE", $version=[$major=7,$minor=0], $host=0.0.0.0, $ts=ts],
["Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; Media Center PC 3.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)"] =
[$name="MSIE", $version=[$major=7,$minor=0,$addl="b"], $host=0.0.0.0, $ts=ts],
["Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)"] =
[$name="Netscape", $version=[$major=7,$minor=2], $host=0.0.0.0, $ts=ts],
# This is an FTP client (found with CLNT command) # This is an FTP client (found with CLNT command)
["Total Commander"] = ["Total Commander"] =