Merge remote-tracking branch 'origin/master' into topic/bernhard/file-analysis-x509

Conflicts:
	src/analyzer/protocol/ssl/events.bif

Still broken.
Bernhard Amann 2014-01-28 06:43:08 -08:00
commit f821a13cce
736 changed files with 16014 additions and 17843 deletions


@ -0,0 +1 @@
Support for connection (TCP, UDP, or ICMP) analysis.


@ -16,12 +16,12 @@
module Conn;
export {
## The prefix given to files containing extracted connections as they are
## opened on disk.
## The prefix given to files containing extracted connections as they
## are opened on disk.
const extraction_prefix = "contents" &redef;
## If this variable is set to ``T``, then all contents of all connections
## will be extracted.
## If this variable is set to ``T``, then all contents of all
## connections will be extracted.
const default_extract = F &redef;
}


@ -1,7 +1,7 @@
##! This script manages the tracking/logging of general information regarding
##! TCP, UDP, and ICMP traffic. For UDP and ICMP, "connections" are to
##! be interpreted using flow semantics (sequence of packets from a source
##! host/post to a destination host/port). Further, ICMP "ports" are to
##! host/port to a destination host/port). Further, ICMP "ports" are to
##! be interpreted as the source port meaning the ICMP message type and
##! the destination port being the ICMP message code.
@ -23,7 +23,7 @@ export {
id: conn_id &log;
## The transport layer protocol of the connection.
proto: transport_proto &log;
## An identification of an application protocol being sent over the
## An identification of an application protocol being sent over
## the connection.
service: string &log &optional;
## How long the connection lasted. For 3-way or 4-way connection
@ -31,9 +31,10 @@ export {
duration: interval &log &optional;
## The number of payload bytes the originator sent. For TCP
## this is taken from sequence numbers and might be inaccurate
## (e.g., due to large connections)
## (e.g., due to large connections).
orig_bytes: count &log &optional;
## The number of payload bytes the responder sent. See ``orig_bytes``.
## The number of payload bytes the responder sent. See
## *orig_bytes*.
resp_bytes: count &log &optional;
## ========== ===============================================
@ -55,20 +56,20 @@ export {
## ========== ===============================================
conn_state: string &log &optional;
## If the connection is originated locally, this value will be T. If
## it was originated remotely it will be F. In the case that the
## :bro:id:`Site::local_nets` variable is undefined, this field will
## be left empty at all times.
## If the connection is originated locally, this value will be T.
## If it was originated remotely it will be F. In the case that
## the :bro:id:`Site::local_nets` variable is undefined, this
## field will be left empty at all times.
local_orig: bool &log &optional;
## Indicates the number of bytes missed in content gaps, which is
## representative of packet loss. A value other than zero will
## normally cause protocol analysis to fail but some analysis may
## have been completed prior to the packet loss.
## Indicates the number of bytes missed in content gaps, which
## is representative of packet loss. A value other than zero
## will normally cause protocol analysis to fail but some
## analysis may have been completed prior to the packet loss.
missed_bytes: count &log &default=0;
## Records the state history of connections as a string of letters.
## The meaning of those letters is:
## Records the state history of connections as a string of
## letters. The meaning of those letters is:
##
## ====== ====================================================
## Letter Meaning
@ -83,24 +84,25 @@ export {
## i inconsistent packet (e.g. SYN+RST bits both set)
## ====== ====================================================
##
## If the event comes from the originator, the letter is in upper-case; if it comes
## from the responder, it's in lower-case. Multiple packets of the same type will
## only be noted once (e.g. we only record one "d" in each direction, regardless of
## how many data packets were seen.)
## If the event comes from the originator, the letter is in
## upper-case; if it comes from the responder, it's in
## lower-case. Multiple packets of the same type will only be
## noted once (e.g. we only record one "d" in each direction,
## regardless of how many data packets were seen.)
history: string &log &optional;
## Number of packets that the originator sent.
## Only set if :bro:id:`use_conn_size_analyzer` = T
## Only set if :bro:id:`use_conn_size_analyzer` = T.
orig_pkts: count &log &optional;
## Number of IP level bytes that the originator sent (as seen on the wire,
## taken from IP total_length header field).
## Only set if :bro:id:`use_conn_size_analyzer` = T
## Number of IP level bytes that the originator sent (as seen on
## the wire, taken from the IP total_length header field).
## Only set if :bro:id:`use_conn_size_analyzer` = T.
orig_ip_bytes: count &log &optional;
## Number of packets that the responder sent.
## Only set if :bro:id:`use_conn_size_analyzer` = T
## Only set if :bro:id:`use_conn_size_analyzer` = T.
resp_pkts: count &log &optional;
## Number og IP level bytes that the responder sent (as seen on the wire,
## taken from IP total_length header field).
## Only set if :bro:id:`use_conn_size_analyzer` = T
## Number of IP level bytes that the responder sent (as seen on
## the wire, taken from the IP total_length header field).
## Only set if :bro:id:`use_conn_size_analyzer` = T.
resp_ip_bytes: count &log &optional;
## If this connection was over a tunnel, indicate the
## *uid* values for any encapsulating parent connections


@ -11,10 +11,11 @@ export {
## c: The connection to watch.
##
## callback: A callback function that takes as arguments the monitored
## *connection*, and counter *cnt* that increments each time the
## callback is called. It returns an interval indicating how long
## in the future to schedule an event which will call the
## callback. A negative return interval causes polling to stop.
## *connection*, and counter *cnt* that increments each time
## the callback is called. It returns an interval indicating
## how long in the future to schedule an event which will call
## the callback. A negative return interval causes polling
## to stop.
##
## cnt: The initial value of a counter which gets passed to *callback*.
##


@ -0,0 +1 @@
Support for Dynamic Host Configuration Protocol (DHCP) analysis.


@ -5,7 +5,7 @@ module DHCP;
export {
## Types of DHCP messages. See RFC 1533.
## Types of DHCP messages. See :rfc:`1533`.
const message_types = {
[1] = "DHCP_DISCOVER",
[2] = "DHCP_OFFER",


@ -3,7 +3,8 @@
##! noisy on most networks, and focuses on the end-result: assigned leases.
##!
##! If you'd like to track known DHCP devices and to log the hostname
##! supplied by the client, see policy/protocols/dhcp/known-devices.bro
##! supplied by the client, see
##! :doc:`/scripts/policy/protocols/dhcp/known-devices-and-hostnames.bro`.
@load ./utils.bro
@ -18,7 +19,7 @@ export {
## associated connection is observed.
ts: time &log;
## A unique identifier of the connection over which DHCP is
## occuring.
## occurring.
uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
@ -28,7 +29,7 @@ export {
assigned_ip: addr &log &optional;
## IP address lease interval.
lease_time: interval &log &optional;
## A random number choosen by the client for this transaction.
## A random number chosen by the client for this transaction.
trans_id: count &log;
};
@ -37,7 +38,7 @@ export {
global log_dhcp: event(rec: Info);
}
# Add the dhcp info to the connection record
# Add the dhcp info to the connection record.
redef record connection += {
dhcp: Info &optional;
};


@ -3,11 +3,11 @@
module DHCP;
export {
## Reverse the octets of an IPv4 IP.
## Reverse the octets of an IPv4 address.
##
## ip: An :bro:type:`addr` IPv4 address.
## ip: An IPv4 address.
##
## Returns: A reversed addr.
## Returns: A reversed IPv4 address.
global reverse_ip: function(ip: addr): addr;
}


@ -0,0 +1 @@
Support for Distributed Network Protocol (DNP3) analysis.


@ -10,7 +10,7 @@ export {
type Info: record {
## Time of the request.
ts: time &log;
## Unique identifier for the connnection.
## Unique identifier for the connection.
uid: string &log;
## Identifier for the connection.
id: conn_id &log;


@ -0,0 +1 @@
Support for Domain Name System (DNS) protocol analysis.


@ -8,7 +8,8 @@ export {
const EDNS = 41; ##< An OPT RR TYPE value described by EDNS.
const ANY = 255; ##< A QTYPE value describing a request for all records.
## Mapping of DNS query type codes to human readable string representation.
## Mapping of DNS query type codes to human readable string
## representation.
const query_types = {
[1] = "A", [2] = "NS", [3] = "MD", [4] = "MF",
[5] = "CNAME", [6] = "SOA", [7] = "MB", [8] = "MG",
@ -64,8 +65,8 @@ export {
[32768] = "DNS_SEC_OK", # accepts DNS Sec RRs
} &default="?";
## Possible values of the CLASS field in resource records or QCLASS field
## in query messages.
## Possible values of the CLASS field in resource records or QCLASS
## field in query messages.
const classes = {
[1] = "C_INTERNET",
[2] = "C_CSNET",


@ -22,8 +22,8 @@ export {
id: conn_id &log;
## The transport layer protocol of the connection.
proto: transport_proto &log;
## A 16 bit identifier assigned by the program that generated the
## DNS query. Also used in responses to match up replies to
## A 16-bit identifier assigned by the program that generated
## the DNS query. Also used in responses to match up replies to
## outstanding queries.
trans_id: count &log &optional;
## The domain name that is the subject of the DNS query.
@ -40,17 +40,17 @@ export {
rcode: count &log &optional;
## A descriptive name for the response code value.
rcode_name: string &log &optional;
## The Authoritative Answer bit for response messages specifies that
## the responding name server is an authority for the domain name
## in the question section.
## The Authoritative Answer bit for response messages specifies
## that the responding name server is an authority for the
## domain name in the question section.
AA: bool &log &default=F;
## The Truncation bit specifies that the message was truncated.
TC: bool &log &default=F;
## The Recursion Desired bit in a request message indicates that
## the client wants recursive service for this query.
RD: bool &log &default=F;
## The Recursion Available bit in a response message indicates that
## the name server supports recursive queries.
## The Recursion Available bit in a response message indicates
## that the name server supports recursive queries.
RA: bool &log &default=F;
## A reserved field that is currently supposed to be zero in all
## queries and responses.
@ -58,19 +58,19 @@ export {
## The set of resource descriptions in the query answer.
answers: vector of string &log &optional;
## The caching intervals of the associated RRs described by the
## ``answers`` field.
## *answers* field.
TTLs: vector of interval &log &optional;
## The DNS query was rejected by the server.
rejected: bool &log &default=F;
## This value indicates if this request/response pair is ready to be
## logged.
## This value indicates if this request/response pair is ready
## to be logged.
ready: bool &default=F;
## The total number of resource records in a reply message's answer
## section.
## The total number of resource records in a reply message's
## answer section.
total_answers: count &optional;
## The total number of resource records in a reply message's answer,
## authority, and additional sections.
## The total number of resource records in a reply message's
## answer, authority, and additional sections.
total_replies: count &optional;
};
@ -78,9 +78,10 @@ export {
## record as it is sent to the logging framework.
global log_dns: event(rec: Info);
## This is called by the specific dns_*_reply events with a "reply" which
## may not represent the full data available from the resource record, but
## it's generally considered a summarization of the response(s).
## This is called by the specific dns_*_reply events with a "reply"
## which may not represent the full data available from the resource
## record, but it's generally considered a summarization of the
## responses.
##
## c: The connection record for which to fill in DNS reply data.
##
@ -95,7 +96,7 @@ export {
## This can be used if additional initialization logic needs to happen
## when creating a new session value.
##
## c: The connection involved in the new session
## c: The connection involved in the new session.
##
## msg: The DNS message header information.
##
@ -109,9 +110,9 @@ export {
## query/response which haven't completed yet.
pending: table[count] of Queue::Queue;
## This is the list of DNS responses that have completed based on the
## number of responses declared and the number received. The contents
## of the set are transaction IDs.
## This is the list of DNS responses that have completed based
## on the number of responses declared and the number received.
## The contents of the set are transaction IDs.
finished_answers: set[count];
};
}


@ -0,0 +1 @@
Support for File Transfer Protocol (FTP) analysis.


@ -4,20 +4,20 @@
##! that successfully negotiate the GSSAPI method of an AUTH request
##! and for which the exchange involved an encoded TLS/SSL handshake,
##! indicating the GSI mechanism for GSSAPI was used. This analysis
##! is all supported internally, this script simple adds the "gridftp"
##! is all supported internally, this script simply adds the "gridftp"
##! label to the *service* field of the control channel's
##! :bro:type:`connection` record.
##!
##! GridFTP data channels are identified by a heuristic that relies on
##! the fact that default settings for GridFTP clients typically
##! mutally authenticate the data channel with TLS/SSL and negotiate a
##! mutually authenticate the data channel with TLS/SSL and negotiate a
##! NULL bulk cipher (no encryption). Connections with those
##! attributes are then polled for two minutes with decreasing frequency
##! to check if the transfer sizes are large enough to indicate a
##! GridFTP data channel that would be undesireable to analyze further
##! GridFTP data channel that would be undesirable to analyze further
##! (e.g. stop TCP reassembly). A side effect is that true connection
##! sizes are not logged, but at the benefit of saving CPU cycles that
##! otherwise go to analyzing the large (and likely benign) connections.
##! would otherwise go to analyzing the large (and likely benign) connections.
@load ./info
@load ./main
@ -59,8 +59,8 @@ export {
## been exceeded. This is called in a :bro:see:`ssl_established` event
## handler and by default looks for both a client and server certificate
## and for a NULL bulk cipher. One way in which this function could be
## redefined is to make it also consider client/server certificate issuer
## subjects.
## redefined is to make it also consider client/server certificate
## issuer subjects.
##
## c: The connection which may possibly be a GridFTP data channel.
##


@ -18,7 +18,8 @@ export {
orig_h: addr &log;
## The host that will be accepting the data connection.
resp_h: addr &log;
## The port at which the acceptor is listening for the data connection.
## The port at which the acceptor is listening for the data
## connection.
resp_p: port &log;
};
@ -38,7 +39,8 @@ export {
## Argument for the command if one is given.
arg: string &log &optional;
## Libmagic "sniffed" file type if the command indicates a file transfer.
## Libmagic "sniffed" file type if the command indicates a file
## transfer.
mime_type: string &log &optional;
## Size of the file if the command indicates a file transfer.
file_size: count &log &optional;
@ -59,8 +61,8 @@ export {
## Command that is currently waiting for a response.
cmdarg: CmdArg &optional;
## Queue for commands that have been sent but not yet responded to
## are tracked here.
## Queue for commands that have been sent but not yet responded
## to are tracked here.
pending_commands: PendingCmds;
## Indicates if the session is in active or passive mode.


@ -26,7 +26,7 @@ export {
const guest_ids = { "anonymous", "ftp", "ftpuser", "guest" } &redef;
## This record is to hold a parsed FTP reply code. For example, for the
## 201 status code, the digits would be parsed as: x->2, y->0, z=>1.
## 201 status code, the digits would be parsed as: x->2, y->0, z->1.
type ReplyCode: record {
x: count;
y: count;


@ -11,14 +11,14 @@ export {
##
## rec: An :bro:type:`FTP::Info` record.
##
## Returns: A URL, not prefixed by "ftp://".
## Returns: A URL, not prefixed by ``"ftp://"``.
global build_url: function(rec: Info): string;
## Creates a URL from an :bro:type:`FTP::Info` record.
##
## rec: An :bro:type:`FTP::Info` record.
##
## Returns: A URL prefixed with "ftp://".
## Returns: A URL prefixed with ``"ftp://"``.
global build_url_ftp: function(rec: Info): string;
## Create an extremely shortened representation of a log line.


@ -0,0 +1 @@
Support for Hypertext Transfer Protocol (HTTP) analysis.


@ -3,4 +3,4 @@
@load ./utils
@load ./files
@load-sigs ./dpd.sig
@load-sigs ./dpd.sig


@ -28,9 +28,11 @@ export {
## The current entity.
current_entity: Entity &optional;
## Current number of MIME entities in the HTTP request message body.
## Current number of MIME entities in the HTTP request message
## body.
orig_mime_depth: count &default=0;
## Current number of MIME entities in the HTTP response message body.
## Current number of MIME entities in the HTTP response message
## body.
resp_mime_depth: count &default=0;
};
}


@ -16,7 +16,8 @@ export {
EMPTY
};
## This setting changes if passwords used in Basic-Auth are captured or not.
## This setting changes if passwords used in Basic-Auth are captured or
## not.
const default_capture_password = F &redef;
type Info: record {
@ -36,8 +37,8 @@ export {
## URI used in the request.
uri: string &log &optional;
## Value of the "referer" header. The comment is deliberately
## misspelled like the standard declares, but the name used here is
## "referrer" spelled correctly.
## misspelled like the standard declares, but the name used here
## is "referrer" spelled correctly.
referrer: string &log &optional;
## Value of the User-Agent header from the client.
user_agent: string &log &optional;
@ -55,7 +56,8 @@ export {
info_code: count &log &optional;
## Last seen 1xx informational reply message returned by the server.
info_msg: string &log &optional;
## Filename given in the Content-Disposition header sent by the server.
## Filename given in the Content-Disposition header sent by the
## server.
filename: string &log &optional;
## A set of indicators of various attributes discovered and
## related to a particular request/response pair.


@ -6,8 +6,8 @@
module HTTP;
export {
## Given a string containing a series of key-value pairs separated by "=",
## this function can be used to parse out all of the key names.
## Given a string containing a series of key-value pairs separated
## by "=", this function can be used to parse out all of the key names.
##
## data: The raw data, such as a URL or cookie value.
##
@ -17,20 +17,20 @@ export {
## Returns: A vector of strings containing the keys.
global extract_keys: function(data: string, kv_splitter: pattern): string_vec;
## Creates a URL from an :bro:type:`HTTP::Info` record. This should handle
## edge cases such as proxied requests appropriately.
## Creates a URL from an :bro:type:`HTTP::Info` record. This should
## handle edge cases such as proxied requests appropriately.
##
## rec: An :bro:type:`HTTP::Info` record.
##
## Returns: A URL, not prefixed by "http://".
## Returns: A URL, not prefixed by ``"http://"``.
global build_url: function(rec: Info): string;
## Creates a URL from an :bro:type:`HTTP::Info` record. This should handle
## edge cases such as proxied requests appropriately.
## Creates a URL from an :bro:type:`HTTP::Info` record. This should
## handle edge cases such as proxied requests appropriately.
##
## rec: An :bro:type:`HTTP::Info` record.
##
## Returns: A URL prefixed with "http://".
## Returns: A URL prefixed with ``"http://"``.
global build_url_http: function(rec: Info): string;
## Create an extremely shortened representation of a log line.


@ -0,0 +1 @@
Support for Internet Relay Chat (IRC) protocol analysis.


@ -15,9 +15,9 @@ export {
uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
## Nick name given for the connection.
## Nickname given for the connection.
nick: string &log &optional;
## User name given for the connection.
## Username given for the connection.
user: string &log &optional;
## Command given by the client.


@ -0,0 +1 @@
Support for Modbus protocol analysis.


@ -10,7 +10,7 @@ export {
type Info: record {
## Time of the request.
ts: time &log;
## Unique identifier for the connnection.
## Unique identifier for the connection.
uid: string &log;
## Identifier for the connection.
id: conn_id &log;
@ -20,8 +20,8 @@ export {
exception: string &log &optional;
};
## Event that can be handled to access the Modbus record as it is sent on
## to the logging framework.
## Event that can be handled to access the Modbus record as it is sent
## on to the logging framework.
global log_modbus: event(rec: Info);
}


@ -0,0 +1 @@
Support for POP3 (Post Office Protocol) protocol analysis.


@ -0,0 +1 @@
Support for Simple Mail Transfer Protocol (SMTP) analysis.


@ -14,8 +14,8 @@ export {
uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
## A count to represent the depth of this message transaction in a single
## connection where multiple messages were transferred.
## A count to represent the depth of this message transaction in
## a single connection where multiple messages were transferred.
trans_depth: count &log;
## Contents of the Helo header.
helo: string &log &optional;
@ -37,7 +37,7 @@ export {
in_reply_to: string &log &optional;
## Contents of the Subject header.
subject: string &log &optional;
## Contents of the X-Origininating-IP header.
## Contents of the X-Originating-IP header.
x_originating_ip: addr &log &optional;
## Contents of the first Received header.
first_received: string &log &optional;
@ -50,7 +50,8 @@ export {
## Value of the User-Agent header from the client.
user_agent: string &log &optional;
## Indicates if the "Received: from" headers should still be processed.
## Indicates if the "Received: from" headers should still be
## processed.
process_received_from: bool &default=T;
## Indicates if client activity has been seen, but not yet logged.
has_client_activity: bool &default=F;
@ -58,9 +59,9 @@ export {
type State: record {
helo: string &optional;
## Count the number of individual messages transmitted during this
## SMTP session. Note, this is not the number of recipients, but the
## number of message bodies transferred.
## Count the number of individual messages transmitted during
## this SMTP session. Note, this is not the number of
## recipients, but the number of message bodies transferred.
messages_transferred: count &default=0;
pending_messages: set[Info] &optional;
@ -290,7 +291,7 @@ function describe(rec: Info): string
{
if ( |rec$subject| > 20 )
{
abbrev_subject = rec$subject[0:20] + "...";
abbrev_subject = rec$subject[0:21] + "...";
}
}
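Review bot: The new slice bound in `abbrev_subject = rec$subject[0:21] + "...";` no longer visibly matches the guard `if ( |rec$subject| > 20 )` two lines above, and whether the upper index of a Bro string slice is inclusive or exclusive decides whether a subject of exactly 21 characters is truncated at all; the hunk gives no hint which behaviour was intended. I would tie both numbers to one named value and state the semantics once, e.g. `const max_subject_len = 20;` with the comment `# Subjects longer than max_subject_len are cut to max_subject_len characters (slice upper bound is exclusive) before "..." is appended`, adjusting the slice to whatever length the comment promises. The enclosing `describe` function starts outside the hunk, so the surrounding handling of `abbrev_subject` could not be checked here.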


@ -0,0 +1 @@
Support for Socket Secure (SOCKS) protocol analysis.


@ -9,17 +9,19 @@ export {
type Info: record {
## Time when the proxy connection was first detected.
ts: time &log;
## Unique ID for the tunnel - may correspond to connection uid or be non-existent.
## Unique ID for the tunnel - may correspond to connection uid
## or be non-existent.
uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
## Protocol version of SOCKS.
version: count &log;
## Username for the proxy if extracted from the network..
## Username for the proxy if extracted from the network.
user: string &log &optional;
## Server status for the attempt at using the proxy.
status: string &log &optional;
## Client requested SOCKS address. Could be an address, a name or both.
## Client requested SOCKS address. Could be an address, a name
## or both.
request: SOCKS::Address &log &optional;
## Client requested port.
request_p: port &log &optional;


@ -0,0 +1 @@
Support for Secure Shell (SSH) protocol analysis.


@ -25,8 +25,8 @@ export {
uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
## Indicates if the login was heuristically guessed to be "success",
## "failure", or "undetermined".
## Indicates if the login was heuristically guessed to be
## "success", "failure", or "undetermined".
status: string &log &default="undetermined";
## Direction of the connection. If the client was a local host
## logging into an external host, this would be OUTBOUND. INBOUND
@ -37,12 +37,6 @@ export {
client: string &log &optional;
## Software string from the server.
server: string &log &optional;
## Amount of data returned from the server. This is currently
## the only measure of the success heuristic and it is logged to
## assist analysts looking at the logs to make their own determination
## about the success on a case-by-case basis.
resp_size: count &log &default=0;
## Indicate if the SSH session is done being watched.
done: bool &default=F;
};
@ -107,10 +101,10 @@ function check_ssh_connection(c: connection, done: bool)
# this matches the conditions for a failed login. Failed
# logins are only detected at connection state removal.
if ( # Require originators to have sent at least 50 bytes.
c$orig$size > 50 &&
if ( # Require originators and responders to have sent at least 50 bytes.
c$orig$size > 50 && c$resp$size > 50 &&
# Responders must be below 4000 bytes.
c$resp$size < 4000 &&
c$resp$size < authentication_data_size &&
# Responder must have sent fewer than 40 packets.
c$resp$num_pkts < 40 &&
# If there was a content gap we can't reliably do this heuristic.
@ -122,7 +116,7 @@ function check_ssh_connection(c: connection, done: bool)
event SSH::heuristic_failed_login(c);
}
if ( c$resp$size > authentication_data_size )
if ( c$resp$size >= authentication_data_size )
{
c$ssh$status = "success";
event SSH::heuristic_successful_login(c);
@ -132,7 +126,7 @@ function check_ssh_connection(c: connection, done: bool)
{
# If this connection is still being tracked, then it's possible
# to watch for it to be a successful connection.
if ( c$resp$size > authentication_data_size )
if ( c$resp$size >= authentication_data_size )
{
c$ssh$status = "success";
event SSH::heuristic_successful_login(c);
@ -150,8 +144,6 @@ function check_ssh_connection(c: connection, done: bool)
# after detection is done.
c$ssh$done=T;
Log::write(SSH::LOG, c$ssh);
if ( skip_processing_after_detection )
{
# Stop watching this connection, we don't care about it anymore.
@ -161,10 +153,24 @@ function check_ssh_connection(c: connection, done: bool)
}
event heuristic_successful_login(c: connection) &priority=-5
{
Log::write(SSH::LOG, c$ssh);
}
event heuristic_failed_login(c: connection) &priority=-5
{
Log::write(SSH::LOG, c$ssh);
}
event connection_state_remove(c: connection) &priority=-5
{
if ( c?$ssh )
{
check_ssh_connection(c, T);
if ( c$ssh$status == "undetermined" )
Log::write(SSH::LOG, c$ssh);
}
}
event ssh_watcher(c: connection)
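Review bot: Dropping `resp_size: count &log &default=0;` from the `Info` record silently changes the ssh.log column layout, so any downstream parser keyed on that column breaks, and it removes the one logged value an analyst could use to second-guess the byte-count heuristic; if that is intended, a `##` comment above `status` such as `## Heuristic derived from responder byte counts; see authentication_data_size.` would at least tell readers what the verdict rests on. With the added `c$resp$size > 50 &&` requirement and the `>=` comparisons, a responder that sent fewer than 50 bytes now matches neither the failure branch nor the success branch, so such connections stay "undetermined" until `connection_state_remove` writes them, which looks intentional but deserves a comment next to the new condition. The `status == "undetermined"` guard in `connection_state_remove` avoids a second `Log::write` only because `check_ssh_connection` sets `c$ssh$status` synchronously before the `&priority=-5` event handlers run; that ordering assumption is worth stating in a comment there. `check_ssh_connection` begins outside the hunk, so any early return on `c$ssh$done` could not be confirmed from the visible lines.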


@ -0,0 +1 @@
Support for Secure Sockets Layer (SSL) protocol analysis.


@ -23,7 +23,7 @@ export {
} &default=function(i: count):string { return fmt("unknown-%d", i); };
## Mapping between numeric codes and human readable strings for alert
## descriptions..
## descriptions.
const alert_descriptions: table[count] of string = {
[0] = "close_notify",
[10] = "unexpected_message",
@ -78,6 +78,9 @@ export {
[13] = "signature_algorithms",
[14] = "use_srtp",
[15] = "heartbeat",
[16] = "application_layer_protocol_negotiation",
[17] = "status_request_v2",
[18] = "signed_certificate_timestamp",
[35] = "SessionTicket TLS",
[40] = "extended_random",
[13172] = "next_protocol_negotiation",
@ -178,6 +181,21 @@ export {
const TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B;
const TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C;
const TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D;
# draft-ietf-tls-openpgp-keys-06
const TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD = 0x0072;
const TLS_DHE_DSS_WITH_AES_128_CBC_RMD = 0x0073;
const TLS_DHE_DSS_WITH_AES_256_CBC_RMD = 0x0074;
const TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD = 0x0077;
const TLS_DHE_RSA_WITH_AES_128_CBC_RMD = 0x0078;
const TLS_DHE_RSA_WITH_AES_256_CBC_RMD = 0x0079;
const TLS_RSA_WITH_3DES_EDE_CBC_RMD = 0x007C;
const TLS_RSA_WITH_AES_128_CBC_RMD = 0x007D;
const TLS_RSA_WITH_AES_256_CBC_RMD = 0x007E;
# draft-chudov-cryptopro-cptls-04
const TLS_GOSTR341094_WITH_28147_CNT_IMIT = 0x0080;
const TLS_GOSTR341001_WITH_28147_CNT_IMIT = 0x0081;
const TLS_GOSTR341094_WITH_NULL_GOSTR3411 = 0x0082;
const TLS_GOSTR341001_WITH_NULL_GOSTR3411 = 0x0083;
const TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084;
const TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085;
const TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086;
@ -244,6 +262,7 @@ export {
const TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C3;
const TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C4;
const TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 = 0x00C5;
# RFC 4492
const TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xC001;
const TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xC002;
const TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xC003;
@ -303,6 +322,126 @@ export {
const TLS_ECDHE_PSK_WITH_NULL_SHA = 0xC039;
const TLS_ECDHE_PSK_WITH_NULL_SHA256 = 0xC03A;
const TLS_ECDHE_PSK_WITH_NULL_SHA384 = 0xC03B;
# RFC 6209
const TLS_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC03C;
const TLS_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC03D;
const TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC03E;
const TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC03F;
const TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC040;
const TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC041;
const TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 = 0xC042;
const TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 = 0xC043;
const TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC044;
const TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC045;
const TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256 = 0xC046;
const TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384 = 0xC047;
const TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 = 0xC048;
const TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 = 0xC049;
const TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 = 0xC04A;
const TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 = 0xC04B;
const TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC04C;
const TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC04D;
const TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 = 0xC04E;
const TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 = 0xC04F;
const TLS_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC050;
const TLS_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC051;
const TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC052;
const TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC053;
const TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC054;
const TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC055;
const TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 = 0xC056;
const TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 = 0xC057;
const TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 = 0xC058;
const TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 = 0xC059;
const TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256 = 0xC05A;
const TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384 = 0xC05B;
const TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 = 0xC05C;
const TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 = 0xC05D;
const TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 = 0xC05E;
const TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 = 0xC05F;
const TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC060;
const TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC061;
const TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 = 0xC062;
const TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 = 0xC063;
const TLS_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC064;
const TLS_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC065;
const TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC066;
const TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC067;
const TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC068;
const TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC069;
const TLS_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06A;
const TLS_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06B;
const TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06C;
const TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06D;
const TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 = 0xC06E;
const TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 = 0xC06F;
const TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 = 0xC070;
const TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 = 0xC071;
# RFC 6367
const TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC072;
const TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC073;
const TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC074;
const TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC075;
const TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC076;
const TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC077;
const TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xC078;
const TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 = 0xC079;
const TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07A;
const TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07B;
const TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07C;
const TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07D;
const TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC07E;
const TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC07F;
const TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 = 0xC080;
const TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 = 0xC081;
const TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 = 0xC082;
const TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 = 0xC083;
const TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256 = 0xC084;
const TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384 = 0xC085;
const TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC086;
const TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC087;
const TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC088;
const TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC089;
const TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08A;
const TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08B;
const TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08C;
const TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08D;
const TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC08E;
const TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC08F;
const TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC090;
const TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC091;
const TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 = 0xC092;
const TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 = 0xC093;
const TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC094;
const TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC095;
const TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC096;
const TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC097;
const TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC098;
const TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC099;
const TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 = 0xC09A;
const TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 = 0xC09B;
# RFC 6655
const TLS_RSA_WITH_AES_128_CCM = 0xC09C;
const TLS_RSA_WITH_AES_256_CCM = 0xC09D;
const TLS_DHE_RSA_WITH_AES_128_CCM = 0xC09E;
const TLS_DHE_RSA_WITH_AES_256_CCM = 0xC09F;
const TLS_RSA_WITH_AES_128_CCM_8 = 0xC0A0;
const TLS_RSA_WITH_AES_256_CCM_8 = 0xC0A1;
const TLS_DHE_RSA_WITH_AES_128_CCM_8 = 0xC0A2;
const TLS_DHE_RSA_WITH_AES_256_CCM_8 = 0xC0A3;
const TLS_PSK_WITH_AES_128_CCM = 0xC0A4;
const TLS_PSK_WITH_AES_256_CCM = 0xC0A5;
const TLS_DHE_PSK_WITH_AES_128_CCM = 0xC0A6;
const TLS_DHE_PSK_WITH_AES_256_CCM = 0xC0A7;
const TLS_PSK_WITH_AES_128_CCM_8 = 0xC0A8;
const TLS_PSK_WITH_AES_256_CCM_8 = 0xC0A9;
const TLS_PSK_DHE_WITH_AES_128_CCM_8 = 0xC0AA;
const TLS_PSK_DHE_WITH_AES_256_CCM_8 = 0xC0AB;
# draft-agl-tls-chacha20poly1305-02
const TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC13;
const TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC14;
const TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCC15;
const SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xFEFE;
const SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xFEFF;
const SSL_RSA_FIPS_WITH_DES_CBC_SHA_2 = 0xFFE1;
@ -314,8 +453,8 @@ export {
const TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF;
## This is a table of all known cipher specs. It can be used for
## detecting unknown ciphers and for converting the cipher spec constants
## into a human readable format.
## detecting unknown ciphers and for converting the cipher spec
## constants into a human readable format.
const cipher_desc: table[count] of string = {
[SSLv20_CK_RC4_128_EXPORT40_WITH_MD5] =
"SSLv20_CK_RC4_128_EXPORT40_WITH_MD5",
@ -410,6 +549,19 @@ export {
[TLS_DHE_RSA_WITH_AES_256_CBC_SHA256] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
[TLS_DH_ANON_WITH_AES_128_CBC_SHA256] = "TLS_DH_ANON_WITH_AES_128_CBC_SHA256",
[TLS_DH_ANON_WITH_AES_256_CBC_SHA256] = "TLS_DH_ANON_WITH_AES_256_CBC_SHA256",
[TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD] = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD",
[TLS_DHE_DSS_WITH_AES_128_CBC_RMD] = "TLS_DHE_DSS_WITH_AES_128_CBC_RMD",
[TLS_DHE_DSS_WITH_AES_256_CBC_RMD] = "TLS_DHE_DSS_WITH_AES_256_CBC_RMD",
[TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD] = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD",
[TLS_DHE_RSA_WITH_AES_128_CBC_RMD] = "TLS_DHE_RSA_WITH_AES_128_CBC_RMD",
[TLS_DHE_RSA_WITH_AES_256_CBC_RMD] = "TLS_DHE_RSA_WITH_AES_256_CBC_RMD",
[TLS_RSA_WITH_3DES_EDE_CBC_RMD] = "TLS_RSA_WITH_3DES_EDE_CBC_RMD",
[TLS_RSA_WITH_AES_128_CBC_RMD] = "TLS_RSA_WITH_AES_128_CBC_RMD",
[TLS_RSA_WITH_AES_256_CBC_RMD] = "TLS_RSA_WITH_AES_256_CBC_RMD",
[TLS_GOSTR341094_WITH_28147_CNT_IMIT] = "TLS_GOSTR341094_WITH_28147_CNT_IMIT",
[TLS_GOSTR341001_WITH_28147_CNT_IMIT] = "TLS_GOSTR341001_WITH_28147_CNT_IMIT",
[TLS_GOSTR341094_WITH_NULL_GOSTR3411] = "TLS_GOSTR341094_WITH_NULL_GOSTR3411",
[TLS_GOSTR341001_WITH_NULL_GOSTR3411] = "TLS_GOSTR341001_WITH_NULL_GOSTR3411",
[TLS_RSA_WITH_CAMELLIA_256_CBC_SHA] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
[TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",
[TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",
@ -535,10 +687,130 @@ export {
[TLS_ECDHE_PSK_WITH_NULL_SHA] = "TLS_ECDHE_PSK_WITH_NULL_SHA",
[TLS_ECDHE_PSK_WITH_NULL_SHA256] = "TLS_ECDHE_PSK_WITH_NULL_SHA256",
[TLS_ECDHE_PSK_WITH_NULL_SHA384] = "TLS_ECDHE_PSK_WITH_NULL_SHA384",
[TLS_RSA_WITH_ARIA_128_CBC_SHA256] = "TLS_RSA_WITH_ARIA_128_CBC_SHA256",
[TLS_RSA_WITH_ARIA_256_CBC_SHA384] = "TLS_RSA_WITH_ARIA_256_CBC_SHA384",
[TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256] = "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256",
[TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384] = "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384",
[TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256] = "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256",
[TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384] = "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384",
[TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256] = "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256",
[TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384] = "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384",
[TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256] = "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256",
[TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384] = "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384",
[TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256] = "TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256",
[TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384] = "TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384",
[TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256] = "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256",
[TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384] = "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384",
[TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256] = "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256",
[TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384] = "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384",
[TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256] = "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256",
[TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384] = "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384",
[TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256] = "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256",
[TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384] = "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384",
[TLS_RSA_WITH_ARIA_128_GCM_SHA256] = "TLS_RSA_WITH_ARIA_128_GCM_SHA256",
[TLS_RSA_WITH_ARIA_256_GCM_SHA384] = "TLS_RSA_WITH_ARIA_256_GCM_SHA384",
[TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256] = "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256",
[TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384] = "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384",
[TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256] = "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256",
[TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384] = "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384",
[TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256] = "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256",
[TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384] = "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384",
[TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256] = "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256",
[TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384] = "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384",
[TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256] = "TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256",
[TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384] = "TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384",
[TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256] = "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256",
[TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384] = "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384",
[TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256] = "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256",
[TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384] = "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384",
[TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256] = "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256",
[TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384] = "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",
[TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256] = "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256",
[TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384] = "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384",
[TLS_PSK_WITH_ARIA_128_CBC_SHA256] = "TLS_PSK_WITH_ARIA_128_CBC_SHA256",
[TLS_PSK_WITH_ARIA_256_CBC_SHA384] = "TLS_PSK_WITH_ARIA_256_CBC_SHA384",
[TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256] = "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256",
[TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384] = "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384",
[TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256] = "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256",
[TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384] = "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384",
[TLS_PSK_WITH_ARIA_128_GCM_SHA256] = "TLS_PSK_WITH_ARIA_128_GCM_SHA256",
[TLS_PSK_WITH_ARIA_256_GCM_SHA384] = "TLS_PSK_WITH_ARIA_256_GCM_SHA384",
[TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256] = "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256",
[TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384] = "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384",
[TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256] = "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256",
[TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384] = "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384",
[TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256] = "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256",
[TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384] = "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384",
[TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
[TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384] = "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
[TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
[TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384] = "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",
[TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
[TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384] = "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
[TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256",
[TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384] = "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384",
[TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256",
[TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384",
[TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
[TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
[TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
[TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
[TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256",
[TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384",
[TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256",
[TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384",
[TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256",
[TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384",
[TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
[TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
[TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",
[TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",
[TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",
[TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",
[TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256",
[TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384",
[TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256",
[TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384",
[TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256",
[TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384",
[TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256] = "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256",
[TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384] = "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384",
[TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256",
[TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384] = "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384",
[TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
[TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384] = "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
[TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256",
[TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384] = "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384",
[TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256] = "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",
[TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384] = "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",
[TLS_RSA_WITH_AES_128_CCM] = "TLS_RSA_WITH_AES_128_CCM",
[TLS_RSA_WITH_AES_256_CCM] = "TLS_RSA_WITH_AES_256_CCM",
[TLS_DHE_RSA_WITH_AES_128_CCM] = "TLS_DHE_RSA_WITH_AES_128_CCM",
[TLS_DHE_RSA_WITH_AES_256_CCM] = "TLS_DHE_RSA_WITH_AES_256_CCM",
[TLS_RSA_WITH_AES_128_CCM_8] = "TLS_RSA_WITH_AES_128_CCM_8",
[TLS_RSA_WITH_AES_256_CCM_8] = "TLS_RSA_WITH_AES_256_CCM_8",
[TLS_DHE_RSA_WITH_AES_128_CCM_8] = "TLS_DHE_RSA_WITH_AES_128_CCM_8",
[TLS_DHE_RSA_WITH_AES_256_CCM_8] = "TLS_DHE_RSA_WITH_AES_256_CCM_8",
[TLS_PSK_WITH_AES_128_CCM] = "TLS_PSK_WITH_AES_128_CCM",
[TLS_PSK_WITH_AES_256_CCM] = "TLS_PSK_WITH_AES_256_CCM",
[TLS_DHE_PSK_WITH_AES_128_CCM] = "TLS_DHE_PSK_WITH_AES_128_CCM",
[TLS_DHE_PSK_WITH_AES_256_CCM] = "TLS_DHE_PSK_WITH_AES_256_CCM",
[TLS_PSK_WITH_AES_128_CCM_8] = "TLS_PSK_WITH_AES_128_CCM_8",
[TLS_PSK_WITH_AES_256_CCM_8] = "TLS_PSK_WITH_AES_256_CCM_8",
[TLS_PSK_DHE_WITH_AES_128_CCM_8] = "TLS_PSK_DHE_WITH_AES_128_CCM_8",
[TLS_PSK_DHE_WITH_AES_256_CCM_8] = "TLS_PSK_DHE_WITH_AES_256_CCM_8",
[TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
[TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256] = "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
[SSL_RSA_FIPS_WITH_DES_CBC_SHA] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
[SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
[SSL_RSA_FIPS_WITH_DES_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA_2",
[SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA_2",
[SSL_RSA_WITH_RC2_CBC_MD5] = "SSL_RSA_WITH_RC2_CBC_MD5",
[SSL_RSA_WITH_IDEA_CBC_MD5] = "SSL_RSA_WITH_IDEA_CBC_MD5",
[SSL_RSA_WITH_DES_CBC_MD5] = "SSL_RSA_WITH_DES_CBC_MD5",
[SSL_RSA_WITH_3DES_EDE_CBC_MD5] = "SSL_RSA_WITH_3DES_EDE_CBC_MD5",
[TLS_EMPTY_RENEGOTIATION_INFO_SCSV] = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
} &default=function(i: count):string { return fmt("unknown-%d", i); };
## Mapping between the constants and string values for SSL/TLS errors.


@ -26,7 +26,8 @@ export {
session_id: string &log &optional;
## Subject of the X.509 certificate offered by the server.
subject: string &log &optional;
## Subject of the signer of the X.509 certificate offered by the server.
## Subject of the signer of the X.509 certificate offered by the
## server.
issuer_subject: string &log &optional;
## NotValidBefore field value from the server certificate.
not_valid_before: time &log &optional;
@ -37,7 +38,8 @@ export {
## Subject of the X.509 certificate offered by the client.
client_subject: string &log &optional;
## Subject of the signer of the X.509 certificate offered by the client.
## Subject of the signer of the X.509 certificate offered by the
## client.
client_issuer_subject: string &log &optional;
## Full binary server certificate stored in DER format.
@ -58,8 +60,8 @@ export {
analyzer_id: count &optional;
};
## The default root CA bundle. By loading the
## mozilla-ca-list.bro script it will be set to Mozilla's root CA list.
## The default root CA bundle. By default, the mozilla-ca-list.bro
## script sets this to Mozilla's root CA list.
const root_certs: table[string] of string = {} &redef;
## If true, detach the SSL analyzer from the connection to prevent
@ -67,8 +69,8 @@ export {
## (especially with large file transfers).
const disable_analyzer_after_detection = T &redef;
## Delays an SSL record for a specific token: the record will not be logged
## as longs the token exists or until 15 seconds elapses.
## Delays an SSL record for a specific token: the record will not be
## logged as long as the token exists or until 15 seconds elapses.
global delay_log: function(info: Info, token: string);
## Undelays an SSL record for a previously inserted token, allowing the
@ -151,7 +153,7 @@ function finish(c: connection)
disable_analyzer(c$id, c$ssl$analyzer_id);
}
event ssl_client_hello(c: connection, version: count, possible_ts: time, session_id: string, ciphers: count_set) &priority=5
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec) &priority=5
{
set_session(c);
@ -160,7 +162,7 @@ event ssl_client_hello(c: connection, version: count, possible_ts: time, session
c$ssl$session_id = bytestring_to_hexstr(session_id);
}
event ssl_server_hello(c: connection, version: count, possible_ts: time, session_id: string, cipher: count, comp_method: count) &priority=5
event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=5
{
set_session(c);
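Review bot: The new ssl_client_hello signature changes `ciphers` from `count_set` to `index_vec`, so any handler code that relied on set semantics (membership tests, implicit de-duplication) now receives an ordered vector that may contain repeated cipher values; the handler body continues outside the hunk, so I cannot see whether it iterates or indexes `ciphers`. The same change adds `client_random`, and the ssl_server_hello hunk just below adds `server_random`, but neither value is stored in `Info` nor documented anywhere in the visible diff. Since the commit message records a conflict in events.bif and says "Still broken", it is worth confirming that these script-side signatures match the event declarations there, because a parameter mismatch is only reported at script load time. A short comment above the handler, e.g. `## ciphers is an index_vec: ordered as sent by the client and possibly containing duplicates.`, would make the new contract explicit for readers.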



@ -0,0 +1 @@
Support for Syslog protocol analysis.