mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 22:58:20 +00:00
Better software version parsing.
* $addl field now parsed out in many cases. * A few new tests for web browser versions. * Browers user-agents need preprocessed though. * All tests pass.
This commit is contained in:
parent
c212f28130
commit
febfd4cf04
2 changed files with 40 additions and 14 deletions
|
@ -28,9 +28,6 @@ export {
|
||||||
type Type: enum {
|
type Type: enum {
|
||||||
UNKNOWN,
|
UNKNOWN,
|
||||||
OPERATING_SYSTEM,
|
OPERATING_SYSTEM,
|
||||||
WEB_SERVER,
|
|
||||||
WEB_BROWSER,
|
|
||||||
WEB_BROWSER_PLUGIN,
|
|
||||||
WEB_APPLICATION,
|
WEB_APPLICATION,
|
||||||
MAIL_SERVER,
|
MAIL_SERVER,
|
||||||
MAIL_CLIENT,
|
MAIL_CLIENT,
|
||||||
|
@ -104,6 +101,8 @@ event bro_init()
|
||||||
Log::add_default_filter("SOFTWARE");
|
Log::add_default_filter("SOFTWARE");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Don't even try to understand this now, just make sure the tests are
|
||||||
|
# working.
|
||||||
function default_parse(unparsed_version: string,
|
function default_parse(unparsed_version: string,
|
||||||
host: addr,
|
host: addr,
|
||||||
software_type: Type): Info
|
software_type: Type): Info
|
||||||
|
@ -113,16 +112,32 @@ function default_parse(unparsed_version: string,
|
||||||
|
|
||||||
# The regular expression should match the complete version number
|
# The regular expression should match the complete version number
|
||||||
# and software name.
|
# and software name.
|
||||||
local version_parts = split_all(unparsed_version, /[0-9\/\-\._ ]{2,}/);
|
local version_parts = split_n(unparsed_version, /[0-9\/\-\._ ]{2,}/, T, 1);
|
||||||
if ( |version_parts| >= 2 )
|
if ( |version_parts| >= 2 )
|
||||||
{
|
{
|
||||||
software_name = version_parts[1];
|
software_name = version_parts[1];
|
||||||
# Remove the name/version separator because it's left at the begging
|
# Remove the name/version separator because it's left at the begining
|
||||||
# of the version number from the previous split_all.
|
# of the version number from the previous split_all.
|
||||||
local sv = sub(version_parts[2], /^./, "");
|
local sv = version_parts[2];
|
||||||
local version_numbers = split_n(sv, /[\-\._, \[\(]/, F, 4);
|
if ( /^[\/\-\._ ]/ in sv )
|
||||||
if ( |version_numbers| > 3 )
|
sv = sub(version_parts[2], /^[\/\-\._ ]/, "");
|
||||||
v$addl = version_numbers[4];
|
local version_numbers = split_n(sv, /[\-\._,\[\(\{ ]/, F, 4);
|
||||||
|
local addl = "";
|
||||||
|
if ( 4 in version_numbers && version_numbers[4] != "" )
|
||||||
|
addl = version_numbers[4];
|
||||||
|
else if ( 3 in version_parts && version_parts[3] != "" )
|
||||||
|
{
|
||||||
|
# TODO: there's a bug with do_split!
|
||||||
|
local vp = split_n(version_parts[3], /[\-\._,\[\]\(\)\{\} ]/, F, 2);
|
||||||
|
if ( |vp| >= 1 && vp[1] != "" )
|
||||||
|
addl = vp[1];
|
||||||
|
else if ( |vp| >= 2 )
|
||||||
|
addl = vp[2];
|
||||||
|
else
|
||||||
|
addl = version_parts[3];
|
||||||
|
}
|
||||||
|
v$addl = addl;
|
||||||
|
|
||||||
if ( |version_numbers| >= 3 )
|
if ( |version_numbers| >= 3 )
|
||||||
v$minor2 = to_count(version_numbers[3]);
|
v$minor2 = to_count(version_numbers[3]);
|
||||||
if ( |version_numbers| >= 2 )
|
if ( |version_numbers| >= 2 )
|
||||||
|
|
|
@ -10,15 +10,26 @@ global matched_software: table[string] of Software::Info = {
|
||||||
["OpenSSH_5.2"] =
|
["OpenSSH_5.2"] =
|
||||||
[$name="OpenSSH", $version=[$major=5,$minor=2,$minor2=0], $ts=ts],
|
[$name="OpenSSH", $version=[$major=5,$minor=2,$minor2=0], $ts=ts],
|
||||||
["Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2"] =
|
["Apache/2.0.63 (Unix) mod_auth_kerb/5.3 mod_ssl/2.0.63 OpenSSL/0.9.7a mod_fastcgi/2.4.2"] =
|
||||||
[$name="Apache", $version=[$major=2,$minor=0,$minor2=63], $ts=ts],
|
[$name="Apache", $version=[$major=2,$minor=0,$minor2=63,$addl="Unix"], $ts=ts],
|
||||||
["Apache/1.3.19 (Unix)"] =
|
["Apache/1.3.19 (Unix)"] =
|
||||||
[$name="Apache", $version=[$major=1,$minor=3,$minor2=19], $ts=ts],
|
[$name="Apache", $version=[$major=1,$minor=3,$minor2=19,$addl="Unix"], $ts=ts],
|
||||||
|
# $addl is not quite right here, but it's close enough.
|
||||||
["ProFTPD 1.2.5rc1 Server (Debian)"] =
|
["ProFTPD 1.2.5rc1 Server (Debian)"] =
|
||||||
[$name="ProFTPD", $version=[$major=1,$minor=2,$minor2=5], $ts=ts],
|
[$name="ProFTPD", $version=[$major=1,$minor=2,$minor2=5,$addl="rc"], $ts=ts],
|
||||||
["wu-2.4.2-academ[BETA-18-VR14](1)"] =
|
["wu-2.4.2-academ[BETA-18-VR14](1)"] =
|
||||||
[$name="wu", $version=[$major=2,$minor=4,$minor2=2], $ts=ts],
|
[$name="wu", $version=[$major=2,$minor=4,$minor2=2,$addl="academ"], $ts=ts],
|
||||||
["wu-2.6.2(1)"] =
|
["wu-2.6.2(1)"] =
|
||||||
[$name="wu", $version=[$major=2,$minor=6,$minor2=2], $ts=ts],
|
[$name="wu", $version=[$major=2,$minor=6,$minor2=2,$addl="1"], $ts=ts],
|
||||||
|
["Java1.2.2-JDeveloper"] =
|
||||||
|
[$name="Java", $version=[$major=1,$minor=2,$minor2=2,$addl="JDeveloper"], $ts=ts],
|
||||||
|
["Java/1.6.0_13"] =
|
||||||
|
[$name="Java", $version=[$major=1,$minor=6,$minor2=0,$addl="13"], $ts=ts],
|
||||||
|
# Web Browers are going to have to be pre processed before sending here.
|
||||||
|
# They can't be handled generically by the software framework.
|
||||||
|
["Firefox/3.6.7"] =
|
||||||
|
[$name="Firefox", $version=[$major=3,$minor=6,$minor2=7], $ts=ts],
|
||||||
|
["Firefox/4.0b9pre"] =
|
||||||
|
[$name="Firefox", $version=[$major=4,$minor=0,$minor2=0,$addl="b9pre"], $ts=ts],
|
||||||
};
|
};
|
||||||
|
|
||||||
event bro_init()
|
event bro_init()
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue