Do not set the service field in the bro script but
use the protocol confirmation paradigm.
Protocol is considered confirmed if both a
succesful client and server banner have been
parsed.
This analyzer parses the Remote Frame Buffer
protocol, usually referred to as the 'VNC protocol'.
It supports several dialects (3.3, 3.7, 3.8) and
also handles the Apple Remote Desktop variant.
It will log such facts as client/server versions,
authentication method used, authentication result,
height, width and name of the shared screen.
It also includes two testcases.
Todo: Apple Remote Desktop seems to have some
bytes prepended to the screen name. This is
not interepreted correctly.
- Previously there was an (incorrect) assumption that a TCP conneciton
would only ever have one DCE_RPC binding. That assumption was
incorrect and with named pipes over SMB there can be multiple
concurrent DCE_RPC bindings. This commit fixes that assumption by
dynamically creating a new DCE_RPC analyzer whenever a new, unknown
binding is created.
- There is a crash fix in how string handling in the bind_ack message
was done.
- Named pipe handling over SMB1 is still not working quite right
and problems will show up with multiplexed DCE_RPC bindings.
- Looser coupling between these analyzers.
- New ntlm.log (still pretty early)
- Improved string handling for NTLM (convert UTF16 to UTF8)
- SMB2 analyzer now supports GSSAPI.
- Improved abstraction of DCE_RPC operations (still not finished)
- Lots of whitespace cleanup.
- Binding context versions are provided correctly now.
- RPC stubs are no longer provided and instead only the length is given.
- Some parsing problems related to handling the optional
auth fields in RPC messages are fixed. This removes some
dpd log messages I was seeing.
There were some cases where the log would be missing a field
or data wouldn't get sent to file analysis. At least some of
this is fixed now and I get confused a bit less when I look
at the logs now.
Also, I made the default handling "FILE" so that things like
FILE_UNKNOWN wouldn't show up in the logs so regularly. It's
technically correct that way, but it doesn't look good and it's
correct as FILE often enough that it make sense to make it the
default I think.
- It works with DCE/RPC over SMB1+2 now.
- Using named pipes in 1+2 and the transaction cmd in SMB1.
- Base scripts based on work by Josh Liburdi.
- New dce_rpc.log. Feedback on how to make this log more compact
and useful would be appreciated.
Separate the former BrokerComm and BrokerStore portions of the script
because these files will be much larger when script wrappers for BIFs are
written.
The intel-framework now supports the new indicator type Intel::SUBNET.
As subnets are matched against seen addresses, the field matched was
introduced to indicate which indicator types caused the hit. A testcase
for subents was added and the old ones have been updated accordingly.
To simplify meta data handling inside the intel framework and avoid
duplicate insertion of meta data on update, meta data is stored in a
table indexed by meta data source.
BIT-1550 #merged
* origin/topic/johanna/netcontrol: (72 commits)
Update baselines and news
Move prefixtable back to all IPv6 internal handling.
NetControl: Add functions to search for rules affecting IPs/subnets
Add check_subnet bif that allows exact membership test for subnet tables.
Rewrite internal handling of rules.
Add bif that allows searching for all matching subnets in table.
Add signaling of succesful initialization of plugins to NetControl.
Add rule hooks to the acld plugin.
Add new logfiles for shunting and drops to netcontrol
Extend NetControl logging and fix bugs.
Update OpenFlow API and events.
small acld plugin fix
Revert "introduce &weaken attribute"
Fix crash when printing type of recursive structures.
Testcase for crash when a record contains a function referencing a record.
Rename Pacf to NetControl
fix acld plugin to use address instead of subnet (and add functions for conversion)
implement quarantine
miscelaneous missing bits and pieces
Acld implementation for Pacf - Bro side.
...
The server-reported file size was being collected poorly and if
a file name had a number in it, that was reported as the file
size instead of the actual size.
A new test is included to avoid reintroducing the problem.
Adds the functions
NetControl::find_rules_addr and NetControl::fund_rules_subnet
which return a vector containing all rules affecting a certain IP or
subnet.
This has no user-facing changes. It makes the internal handling of rules
much easier (no crazy duplicate rules in case our rules are added to
several backends).
It also fixes several open ends and small bugs in the process.
- Actually get the path into the smb_files.log now.
- When a share root is having the "create" message used on it,
instead of giving a null file name, now give a special
indicator of "<share_root>".
- Update test baselines.
This does not really have many user-facing changes. The one big change
is that users now should initialize plugins in the
NetControl::init()
event instead of bro_init.
Once all plugins finished initializing and the NetControl framework
starts operations, the NetControl::init_done() event is raised.
Rules that are sent to NetControl before the plugins have finished
initializing are ignored - this is important when several plugins that
require external connections have to be initialized at the beginning.
Without this delay, rules could end up at the wrong plugin.
The hook name is NetControl::acld_rule_policy and allows the
modification of acld rules before they are sent out to the network.
This allows, e.g. network policies to use nullzero instead of drop in
certain circumstances.
* 'patch-4' of https://github.com/aeppert/bro:
(BIT-1545) Add "disable_analyzer_after_detection" en lieu of "skip_processing_after_detection"
I also removed the old disable_analyzer_after_detection option
completely - if someone wants that, they can just catch the event
themselves and call skip_further_processing.
I also adjusted the ssh test case to contain conn.log to prevent
re-addition of this problem in the future.
BIT-1545 #merged
