mirror of
https://github.com/zeek/zeek.git
synced 2025-10-14 20:48:21 +00:00
597a4d6704
- policy/ renamed to scripts/ - By default BROPATH now contains: - scripts/ - scripts/policy - scripts/site - *Nearly* all tests pass. - All of scripts/base/ is loaded by main.cc - Can be disabled by setting $BRO_NO_BASE_SCRIPTS - Scripts in scripts/base/ don't use relative path loading to ease use of BRO_NO_BASE_SCRIPTS (to copy and paste that script). - The scripts in scripts/base/protocols/ only (or soon will only) do logging and state building. - The scripts in scripts/base/frameworks/ add functionality without causing any additional overhead. - All "detection" activity happens through scripts in scripts/policy/. - Communications framework modified temporarily to need an environment variable to actually enable (ENABLE_COMMUNICATION=1) - This is so the communications framework can be loaded as part of the base without causing trouble when it's not needed. - This will be removed once a resolution to ticket #540 is reached.
79 lines
2.7 KiB
Text
79 lines
2.7 KiB
Text
##! This script feeds software detected through email into the software
|
|
##! framework. Mail clients and webmail interfaces are the only thing
|
|
##! currently detected.
|
|
##!
|
|
##! TODO:
|
|
##! * Find some heuristic to determine if email was sent through
|
|
##! a MS Exhange webmail interface as opposed to a desktop client.
|
|
|
|
module SMTP;
|
|
|
|
export {
|
|
redef enum Software::Type += {
|
|
MAIL_CLIENT,
|
|
MAIL_SERVER,
|
|
WEBMAIL_SERVER
|
|
};
|
|
|
|
redef record Info += {
|
|
## Boolean indicator of if the message was sent through a webmail
|
|
## interface.
|
|
is_webmail: bool &log &default=F;
|
|
};
|
|
|
|
## Assuming that local mail servers are more trustworthy with the headers
|
|
## they insert into messages envelopes, this default makes Bro not attempt
|
|
## to detect software in inbound message bodies. If mail coming in from
|
|
## external addresses gives incorrect data in the Received headers, it
|
|
## could populate your SOFTWARE logging stream with incorrect data.
|
|
## If you would like to detect mail clients for incoming messages
|
|
## (network traffic originating from a non-local address), set this
|
|
## variable to EXTERNAL_HOSTS or ALL_HOSTS.
|
|
const detect_clients_in_messages_from = LOCAL_HOSTS &redef;
|
|
|
|
## A regular expression to match USER-AGENT-like headers to find if a
|
|
## message was sent with a webmail interface.
|
|
const webmail_user_agents =
|
|
/^iPlanet Messenger/
|
|
| /^Sun Java\(tm\) System Messenger Express/
|
|
| /\(IMP\)/ # Horde Internet Messaging Program
|
|
| /^SquirrelMail/
|
|
| /^NeoMail/
|
|
| /ZimbraWebClient/ &redef;
|
|
}
|
|
|
|
event smtp_data(c: connection, is_orig: bool, data: string) &priority=4
|
|
{
|
|
if ( c$smtp$current_header == "USER-AGENT" &&
|
|
webmail_user_agents in c$smtp$user_agent )
|
|
c$smtp$is_webmail = T;
|
|
}
|
|
|
|
event log_smtp(rec: Info)
|
|
{
|
|
# If the MUA provided a user-agent string, kick over to the software framework.
|
|
# This is done here so that the "Received: from" path has a chance to be
|
|
# built since that's where the IP address is pulled from.
|
|
if ( rec?$user_agent )
|
|
{
|
|
local s_type = MAIL_CLIENT;
|
|
local client_ip = rec$path[|rec$path|-1];
|
|
if ( rec$is_webmail )
|
|
{
|
|
s_type = WEBMAIL_SERVER;
|
|
# If the earliest received header indicates that the connection
|
|
# was via HTTP, then that likely means the actual mail software
|
|
# is installed on the second address in the path.
|
|
if ( rec?$first_received && /via HTTP/ in rec$first_received )
|
|
client_ip = rec$path[|rec$path|-2];
|
|
}
|
|
|
|
if ( addr_matches_host(rec$id$orig_h,
|
|
detect_clients_in_messages_from) )
|
|
{
|
|
local s = Software::parse(rec$user_agent, client_ip, s_type);
|
|
Software::found(rec$id, s);
|
|
}
|
|
}
|
|
}
|
|
|