93 lines
4.1 KiB
Plaintext
93 lines
4.1 KiB
Plaintext
|
/**
|
||
|
* This file is part of Rubanetra.
|
||
|
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
|
||
|
*
|
||
|
* This program is free software: you can redistribute it and/or modify
|
||
|
* it under the terms of the GNU General Public License as published by
|
||
|
* the Free Software Foundation, either version 3 of the License, or
|
||
|
* (at your option) any later version.
|
||
|
*
|
||
|
* This program is distributed in the hope that it will be useful,
|
||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
|
* GNU General Public License for more details.
|
||
|
*
|
||
|
* You should have received a copy of the GNU General Public License
|
||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||
|
*/
|
||
|
import at.jku.fim.rubanetra.protocol.activity.*;
|
||
|
import at.jku.fim.rubanetra.protocol.activity.tls.*;
|
||
|
import at.jku.fim.rubanetra.protocol.activity.http.*;
|
||
|
import at.jku.fim.rubanetra.protocol.activity.ip.*;
|
||
|
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
|
||
|
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
|
||
|
import java.util.SortedSet;
|
||
|
import java.util.TreeSet;
|
||
|
import org.xbill.DNS.Record;
|
||
|
import java.net.InetSocketAddress
|
||
|
import java.util.List;
|
||
|
import java.util.Set
|
||
|
import java.util.HashSet;
|
||
|
|
||
|
// using the MVEL expression language, see http://mvel.codehaus.org/
|
||
|
dialect "mvel"
|
||
|
|
||
|
/**
|
||
|
* A logger that may be used for logging custom messages
|
||
|
*/
|
||
|
global org.slf4j.Logger log;
|
||
|
|
||
|
/**
|
||
|
* This experimental rule looks for sequences of three related TCP-activities, i.e.:
|
||
|
* First, it tries to find a "ClientHello" Packet (according to the TLS handshake) followed by a "ServerHello".
|
||
|
* Finally an additional "ChangeCipher" message is expected before classifying this sequence as a TLS/SSL stream, see
|
||
|
* RFC 5246 (https://tools.ietf.org/html/rfc5246).
|
||
|
* The remaining packets will be assembled by the "TLS traffic"-rules (see below)
|
||
|
*/
|
||
|
rule "TLS Handshake"
|
||
|
when
|
||
|
$clientHello : TcpActivity( $payload : payloadHexFormattedDump(), $payload!=null,
|
||
|
TlsActivityHelper.isClientHello(tcp))
|
||
|
$serverHello : TcpActivity( sourceSocketAddress==$clientHello.destinationSocketAddress,
|
||
|
destinationSocketAddress==$clientHello.sourceSocketAddress,
|
||
|
TlsActivityHelper.isServerHello(tcp),
|
||
|
this after[0s,10s] $clientHello)
|
||
|
$changeCipher : TcpActivity(sourceSocketAddress==$clientHello.destinationSocketAddress,
|
||
|
destinationSocketAddress==$clientHello.sourceSocketAddress,
|
||
|
TlsActivityHelper.isChangeCipherSpec(tcp),
|
||
|
this after[0s,10s] $serverHello)
|
||
|
|
||
|
exists TcpActivity( sourceSocketAddress==$clientHello.destinationSocketAddress,
|
||
|
destinationSocketAddress==$clientHello.sourceSocketAddress,
|
||
|
TlsActivityHelper.isChangeCipherSpec(tcp),
|
||
|
this after[0s,10s] $changeCipher)
|
||
|
not (exists TlsActivity(clientHello==$clientHello || serverHello==$serverHello || changeCipherSpec==$changeCipher))
|
||
|
then
|
||
|
TlsActivity tls = new TlsActivity($clientHello,$serverHello);
|
||
|
tls.setChangeCipherSpec($changeCipher);
|
||
|
insert(tls);
|
||
|
end
|
||
|
|
||
|
/**
|
||
|
* Collects TCP activities for a given TlsActivity (client to server only) based on source/destionation ip/port
|
||
|
*/
|
||
|
rule "TLS traffic (client -> server)"
|
||
|
when
|
||
|
$tls : TlsActivity($clientHello : clientHello)
|
||
|
$tcp : TcpActivity( sourceSocketAddress==$clientHello.sourceSocketAddress,
|
||
|
destinationSocketAddress==$clientHello.destinationSocketAddress)
|
||
|
then
|
||
|
$tls.addClientToServerTcpActivity($tcp);
|
||
|
end
|
||
|
|
||
|
/**
|
||
|
* Collects TCP activities for a given TlsActivity (server to client only) based on source/destionation ip/port
|
||
|
*/
|
||
|
rule "TLS traffic (server -> client)"
|
||
|
when
|
||
|
$tls : TlsActivity($serverHello : serverHello)
|
||
|
$tcp : TcpActivity( sourceSocketAddress==$serverHello.sourceSocketAddress,
|
||
|
destinationSocketAddress==$serverHello.destinationSocketAddress)
|
||
|
then
|
||
|
$tls.addServerToClientTcpActivity($tcp);
|
||
|
end
|