78 lines
2.8 KiB
Plaintext
78 lines
2.8 KiB
Plaintext
|
/**
|
||
|
* This file is part of Rubanetra.
|
||
|
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
|
||
|
*
|
||
|
* This program is free software: you can redistribute it and/or modify
|
||
|
* it under the terms of the GNU General Public License as published by
|
||
|
* the Free Software Foundation, either version 3 of the License, or
|
||
|
* (at your option) any later version.
|
||
|
*
|
||
|
* This program is distributed in the hope that it will be useful,
|
||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
|
* GNU General Public License for more details.
|
||
|
*
|
||
|
* You should have received a copy of the GNU General Public License
|
||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||
|
*/
|
||
|
import at.jku.fim.rubanetra.protocol.activity.*;
|
||
|
import at.jku.fim.rubanetra.protocol.activity.tls.*;
|
||
|
import at.jku.fim.rubanetra.protocol.activity.http.*;
|
||
|
import at.jku.fim.rubanetra.protocol.activity.ip.*;
|
||
|
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
|
||
|
import at.jku.fim.rubanetra.protocol.activity.dns.*;
|
||
|
import org.xbill.DNS.*;
|
||
|
import org.apache.http.HttpHeaders;
|
||
|
import org.jnetpcap.protocol.tcpip.Tcp;
|
||
|
import org.jnetpcap.packet.PcapPacket;
|
||
|
import org.apache.commons.codec.binary.Hex;
|
||
|
import java.net.InetSocketAddress;
|
||
|
import java.util.HashSet;
|
||
|
import java.util.Date
|
||
|
import java.util.SortedSet;
|
||
|
import java.util.TreeSet;
|
||
|
import org.xbill.DNS.Record;
|
||
|
import java.net.InetSocketAddress
|
||
|
import java.util.List;
|
||
|
import java.util.Set;
|
||
|
|
||
|
// using the MVEL expression language, see http://mvel.codehaus.org/
|
||
|
dialect "mvel"
|
||
|
|
||
|
/**
|
||
|
* A logger that may be used for logging custom messages
|
||
|
*/
|
||
|
global org.slf4j.Logger log;
|
||
|
|
||
|
// this forward declaration is required to demonstrate the in-place definition of a custom event class,
|
||
|
// see HttpsActivity below
|
||
|
declare DroolsBaseActivity
|
||
|
end
|
||
|
|
||
|
/**
|
||
|
* This declaration demonstrates an in-place declaration of a custom event class.
|
||
|
* A HttpsActivity currently consists of a client/server socket address and TLS-Activity, however,
|
||
|
* it includes all relevant frame numbers for further analysis because it replaces the TLS-activity.
|
||
|
*/
|
||
|
declare HttpsActivity extends DroolsBaseActivity
|
||
|
@role( event )
|
||
|
@author( Stefan Swerk )
|
||
|
@timestamp( getStartTimestamp() )
|
||
|
|
||
|
client : InetSocketAddress
|
||
|
server : InetSocketAddress
|
||
|
tlsActivity : TlsActivity
|
||
|
end
|
||
|
|
||
|
rule "HTTPS" when
|
||
|
$tls : TlsActivity( clientHello.destinationPort == 443, !replaced)
|
||
|
not (exists HttpsActivity($tls == tlsActivity))
|
||
|
then
|
||
|
HttpsActivity httpsActivity = new HttpsActivity();
|
||
|
httpsActivity.setClient($tls.getClientHello().getSourceSocketAddress());
|
||
|
httpsActivity.setServer($tls.getClientHello().getDestinationSocketAddress());
|
||
|
httpsActivity.setTlsActivity($tls);
|
||
|
httpsActivity.replaceActivity($tls);
|
||
|
insert(httpsActivity);
|
||
|
end
|