rubanetra/rubanetra-0.0.6-distribution/conf/DefaultKnowledgeBase/at.jku.fim.rubanetra.drools.rules/04.Derived.Https.drl

/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import org.xbill.DNS.*;
import org.apache.http.HttpHeaders;
import org.jnetpcap.protocol.tcpip.Tcp;
import org.jnetpcap.packet.PcapPacket;
import org.apache.commons.codec.binary.Hex;
import java.net.InetSocketAddress;
import java.util.HashSet;
import java.util.Date
import java.util.SortedSet;
import java.util.TreeSet;
import org.xbill.DNS.Record;
import java.net.InetSocketAddress
import java.util.List;
import java.util.Set;
// Rule conditions and consequences in this file are written in the MVEL expression language,
// see http://mvel.codehaus.org/ (the codehaus host is no longer maintained; check the MVEL
// project's current home if the link is dead).
// Security note: a rule consequence (the "then" part) is executable code that runs inside the
// JVM with the engine's privileges. Treat .drl files as code, not configuration, and load a
// knowledge base like this one only from a trusted, integrity-checked location.
dialect "mvel"
/**
 * A logger that may be used for logging custom messages from rule consequences.
 * Globals are not created by the rules themselves; the host application is expected to
 * bind this one on the session before rules fire (confirm in the loader).
 */
global org.slf4j.Logger log;
// Forward declaration of the base activity type so that a custom event class can extend it
// in-place in this file (see HttpsActivity below). No fields are added here; the real class is
// presumably the one provided by at.jku.fim.rubanetra.protocol.activity -- confirm there.
declare DroolsBaseActivity
end
/**
 * In-place declaration of a custom event class (annotated as a Drools event via @role).
 * An HttpsActivity currently consists of the client and server socket addresses plus the
 * TlsActivity it was derived from. Because it replaces that TlsActivity (see rule "HTTPS"),
 * it carries all frame numbers relevant for further analysis of the TLS session.
 * The event timestamp is taken from getStartTimestamp(), which is not declared in this file;
 * presumably it is inherited from DroolsBaseActivity -- confirm there.
 */
declare HttpsActivity extends DroolsBaseActivity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
// source socket address of the ClientHello
client : InetSocketAddress
// destination socket address of the ClientHello (destination port 443 for the "HTTPS" rule)
server : InetSocketAddress
// the underlying TLS activity this event supersedes
tlsActivity : TlsActivity
end
/**
 * Derives an HttpsActivity from every TlsActivity whose ClientHello was sent to destination
 * port 443 and that has not already been replaced by a derived activity.
 *
 * NOTE(review): this is a port-based heuristic only. The condition inspects nothing but the
 * destination port, so TLS to port 443 carrying something other than HTTP is still labelled
 * HTTPS, and HTTPS served on a non-standard port is never matched. Neither SNI nor ALPN nor
 * the encrypted payload is examined here; read the resulting HttpsActivity as
 * "TLS to port 443" rather than as proof of HTTP inside the tunnel.
 *
 * The `not` guard keeps the rule from firing twice for the same TLS session: once an
 * HttpsActivity already wraps this TlsActivity, no further HttpsActivity is created.
 */
rule "HTTPS"
when
    $tls : TlsActivity( clientHello.destinationPort == 443, !replaced )
    not HttpsActivity( tlsActivity == $tls )
then
    // Build the derived event; both endpoints are copied from the ClientHello of the session.
    HttpsActivity https = new HttpsActivity();
    https.setClient( $tls.getClientHello().getSourceSocketAddress() );
    https.setServer( $tls.getClientHello().getDestinationSocketAddress() );
    https.setTlsActivity( $tls );
    // Supersede the TLS activity with this one (presumably this is what sets the `replaced`
    // flag checked above -- confirm in DroolsBaseActivity), then publish the new event.
    https.replaceActivity( $tls );
    insert( https );
end