rubanetra/rubanetra-0.0.6-distribution/conf/DefaultKnowledgeBase/at.jku.fim.rubanetra.drools.rules/06.Application.OpenSSH.drl

/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
import java.util.HashSet;
// using the MVEL expression language, see http://mvel.codehaus.org/
// (package-level dialect: applies to every rule in this file that does not override it)
dialect "mvel"
/**
* A logger that may be used for logging custom messages.
* Globals are supplied by the host application when the session is created;
* no rule in this file currently references it.
*/
global org.slf4j.Logger log;
/**
* Forward declaration of the (imported) base activity type, so that OpenSSHActivity below
* can extend it; no fields are added here.
*/
declare DroolsBaseActivity
end
/**
* Represents OpenSSH traffic between a client and a server: the two version banners that were
* matched as the handshake, plus the frame numbers of all other segments of the same socket
* pair, kept separately per direction.
*/
declare OpenSSHActivity extends DroolsBaseActivity
    // an event, so the fact can take part in temporal reasoning (after/before) in other rules
    @role( event )
    // event time is taken from getStartTimestamp() -- presumably inherited from DroolsBaseActivity, confirm
    @timestamp( getStartTimestamp() )
    // the first 'SSH-' banner seen; taken to be the client side (see rule "OpenSSH Handshake")
    handshakeQuery : TcpActivity
    // the banner sent in the opposite direction that answered it
    handshakeReply : TcpActivity
    // compound frame numbers of segments flowing query-source -> query-destination (raw HashSet)
    clientToServerTraffic : HashSet
    // compound frame numbers of segments flowing reply-source -> reply-destination (raw HashSet)
    serverToClientTraffic : HashSet
end
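/**
* Tries to identify an OpenSSH handshake by relying on the presence of the 'SSH-' version banner
* at the start of the payload of both directions; both banners must also advertise "OpenSSH".
*
* The banner exchange is the only cleartext part of an SSH session, so this is a heuristic
* classification: the client/server roles are assigned purely by arrival order (the earlier banner
* becomes the "query"), and the content of the banner is not otherwise validated.
* NOTE(review): RFC 4253 allows either side to send its identification string first, so on captures
* where the server banner arrives first the query/reply roles may be swapped -- confirm against the
* consumers of handshakeQuery/handshakeReply.
*
* The reply (and the "no earlier reply" check) is constrained to the reverse socket pair, i.e. the
* addresses as well as the ports of the query; matching on ports alone would let a banner from an
* unrelated host that happens to use the same port pair within 10 seconds be paired with this query.
*/
rule "OpenSSH Handshake"
when
    // first banner: starts with the SSH version prefix and advertises OpenSSH;
    // '!.' is the null-safe dereference, a segment without a payload string simply does not match
    $handshakeQuery : TcpActivity( payloadString!.startsWith("SSH-"),
                                   payloadString!.contains("OpenSSH"))
    // the reply: a different packet flowing in the opposite direction of the SAME socket pair
    // (addresses and ports), observed at most 10 seconds after the query
    $handshakeReply : TcpActivity( pcapActivity != $handshakeQuery.getPcapActivity(),
                                   payloadString!.startsWith("SSH-"),
                                   payloadString!.contains("OpenSSH"),
                                   sourceSocketAddress==$handshakeQuery.destinationSocketAddress,
                                   destinationSocketAddress==$handshakeQuery.sourceSocketAddress,
                                   sourcePort==$handshakeQuery.destinationPort,
                                   destinationPort==$handshakeQuery.sourcePort,
                                   this after[0s,10s] $handshakeQuery)
    // there should not exist another SSH banner on the reverse socket pair between the query and
    // the matched reply, i.e. the matched reply is the first one
    not( TcpActivity( pcapActivity != $handshakeQuery.getPcapActivity(),
                      payloadString!.startsWith("SSH-"),
                      sourceSocketAddress==$handshakeQuery.destinationSocketAddress,
                      destinationSocketAddress==$handshakeQuery.sourceSocketAddress,
                      sourcePort==$handshakeQuery.destinationPort, destinationPort==$handshakeQuery.sourcePort,
                      this before $handshakeReply, this after $handshakeQuery) )
then
    // build the compound activity from the two banners; the per-direction sets start empty and are
    // filled by the "OpenSSH traffic" rules
    OpenSSHActivity sshAct = new OpenSSHActivity();
    sshAct.setHandshakeQuery($handshakeQuery);
    sshAct.setHandshakeReply($handshakeReply);
    sshAct.setClientToServerTraffic(new HashSet());
    sshAct.setServerToClientTraffic(new HashSet());
    // presumably folds each banner segment into the compound activity (frame numbers, timestamps)
    // and takes it out of the working memory -- see replaceActivity in DroolsBaseActivity
    sshAct.replaceActivity($handshakeQuery);
    sshAct.replaceActivity($handshakeReply);
    insert(sshAct);
end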
/**
* Collects client to server traffic (TCP activities): every segment sent from the socket that
* issued the handshake query to the socket it was sent to, provided the session does not already
* contain that frame, is folded into the session and its frame numbers are recorded.
* NOTE(review): there is no temporal bound relative to the handshake, and the session fact is
* mutated without update()/modify() -- confirm that replaceActivity() refreshes it in the working
* memory, otherwise other rules joined on OpenSSHActivity will not observe the new frames.
*/
rule "OpenSSH traffic (client -> server)"
when
    $session : OpenSSHActivity()
    // same direction as the query banner (client socket -> server socket), excluding frames that
    // are already part of this session so a segment is not absorbed twice
    $segment : TcpActivity( sourceSocketAddress==$session.handshakeQuery.sourceSocketAddress,
                            destinationSocketAddress==$session.handshakeQuery.destinationSocketAddress,
                            pcapActivity.frameNumber not memberOf $session.compoundFrameNumbers)
then
    // remember the segment's frame numbers in the client->server set, then fold it into the session
    $session.clientToServerTraffic.addAll($segment.getCompoundFrameNumbers());
    $session.replaceActivity($segment);
end
/**
* Collects server to client traffic (TCP activities): every segment sent from the socket that
* issued the handshake reply to the socket it was sent to, provided the session does not already
* contain that frame, is folded into the session and its frame numbers are recorded.
* NOTE(review): there is no temporal bound relative to the handshake, and the session fact is
* mutated without update()/modify() -- confirm that replaceActivity() refreshes it in the working
* memory, otherwise other rules joined on OpenSSHActivity will not observe the new frames.
*/
rule "OpenSSH traffic (server -> client)"
when
    $session : OpenSSHActivity()
    // same direction as the reply banner (server socket -> client socket), excluding frames that
    // are already part of this session so a segment is not absorbed twice
    $segment : TcpActivity( sourceSocketAddress==$session.handshakeReply.sourceSocketAddress,
                            destinationSocketAddress==$session.handshakeReply.destinationSocketAddress,
                            pcapActivity.frameNumber not memberOf $session.compoundFrameNumbers)
then
    // remember the segment's frame numbers in the server->client set, then fold it into the session
    $session.serverToClientTraffic.addAll($segment.getCompoundFrameNumbers());
    $session.replaceActivity($segment);
end