/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import java.util.SortedSet;
import java.util.TreeSet;
import org.xbill.DNS.Record;
import java.net.InetSocketAddress;
import java.util.List;
import java.util.Set;
import java.util.HashSet;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages from rule consequences.
* It is supplied by the application that creates the session; the rule below does not reference it.
*/
global org.slf4j.Logger log;
// forward declaration
declare DroolsBaseActivity
    // No fields here: this is only a forward declaration so that DropboxTlsActivity below can extend it.
end
/**
* A DropboxTlsActivity contains a DNS query/reply, the client/server address/port and the associated TlsActivity
*/
declare DropboxTlsActivity extends DroolsBaseActivity
    @role( event )                        // handled as an event, so temporal operators (after[...]) apply to it
    @author( Stefan Swerk )
    @timestamp( getStartTimestamp() )     // event time comes from getStartTimestamp() — presumably inherited from DroolsBaseActivity, confirm
    dnsQuestion : DnsActivity             // the DNS query for *.dropbox.com
    dnsAnswer : DnsActivity               // the reply correlated with dnsQuestion
    clientAddress : InetSocketAddress     // source socket address of the TLS ClientHello
    serverAddress : InetSocketAddress     // source socket address of the TLS ServerHello
    associatedTlsActivity : TlsActivity   // the TLS session whose server is one of the resolved addresses
end
/**
* Because Dropbox traffic is generally encrypted, the rule first looks for a DnsActivity containing a query for
* "*.dropbox.com" and gathers the relevant IP addresses, against which possible TlsActivity objects are then probed.
*/
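rule "Dropbox TLS traffic based on previous DnsActivity"
when
    // 1. A DNS query (not a response) whose question name ends in ".dropbox.com.".
    //    Every literal dot of the domain is escaped; the earlier pattern left the dot in
    //    "dropbox.com" unescaped, so any single character (e.g. "dropboxXcom.") matched.
    $dnsQuery : DnsActivity(!isResponse(), !questionRecords.isEmpty(),
        $queryId : dnsMessageHeader.ID, $question : dnsMessage.question.name,
        $question.toString() matches ".*\\.dropbox\\.com\\.$")
    // 2. The reply to that query, at most 10s later. It must echo both the transaction ID
    //    and the question name: the 16-bit ID alone can collide with (or be forged for) an
    //    unrelated reply inside the window, which would pair the query with the wrong addresses.
    $dnsReply : DnsActivity(isResponse(), !answerRecords.isEmpty(),
        dnsMessageHeader.ID == $queryId,
        dnsMessage!.question!.name == $question,
        this after[0s,10s] $dnsQuery)
    // 3. A TLS session starting at most 10s after the reply ...
    $tls : TlsActivity(this after[0s,10s] $dnsReply)
    // ... whose ServerHello source address is one of the A/AAAA addresses returned in the reply.
    //    The null-safe "!." guards records without an address; the ServerHello itself is assumed
    //    present on every TlsActivity — confirm against TlsActivity.
    exists ( ARecord( $address : getAddress(),
                 $address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
                 from $dnsReply.getAnswerRecords()
             or AAAARecord( $address : getAddress(),
                 $address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
                 from $dnsReply.getAnswerRecords()
    )
    // Fire at most once per TLS session, even if several query/reply pairs resolve to its server.
    not ( exists DropboxTlsActivity($tls == associatedTlsActivity))
then
    // Build the composite activity from the TLS endpoints and the correlated DNS exchange.
    DropboxTlsActivity act = new DropboxTlsActivity();
    act.setClientAddress($tls.getClientHello().getSourceSocketAddress());
    act.setServerAddress($tls.getServerHello().getSourceSocketAddress());
    act.setDnsQuestion($dnsQuery);
    act.setDnsAnswer($dnsReply);
    act.setAssociatedTlsActivity($tls);
    // replaceActivity() is inherited from the base activity type; presumably it records that the
    // composite supersedes the three source activities — confirm against DroolsBaseActivity.
    act.replaceActivity($dnsQuery); act.replaceActivity($dnsReply); act.replaceActivity($tls);
    insert(act);
end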