93 lines
3.3 KiB
Plaintext
93 lines
3.3 KiB
Plaintext
|
/**
|
||
|
* This file is part of Rubanetra.
|
||
|
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
|
||
|
*
|
||
|
* This program is free software: you can redistribute it and/or modify
|
||
|
* it under the terms of the GNU General Public License as published by
|
||
|
* the Free Software Foundation, either version 3 of the License, or
|
||
|
* (at your option) any later version.
|
||
|
*
|
||
|
* This program is distributed in the hope that it will be useful,
|
||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
|
* GNU General Public License for more details.
|
||
|
*
|
||
|
* You should have received a copy of the GNU General Public License
|
||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||
|
*/
|
||
|
import at.jku.fim.rubanetra.protocol.activity.*;
|
||
|
import at.jku.fim.rubanetra.protocol.activity.tls.*;
|
||
|
import at.jku.fim.rubanetra.protocol.activity.http.*;
|
||
|
import at.jku.fim.rubanetra.protocol.activity.ip.*;
|
||
|
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
|
||
|
import at.jku.fim.rubanetra.protocol.activity.dns.*;
|
||
|
import java.util.SortedSet;
|
||
|
import java.util.TreeSet;
|
||
|
import org.xbill.DNS.Record;
|
||
|
import java.net.InetSocketAddress;
|
||
|
import java.util.List;
|
||
|
import java.util.Set;
|
||
|
import java.util.HashSet;
|
||
|
|
||
|
// using the MVEL expression language, see http://mvel.codehaus.org/
|
||
|
dialect "mvel"
|
||
|
|
||
|
/**
|
||
|
* A logger that may be used for logging custom messages
|
||
|
*/
|
||
|
global org.slf4j.Logger log;
|
||
|
|
||
|
// forward declaration
|
||
|
declare DroolsBaseActivity
|
||
|
end
|
||
|
|
||
|
/**
|
||
|
* This declaration defines an SpiderOak related Activity, consisting of DNS query/reply, client/server address/port
|
||
|
* and the associated TlsActivity
|
||
|
*/
|
||
|
declare SpiderOakActivity extends DroolsBaseActivity
|
||
|
@role( event )
|
||
|
@author( Stefan Swerk )
|
||
|
@timestamp( getStartTimestamp() )
|
||
|
|
||
|
dnsAnswer : DnsActivity
|
||
|
|
||
|
clientAddress : InetSocketAddress
|
||
|
serverAddress : InetSocketAddress
|
||
|
|
||
|
associatedTlsActivity : TlsActivity
|
||
|
end
|
||
|
|
||
|
/**
|
||
|
* This rule is quite similar to the Dropbox tls traffic matching rule.
|
||
|
* It looks for a DNS query to "*.spideroak.com" and gathers the relevant IP addresses for probing existing, yet unmatched
|
||
|
* TlsActivities.
|
||
|
*/
|
||
|
rule "Spideroak TLS traffic based on DnsActivity"
|
||
|
when
|
||
|
$dnsReply : DnsActivity(isResponse(), !answerRecords.isEmpty(),
|
||
|
$question : dnsMessage.question.name,
|
||
|
$question.toString() matches ".*\\.spideroak.com\\.$")
|
||
|
$tls : TlsActivity(this after[0s,10s] $dnsReply)
|
||
|
|
||
|
exists( ARecord($address : getAddress(),
|
||
|
$address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
|
||
|
from $dnsReply.getAnswerRecords()
|
||
|
or
|
||
|
AAAARecord( $address : getAddress(),
|
||
|
$address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
|
||
|
from $dnsReply.getAnswerRecords()
|
||
|
)
|
||
|
then
|
||
|
SpiderOakActivity spiderOakActivity = new SpiderOakActivity();
|
||
|
spiderOakActivity.setDnsAnswer($dnsReply);
|
||
|
spiderOakActivity.setClientAddress($tls.getClientHello().getSourceSocketAddress());
|
||
|
spiderOakActivity.setServerAddress($tls.getServerHello().getSourceSocketAddress());
|
||
|
spiderOakActivity.setAssociatedTlsActivity($tls);
|
||
|
|
||
|
spiderOakActivity.replaceActivity($dnsReply);
|
||
|
spiderOakActivity.replaceActivity($tls);
|
||
|
|
||
|
insert(spiderOakActivity);
|
||
|
end
|