stefan/rubanetra
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Import from old repository

Browse Source
This commit is contained in:
Stefan
2020-04-06 18:44:45 +02:00
commit 5382fa57a4
204 changed files with 19878 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rubanetra-0.0.6-distribution/conf/DefaultKnowledgeBase/at.jku.fim.rubanetra.drools.rules/00.Basic.Metadata.drl
+85
View File
@@ -0,0 +1,85 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.arp.*;
import at.jku.fim.rubanetra.protocol.activity.dhcp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import at.jku.fim.rubanetra.protocol.activity.ethernet.*;
import at.jku.fim.rubanetra.protocol.activity.ftp.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.msn.*;
import at.jku.fim.rubanetra.protocol.activity.netbios.*;
import at.jku.fim.rubanetra.protocol.activity.pop3.*;
import at.jku.fim.rubanetra.protocol.activity.skype.*;
import at.jku.fim.rubanetra.protocol.activity.smtp.*;
import at.jku.fim.rubanetra.protocol.activity.snmp.*;
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
import at.jku.fim.rubanetra.protocol.activity.telnet.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.udp.*;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* The following statements declare the metadata of already existing Java abstract classes/interfaces of the
* at.jku.fim.rubanetra.protocol.activity package.
* Specifically it defines these classes as events using the start-timestamp of the activity itself
* as the actual timestamp (used for reasoning) and sets the expiration time of the individual objects.
* If the objects should not expire based on this timer, remove or adapt the @expires attributes.
* Note, however, unless these attributes are overwritten on the Activity-class implementation level, these settings
* will be inherited for all activities (since all Activity-implementations should extend or implement one of the
* abstract classes/interfaces listed below.
*/
declare DroolsBaseActivity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
@expires( 30m )
end
declare Activity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
@expires( 30m )
end
declare ReplaceableActivity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
@expires( 30m )
end
declare AbstractActivity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
@expires( 30m )
end
declare AbstractReplaceableActivity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
@expires( 30m )
end
rubanetra-0.0.6-distribution/conf/DefaultKnowledgeBase/at.jku.fim.rubanetra.drools.rules/01.Basic.Output.drl
+44
View File
@@ -0,0 +1,44 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* This global variable constitutes the default output writer that is used to write derived facts, i.e. Activity objects,
* to the final output stream.
*/
global at.jku.fim.rubanetra.output.OutputWriterStrategy outputWriter;
/**
* This rule will ensure that all encountered OutputActivityEvents will be written to the final output stream,
* as long as the enclosed Activity 'toOutput' is not null and the global 'outputWriter' exists.
* The encountered, valid OutputActivityEvent will be retracted afterwards.
* This behaviour is useful to free memory in case the default event expiration time is not defined or
* set to a high value.
*/
rule "Write to OutputStream (event-based)"
when
$outEvent : OutputActivityEvent(toOutput != null)
then
if (outputWriter != null) {
outputWriter.writeActivity($outEvent.getToOutput());
}
retract($outEvent);
end
rubanetra-0.0.6-distribution/conf/DefaultKnowledgeBase/at.jku.fim.rubanetra.drools.rules/02.Basic.Http.drl
+201
View File
@@ -0,0 +1,201 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import org.xbill.DNS.*;
import org.apache.http.HttpHeaders;
import org.jnetpcap.protocol.tcpip.Tcp;
import org.jnetpcap.packet.PcapPacket;
import org.apache.commons.codec.binary.Hex;
import java.net.InetSocketAddress;
import java.util.HashSet;
import java.util.Date
import java.util.SortedSet;
import java.util.TreeSet;
import org.xbill.DNS.Record;
import java.net.InetSocketAddress;
import java.util.List;
import java.util.Set;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages
*/
global org.slf4j.Logger log;
/**
* This declaration serves as an example to demonstrate the basic attribute overriding process.
* Usually this class extends the Activity-interface and is declared to be an event.
* However, currently no time-based reasoning will be performed for these objects, therefore it can be
* converted to a Fact.
* This declaration may be removed to use the default attributes again (see 00.Basic.Metadata.drl).
*/
declare HttpImageActivity
@role( fact )
@author( Stefan Swerk )
@dateOfCreation( 10.01.2014 )
end
/**
* The following Tcp declaration represents the jNetPcap-Tcp class, see org.jnetpcap.protocol.tcpip.Tcp.
* Due to 'Tcp' being a Java class of a different library it cannot extend or implement one of the Activity
* base classes and therefore is not treated as a Drools-event per se. Therefore, the metadata of this custom
* class must be defined individually, which can be interpreted as a forward declaration.
*/
declare Tcp
@role( event )
@author( Stefan Swerk )
@timestamp( getPacket().getCaptureHeader().timestampInMillis() )
@expires( 30m )
end
/**
* Currently it appears as if the Tcp-decoder of the Kraken library does not parse all valid Tcp-packets successfully.
* As a kind of workaround this rule has been defined to fallback to the jNetPcap library (hence the previous Tcp-forward
* declaration) for all IPv4 activities that indicate TCP as the encapsulated protocol,
* but that have not been decoded by the Kraken-Tcp-Decoder until now.
* This rule will ensure that an appropriate drop-in TcpActivity will be created and inserted in the event-stream,
* which may be used by other rules.
*/
rule "TCP (work around Kraken limitation)"
when
$ip : Ipv4Activity(ipv4.nextHeaderId == Tcp.ID)
not (exists TcpActivity(pcapActivity == $ip.pcapActivity))
then
Tcp tcp = new Tcp();
PcapPacket p = $ip.getPcapActivity().getPcapPacket();
p.hasHeader(tcp);
log.debug("A workaround Tcp-Activity will be created for frames {}", $ip.getCompoundFrameNumbers());
TcpActivity tcpActivity = new TcpActivity($ip.getPcapActivity(),tcp,$ip);
tcpActivity.replaceActivity($ip);
insert(tcpActivity);
end
/**
* This rules makes use of a custom entry-point called "fact-stream" and the previously declared fact-attribute of
* HttpImageActivity. If a HttpActivity is encountered containing an response that defined an "image/..." content_type
* header, it may be assumed that this reponse was used for delivering image data and the corresponding URL of the request
* contained the image path.
*/
rule "Http Image Activity"
no-loop
when
$httpActivity : HttpActivity($contentType : response.responseHeaderMap[HttpHeaders.CONTENT_TYPE] matches "image/.*",
imageActivities.isEmpty())
then
log.debug("An HttpImageActivity based on the content type was found for frames {}", $httpActivity.getCompoundFrameNumbers());
HttpImageActivity imgAct = new HttpImageActivity($httpActivity);
imgAct.setImagePath($httpActivity.getRequest().getUrl().getFile());
imgAct.setImageType($contentType);
imgAct.setStartInstant($httpActivity.getStartInstant());
imgAct.setEndInstant($httpActivity.getEndInstant());
drools.getEntryPoint("fact-stream").insert(imgAct);
modify($httpActivity){
addImageActivity(imgAct)
}
end
/**
* This rule fires iff there is a HttpImageActivity whose Requests REFERER Header field matches the Request-URI of
* another HttpActivity, i.e. it collects ImageActivities which may be related to a single HttpActivity.
* Consider the following example: A user queries a HTML-Resource that contains external image resources,
* and usually the browser creates subsequent HTTP requests for the image data retrieval.
* Whenever the Browser sets the Referer header field for those separate requests, we could correlate those separate
* image requests with a single HTML resource request.
*/
rule "Collect Http Image Activities (based on referer header)"
when
$http : HttpActivity($req : request, $reqResource : request.url.toString())
$imgAct : HttpImageActivity(this not memberOf $http.imageActivities,
source#HttpActivity.request.requestHeaderMap[HttpHeaders.REFERER] matches $reqResource)
from entry-point "fact-stream"
// add an additional time based constraint
// $htmlRequest : HttpRequestActivity( pcapActivity == $req.pcapActivity)
// $imgRequest : HttpRequestActivity( pcapActivity == $imgAct.source#HttpActivity.request.pcapActivity,
// this after[0s,10s] $htmlRequest)
//
// match a single image request for an image resource to a single request for an html resource only
// not (exists HttpRequestActivity(pcapActivity != $htmlRequest.pcapActivity,
// url.toString() matches $reqResource,
// this before $imgRequest))
then
modify($http) {
addImageActivity($imgAct)
}
end
/**
* Currently the event stream will only contain not yet matched HttpRequests and HttpResponses.
* Since the reasoning process will be enhanced by correlated each request to a response this rule tries to achieve
* a simple matching mechanism based on the TCP/IP source and destination port and address.
*/
rule "Http Request and Response Matching (based on TCP/IP source/destination and time)"
when
$tcpReq : TcpActivity( $reqId := pcapActivity, $src : sourceAddress, $dst : destinationAddress)
$request : HttpRequestActivity( $reqId := pcapActivity)
$tcpResp : TcpActivity( $respId : pcapActivity, $tcpReq.sourcePort == destinationPort,
$src == destinationAddress, $dst == sourceAddress)
$response : HttpResponseActivity(pcapActivity == $respId, this after[0s,1m] $request)
not (exists HttpActivity(request == $request || response == $response))
then
HttpActivity activity = new HttpActivity($request, $response);
log.debug("A HttpRequest was matched with a HttpResponse (frames {})", activity.getCompoundFrameNumbers());
insert(activity);
end
/**
* This rule tries to match a DNS response to a an already existing HttpActivity using the hostname header field and
* a maximum interval between the DNS response and the Http response of [0s;20s].
* An already existing DNS match of a HttpActivity will not be overwritten.
*/
rule "HttpActivity as a potential result of a preceding DNS activity"
when
$http : HttpActivity($hostHeader : request.requestHeaderMap[HttpHeaders.HOST], dnsMatch==null)
$dnsResponse : DnsActivity(isResponse(), this before[0s,20s] $http)
/**
* The first two checks are IP based, i.e: was the ip address from the DNS A/AAAA record called and does it match the HTTP server IP?
* The last check is domain based, i.e. the "Host:"-Header field from the HttpRequest is compared against the DNS name reply.
*/
exists( ARecord( $address : getAddress(), $address!.getHostAddress() == $http.request.serverAddress.getAddress().getHostAddress())
from $dnsResponse.getAnswerRecords()
or AAAARecord( $address : getAddress(), $address!.getHostAddress() == $http.request.serverAddress.getAddress().getHostAddress())
from $dnsResponse.getAnswerRecords()
or Record( $address : name, $address!.toString().startsWith($hostHeader))
from $dnsResponse.getAnswerRecords()
)
then
// At this point there was a preceding DNS response and a matching subsequent HTTP Request and Response
modify($http) {
setDnsMatch($dnsResponse);
};
end
rubanetra-0.0.6-distribution/conf/DefaultKnowledgeBase/at.jku.fim.rubanetra.drools.rules/03.Basic.Tls.drl
+93
View File
@@ -0,0 +1,93 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
import java.util.SortedSet;
import java.util.TreeSet;
import org.xbill.DNS.Record;
import java.net.InetSocketAddress
import java.util.List;
import java.util.Set
import java.util.HashSet;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages
*/
global org.slf4j.Logger log;
/**
* This experimental rule looks for sequences of three related TCP-activities, i.e.:
* First, it tries to find a "ClientHello" Packet (according to the TLS handshake) followed by a "ServerHello".
* Finally an additional "ChangeCipher" message is expected before classifying this sequence as a TLS/SSL stream, see
* RFC 5246 (https://tools.ietf.org/html/rfc5246).
* The remaining packets will be assembled by the "TLS traffic"-rules (see below)
*/
rule "TLS Handshake"
when
$clientHello : TcpActivity( $payload : payloadHexFormattedDump(), $payload!=null,
TlsActivityHelper.isClientHello(tcp))
$serverHello : TcpActivity( sourceSocketAddress==$clientHello.destinationSocketAddress,
destinationSocketAddress==$clientHello.sourceSocketAddress,
TlsActivityHelper.isServerHello(tcp),
this after[0s,10s] $clientHello)
$changeCipher : TcpActivity(sourceSocketAddress==$clientHello.destinationSocketAddress,
destinationSocketAddress==$clientHello.sourceSocketAddress,
TlsActivityHelper.isChangeCipherSpec(tcp),
this after[0s,10s] $serverHello)
exists TcpActivity( sourceSocketAddress==$clientHello.destinationSocketAddress,
destinationSocketAddress==$clientHello.sourceSocketAddress,
TlsActivityHelper.isChangeCipherSpec(tcp),
this after[0s,10s] $changeCipher)
not (exists TlsActivity(clientHello==$clientHello || serverHello==$serverHello || changeCipherSpec==$changeCipher))
then
TlsActivity tls = new TlsActivity($clientHello,$serverHello);
tls.setChangeCipherSpec($changeCipher);
insert(tls);
end
/**
* Collects TCP activities for a given TlsActivity (client to server only) based on source/destionation ip/port
*/
rule "TLS traffic (client -> server)"
when
$tls : TlsActivity($clientHello : clientHello)
$tcp : TcpActivity( sourceSocketAddress==$clientHello.sourceSocketAddress,
destinationSocketAddress==$clientHello.destinationSocketAddress)
then
$tls.addClientToServerTcpActivity($tcp);
end
/**
* Collects TCP activities for a given TlsActivity (server to client only) based on source/destionation ip/port
*/
rule "TLS traffic (server -> client)"
when
$tls : TlsActivity($serverHello : serverHello)
$tcp : TcpActivity( sourceSocketAddress==$serverHello.sourceSocketAddress,
destinationSocketAddress==$serverHello.destinationSocketAddress)
then
$tls.addServerToClientTcpActivity($tcp);
end
rubanetra-0.0.6-distribution/conf/DefaultKnowledgeBase/at.jku.fim.rubanetra.drools.rules/04.Derived.Https.drl
+77
View File
@@ -0,0 +1,77 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import org.xbill.DNS.*;
import org.apache.http.HttpHeaders;
import org.jnetpcap.protocol.tcpip.Tcp;
import org.jnetpcap.packet.PcapPacket;
import org.apache.commons.codec.binary.Hex;
import java.net.InetSocketAddress;
import java.util.HashSet;
import java.util.Date
import java.util.SortedSet;
import java.util.TreeSet;
import org.xbill.DNS.Record;
import java.net.InetSocketAddress
import java.util.List;
import java.util.Set;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages
*/
global org.slf4j.Logger log;
// this forward declaration is required to demonstrate the in-place definition of a custom event class,
// see HttpsActivity below
declare DroolsBaseActivity
end
/**
* This declaration demonstrates an in-place declaration of a custom event class.
* A HttpsActivity currently consists of a client/server socket address and TLS-Activity, however,
* it includes all relevant frame numbers for further analysis because it replaces the TLS-activity.
*/
declare HttpsActivity extends DroolsBaseActivity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
client : InetSocketAddress
server : InetSocketAddress
tlsActivity : TlsActivity
end
rule "HTTPS" when
$tls : TlsActivity( clientHello.destinationPort == 443, !replaced)
not (exists HttpsActivity($tls == tlsActivity))
then
HttpsActivity httpsActivity = new HttpsActivity();
httpsActivity.setClient($tls.getClientHello().getSourceSocketAddress());
httpsActivity.setServer($tls.getClientHello().getDestinationSocketAddress());
httpsActivity.setTlsActivity($tls);
httpsActivity.replaceActivity($tls);
insert(httpsActivity);
end
rubanetra-0.0.6-distribution/conf/DefaultKnowledgeBase/at.jku.fim.rubanetra.drools.rules/05.Basic.Icmp.drl
+46
View File
@@ -0,0 +1,46 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import org.xbill.DNS.*;
import org.jnetpcap.protocol.network.Icmp.IcmpCode;
import org.jnetpcap.protocol.network.Icmp.IcmpType;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages
*/
global org.slf4j.Logger log;
/**
* Groups ICMP echo requests and echo replies to a PingActivity
*/
rule "Ping (Icmpv4)"
when
$req : Icmpv4Activity( $id : identifier, $seq : sequence, icmpType == IcmpType.ECHO_REQUEST)
$rep : Icmpv4Activity( identifier == $id, sequence == $seq, icmpType == IcmpType.ECHO_REPLY)
not (exists PingActivity(request == $req || reply == $rep))
then
insert(new PingActivity($req, $rep));
end
rubanetra-0.0.6-distribution/conf/DefaultKnowledgeBase/at.jku.fim.rubanetra.drools.rules/06.Application.OpenSSH.drl
+112
View File
@@ -0,0 +1,112 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
import java.util.HashSet;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages
*/
global org.slf4j.Logger log;
/**
* forward declaration, used for declaring the OpenSSHActivity
*/
declare DroolsBaseActivity
end
/**
* Represents OpenSSH traffic between a client and a server.
*/
declare OpenSSHActivity extends DroolsBaseActivity
@role( event )
@timestamp( getStartTimestamp() )
handshakeQuery : TcpActivity
handshakeReply : TcpActivity
clientToServerTraffic : HashSet
serverToClientTraffic : HashSet
end
/**
* Tries to identfiy an OpenSSH handshake by relying on the presence of the 'SSH-' substring of the
* payload to identify the handshake.
*/
rule "OpenSSH Handshake"
when
$handshakeQuery : TcpActivity( payloadString!.startsWith("SSH-"),
payloadString!.contains("OpenSSH"))
$handshakeReply : TcpActivity( pcapActivity != $handshakeQuery.getPcapActivity(),
payloadString!.startsWith("SSH-"),
payloadString!.contains("OpenSSH"),
sourcePort==$handshakeQuery.destinationPort,
destinationPort==$handshakeQuery.sourcePort,
this after[0s,10s] $handshakeQuery)
// there should not exist another reply before the matched reply
not(exists TcpActivity( pcapActivity != $handshakeQuery.getPcapActivity(),
payloadString!.startsWith("SSH-"),
sourcePort==$handshakeQuery.destinationPort, destinationPort==$handshakeQuery.sourcePort,
this before $handshakeReply, this after $handshakeQuery))
then
OpenSSHActivity sshAct = new OpenSSHActivity();
sshAct.setHandshakeQuery($handshakeQuery);
sshAct.setHandshakeReply($handshakeReply);
sshAct.setClientToServerTraffic(new HashSet());
sshAct.setServerToClientTraffic(new HashSet());
sshAct.replaceActivity($handshakeQuery);
sshAct.replaceActivity($handshakeReply);
insert(sshAct);
end
/**
* Collects client to server traffic (TCP activities)
*/
rule "OpenSSH traffic (client -> server)"
when
$sshAct : OpenSSHActivity()
$tcp : TcpActivity( pcapActivity.frameNumber not memberOf $sshAct.compoundFrameNumbers,
sourceSocketAddress==$sshAct.handshakeQuery.sourceSocketAddress,
destinationSocketAddress==$sshAct.handshakeQuery.destinationSocketAddress)
then
$sshAct.getClientToServerTraffic().addAll($tcp.getCompoundFrameNumbers());
$sshAct.replaceActivity($tcp);
end
/**
* Collects server to client traffic (TCP activities)
*/
rule "OpenSSH traffic (server -> client)"
when
$sshAct : OpenSSHActivity()
$tcp : TcpActivity( pcapActivity.frameNumber not memberOf $sshAct.compoundFrameNumbers,
sourceSocketAddress==$sshAct.handshakeReply.sourceSocketAddress,
destinationSocketAddress==$sshAct.handshakeReply.destinationSocketAddress)
then
$sshAct.getServerToClientTraffic().addAll($tcp.getCompoundFrameNumbers());
$sshAct.replaceActivity($tcp);
end
rubanetra-0.0.6-distribution/conf/DefaultKnowledgeBase/at.jku.fim.rubanetra.drools.rules/07.Application.Dropbox.drl
+93
View File
@@ -0,0 +1,93 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import java.util.SortedSet;
import java.util.TreeSet;
import org.xbill.DNS.Record;
import java.net.InetSocketAddress;
import java.util.List;
import java.util.Set;
import java.util.HashSet;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages
*/
global org.slf4j.Logger log;
// forward declaration
declare DroolsBaseActivity
end
/**
* A DropboxTlsActivity contains a DNS query/reply, client/server address/port and the associated Tls-Activity
*/
declare DropboxTlsActivity extends DroolsBaseActivity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
dnsQuestion : DnsActivity
dnsAnswer : DnsActivity
clientAddress : InetSocketAddress
serverAddress : InetSocketAddress
associatedTlsActivity : TlsActivity
end
/**
* Due to the generally encrypted dropbox traffic a DnsActivity containing the rule looks for query to "*.dropbox.com"
* first and gathers the relevant Ip-Addresses for which possible TlsActivitiy-objects will be probed against.
*/
rule "Dropbox TLS traffic based on previous DnsActivity"
when
$dnsQuery : DnsActivity(!isResponse(), !questionRecords.isEmpty(),
$queryId : dnsMessageHeader.ID,$question : dnsMessage.question.name,
$question.toString() matches ".*\\.dropbox.com\\.$")
$dnsReply : DnsActivity(isResponse(),!answerRecords.isEmpty(),
dnsMessageHeader.ID == $queryId,
this after[0s,10s] $dnsQuery)
$tls : TlsActivity(this after[0s,10s] $dnsReply)
exists ( ARecord( $address : getAddress(),
$address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
from $dnsReply.getAnswerRecords()
or AAAARecord( $address : getAddress(),
$address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
from $dnsReply.getAnswerRecords()
)
not ( exists DropboxTlsActivity($tls == associatedTlsActivity))
then
DropboxTlsActivity act = new DropboxTlsActivity();
act.setClientAddress($tls.getClientHello().getSourceSocketAddress());
act.setServerAddress($tls.getServerHello().getSourceSocketAddress());
act.setDnsQuestion($dnsQuery);
act.setDnsAnswer($dnsReply);
act.setAssociatedTlsActivity($tls);
act.replaceActivity($dnsQuery); act.replaceActivity($dnsReply); act.replaceActivity($tls);
insert(act);
end
rubanetra-0.0.6-distribution/conf/DefaultKnowledgeBase/at.jku.fim.rubanetra.drools.rules/08.Application.SpiderOak.drl
+92
View File
@@ -0,0 +1,92 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import java.util.SortedSet;
import java.util.TreeSet;
import org.xbill.DNS.Record;
import java.net.InetSocketAddress;
import java.util.List;
import java.util.Set;
import java.util.HashSet;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages
*/
global org.slf4j.Logger log;
// forward declaration
declare DroolsBaseActivity
end
/**
* This declaration defines an SpiderOak related Activity, consisting of DNS query/reply, client/server address/port
* and the associated TlsActivity
*/
declare SpiderOakActivity extends DroolsBaseActivity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
dnsAnswer : DnsActivity
clientAddress : InetSocketAddress
serverAddress : InetSocketAddress
associatedTlsActivity : TlsActivity
end
/**
* This rule is quite similar to the Dropbox tls traffic matching rule.
* It looks for a DNS query to "*.spideroak.com" and gathers the relevant IP addresses for probing existing, yet unmatched
* TlsActivities.
*/
rule "Spideroak TLS traffic based on DnsActivity"
when
$dnsReply : DnsActivity(isResponse(), !answerRecords.isEmpty(),
$question : dnsMessage.question.name,
$question.toString() matches ".*\\.spideroak.com\\.$")
$tls : TlsActivity(this after[0s,10s] $dnsReply)
exists( ARecord($address : getAddress(),
$address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
from $dnsReply.getAnswerRecords()
or
AAAARecord( $address : getAddress(),
$address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
from $dnsReply.getAnswerRecords()
)
then
SpiderOakActivity spiderOakActivity = new SpiderOakActivity();
spiderOakActivity.setDnsAnswer($dnsReply);
spiderOakActivity.setClientAddress($tls.getClientHello().getSourceSocketAddress());
spiderOakActivity.setServerAddress($tls.getServerHello().getSourceSocketAddress());
spiderOakActivity.setAssociatedTlsActivity($tls);
spiderOakActivity.replaceActivity($dnsReply);
spiderOakActivity.replaceActivity($tls);
insert(spiderOakActivity);
end
rubanetra-0.0.6-distribution/conf/DefaultKnowledgeBase/at.jku.fim.rubanetra.drools.rules/09.Application.Skype.drl
+114
View File
@@ -0,0 +1,114 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
import at.jku.fim.rubanetra.protocol.activity.udp.*;
import at.jku.fim.rubanetra.protocol.activity.skype.*;
import at.jku.fim.rubanetra.protocol.activity.DroolsBaseActivity;
import java.util.SortedSet;
import java.util.TreeSet;
import org.xbill.DNS.Record;
import java.net.InetSocketAddress
import java.util.List;
import java.util.Set
import java.util.HashSet
import org.jnetpcap.protocol.tcpip.Udp;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages
*/
global org.slf4j.Logger log;
// forward declaration
declare DroolsBaseActivity end
/**
* Represents a Skype payload of arbitrary type, consisting of an source/destination object id and hosts.
*/
declare SkypePayloadActivity extends DroolsBaseActivity
@role( event )
@timestamp( getStartTimestamp() )
sourceObjectId : int
destinationObjectId : int
sourceHost : InetSocketAddress
destinationHost : InetSocketAddress
end
/**
* This rule is based on a crude heuristic which is again partially based on: https://github.com/matthiasbock/OpenSkype.
* Skype traffic usually consists of Udp-packets containing a certain kind of object id, therefore those special packets
* have to be matched first.
* This rule should be disabled/removed/improved if it causes false-positives (to reduce the negative impact, this
* rule does not replace any Activities, but extends them instead).
* Possible enhancements include:
* - Use Dns-matches to obtain the skype hosts, if possible (see Dropbox/Spideroak examples)
* - Extend the SkypePayloadActivity according to the known metadata (see https://github.com/matthiasbock/OpenSkype)
*/
rule "Skype Payload (one way, two matches)"
no-loop
when
$udp : UdpActivity( $objectId : SkypeActivityHelper.objectId(udp), SkypeActivityHelper.hasSkypePayload(udp))
$udpResp : UdpActivity( $objectIdResp : SkypeActivityHelper.objectId(udp),
SkypeActivityHelper.hasSkypePayload(udp),
sourceSocketAddress==$udp.destinationSocketAddress,
destinationSocketAddress==$udp.sourceSocketAddress,
this after[0s,10s] $udp)
exists( UdpActivity($oid : SkypeActivityHelper.objectId(udp),
($objectId + 10) > $oid,
$oid > $objectId,
SkypeActivityHelper.hasSkypePayload(udp),
sourceSocketAddress==$udp.sourceSocketAddress,
destinationSocketAddress==$udp.destinationSocketAddress,
this after[0s,10s] $udp) )
exists( UdpActivity($oid : SkypeActivityHelper.objectId(udp),
($objectIdResp + 10) > $oid,
$oid > $objectIdResp,
SkypeActivityHelper.hasSkypePayload(udp),
sourceSocketAddress==$udpResp.sourceSocketAddress,
destinationSocketAddress==$udpResp.destinationSocketAddress,
this after[0s,10s] $udpResp) )
not ( exists UdpActivity( SkypeActivityHelper.objectId(udp)<$objectId,
SkypeActivityHelper.hasSkypePayload(udp),
sourceSocketAddress==$udp.sourceSocketAddress,
destinationSocketAddress==$udp.destinationSocketAddress,
this after[10s] $udp))
not ( exists UdpActivity( SkypeActivityHelper.objectId(udp)<$objectIdResp,
SkypeActivityHelper.hasSkypePayload(udp),
sourceSocketAddress==$udpResp.sourceSocketAddress,
destinationSocketAddress==$udpResp.destinationSocketAddress,
this after[10s] $udpResp))
not ( exists SkypePayloadActivity(sourceObjectId==$objectId || sourceObjectId==$objectIdResp
|| destinationObjectId==$objectId || destinationObjectId==$objectIdResp))
then
SkypePayloadActivity act = new SkypePayloadActivity();
act.setSourceObjectId($objectId); act.setDestinationObjectId($objectIdResp);
act.setSourceHost($udp.getSourceSocketAddress()); act.setDestinationHost($udp.getDestinationSocketAddress());
act.extendActivity($udp); act.extendActivity($udpResp);
insert(act);
end
rubanetra-0.0.6-distribution/conf/META-INF/kmodule.xml
+33
View File
@@ -0,0 +1,33 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of Rubanetra.
Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
-->
<kmodule xmlns="http://jboss.org/kie/6.0.0/kmodule">
<!-- the knowledge base name should correspond to the name of the top level directory containing the rules-->
<kbase name="DefaultKnowledgeBase"
default="true"
eventProcessingMode="stream"
equalsBehavior="equality"
packages="at.jku.fim.rubanetra.drools.rules">
<ksession name="DefaultSession"
default="true"
type="stateful"
clockType="pseudo"/>
</kbase>
</kmodule>
rubanetra-0.0.6-distribution/conf/META-INF/maven/at.jku.fim/rubanetra/pom.properties
+5
View File
@@ -0,0 +1,5 @@
#Generated by Maven
#Tue Jul 07 12:26:27 CEST 2015
version=0.0.6
groupId=at.jku.fim
artifactId=rubanetra
rubanetra-0.0.6-distribution/conf/META-INF/maven/at.jku.fim/rubanetra/pom.xml
+748
View File
@@ -0,0 +1,748 @@
<!--
This file is part of Rubanetra.
Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
-->
<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://maven.apache.org/POM/4.0.0"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>at.jku.fim</groupId>
<artifactId>rubanetra</artifactId>
<version>0.0.6</version>
<name>Rubanetra</name>
<inceptionYear>2013</inceptionYear>
<licenses>
<license>
<name>GNU General Public License, Version 3</name>
<url>https://gnu.org/licenses/gpl-3.0.txt</url>
<distribution>repo</distribution>
</license>
</licenses>
<organization>
<name>Institute of networks and security</name>
<url>https://ins.jku.at</url>
</organization>
<developers>
<developer>
<id>stefan</id>
<name>Stefan Swerk</name>
<email>stefan_rubanetra@swerk.priv.at</email>
<roles>
<role>developer</role>
</roles>
<timezone>+1</timezone>
</developer>
</developers>
<scm>
<connection>scm:git:http://gitlab.swerk.priv.at/stefan/rubanetra.git</connection>
<url>http://gitlab.swerk.priv.at/stefan/rubanetra</url>
</scm>
<issueManagement>
<system>Gitlab</system>
<url>http://gitlab.swerk.priv.at/stefan/rubanetra/issues</url>
</issueManagement>
<properties>
<!-- the default settings to use in the final configuration files -->
<droolsKnowledgeBase>DefaultKnowledgeBase</droolsKnowledgeBase>
<droolsSessionName>DefaultSession</droolsSessionName>
<fnaInputFormat>pcap</fnaInputFormat>
<fnaOutputFile>stdout</fnaOutputFile>
<fnaOutputFormat>plaso</fnaOutputFormat>
<logLevel>info</logLevel>
<logDirectory>./logs</logDirectory>
<library.directory>./lib</library.directory>
<config.directory>./conf</config.directory>
<native.lib.classpath>/usr/lib</native.lib.classpath>
<!-- general settings -->
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<antlr4.visitor>false</antlr4.visitor>
<antlr4.listener>true</antlr4.listener>
<archive.output.directory>/home/stefan/IdeaProjects/rubanetra/target/archive</archive.output.directory>
<recentYears>2014</recentYears>
<!-- main library versions to use -->
<jnetpcap.version>1.4.r1425-1d</jnetpcap.version>
<jnetpcap.native.lib.dirname>libjnetpcap</jnetpcap.native.lib.dirname>
<krakenpcap.version>1.7.1</krakenpcap.version>
<antlr.version>4.5</antlr.version>
<drools.version>6.1.0.Final</drools.version>
<apachehttpclient.version>4.3.3</apachehttpclient.version>
<dnsjava.version>2.1.7</dnsjava.version>
<junit.version>4.11</junit.version>
<jackson.version>2.5.3</jackson.version>
<slf4j.version>1.7.6</slf4j.version>
</properties>
<repositories>
<!--This repository contains the required Kraken Pcap modules, it may be disabled as soon as the
actual krakenapps.org repository (see below) is up again.-->
<repository>
<id>OpenSOC-Kraken-Repo</id>
<name>OpenSOC Kraken Repository</name>
<url>https://raw.github.com/opensoc/kraken/mvn-repo</url>
</repository>
<!--The following repository is currently down (03.2015), it should be enabled if possible.-->
<!--<repository>-->
<!--<id>krakenapps.org</id>-->
<!--<name>Kraken Repository</name>-->
<!--<url>http://download.krakenapps.org/</url>-->
<!--</repository>-->
<!--The following repository serves as workaround for the missing kraken-pcap-pom dependency problem,
See also https://github.com/nchovy/kraken/issues/4 .
In case the repository location as specified below does not exist, delete the following repository entry,
acquire the kraken-pcap-pom file and execute
$ mvn install:install-file -DlocalRepositoryPath=kraken-workaround-repository \
-DcreateChecksum=true -Dpackaging=pom -Dfile=<PATH-TO_KRAKEN-PCAP-POM.pom> \
-DgroupId=org.krakenapps -DartifactId=kraken-pcap-pom -Dversion=1.0.0
As soon as the underlying issue is resolved upstream, this repository entry may be deleted.-->
<repository>
<id>krakenapps.org - workaround</id>
<releases>
<enabled>true</enabled>
<checksumPolicy>ignore</checksumPolicy>
</releases>
<snapshots>
<enabled>false</enabled>
</snapshots>
<url>file:///home/stefan/IdeaProjects/rubanetra/src/main/resources/kraken-workaround-repository</url>
</repository>
<repository>
<id>jboss-public-repository-group</id>
<name>JBoss Public Maven Repository Group</name>
<url>http://repository.jboss.org/nexus/content/groups/public/</url>
<layout>default</layout>
<releases>
<enabled>true</enabled>
<updatePolicy>always</updatePolicy>
</releases>
<snapshots>
<enabled>true</enabled>
<updatePolicy>always</updatePolicy>
</snapshots>
</repository>
<repository>
<id>central</id>
<name>Central Maven Repository</name>
<layout>default</layout>
<url>http://repo1.maven.org/maven2</url>
<snapshots>
<enabled>true</enabled>
</snapshots>
</repository>
<repository>
<id>clojars.org</id>
<name>Clojars Community Maven Repository</name>
<url>http://clojars.org/repo</url>
</repository>
</repositories>
<pluginRepositories>
<pluginRepository>
<id>jboss-public-repository-group</id>
<name>JBoss Public Maven Repository Group</name>
<url>http://repository.jboss.org/nexus/content/groups/public/</url>
<layout>default</layout>
</pluginRepository>
<pluginRepository>
<id>central</id>
<name>Central Maven Repository</name>
<layout>default</layout>
<url>http://repo1.maven.org/maven2</url>
<snapshots>
<enabled>true</enabled>
</snapshots>
</pluginRepository>
</pluginRepositories>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>1.7.6</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>1.7.6</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.1.1</version>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.1.3</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.5.3</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-xml</artifactId>
<version>2.5.3</version>
</dependency>
<dependency>
<groupId>org.codehaus.woodstox</groupId>
<artifactId>woodstox-core-asl</artifactId>
<version>4.3.0</version>
</dependency>
<dependency>
<groupId>javax.mail</groupId>
<artifactId>mail</artifactId>
<version>1.4.7</version>
<exclusions>
<exclusion>
<artifactId>activation</artifactId>
<groupId>javax.activation</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.krakenapps</groupId>
<artifactId>kraken-pcap</artifactId>
<version>1.7.1</version>
<exclusions>
<exclusion>
<artifactId>slf4j-simple</artifactId>
<groupId>org.slf4j</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.krakenapps</groupId>
<artifactId>kraken-http-decoder</artifactId>
<version>1.1.0</version>
<exclusions>
<exclusion>
<artifactId>mail</artifactId>
<groupId>javax.mail</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.krakenapps</groupId>
<artifactId>kraken-smtp-decoder</artifactId>
<version>1.1.0</version>
<exclusions>
<exclusion>
<artifactId>activation</artifactId>
<groupId>javax.activation</groupId>
</exclusion>
<exclusion>
<artifactId>mail</artifactId>
<groupId>javax.mail</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.krakenapps</groupId>
<artifactId>kraken-ftp-decoder</artifactId>
<version>1.2.0</version>
<exclusions>
<exclusion>
<artifactId>mail</artifactId>
<groupId>javax.mail</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.krakenapps</groupId>
<artifactId>kraken-msn-decoder</artifactId>
<version>1.2.0</version>
<exclusions>
<exclusion>
<artifactId>mail</artifactId>
<groupId>javax.mail</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.krakenapps</groupId>
<artifactId>kraken-netbios-decoder</artifactId>
<version>1.0.0</version>
</dependency>
<dependency>
<groupId>org.krakenapps</groupId>
<artifactId>kraken-pop3-decoder</artifactId>
<version>1.0.0</version>
<exclusions>
<exclusion>
<artifactId>mail</artifactId>
<groupId>javax.mail</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.krakenapps</groupId>
<artifactId>kraken-dhcp-decoder</artifactId>
<version>1.0.1</version>
</dependency>
<dependency>
<groupId>org.krakenapps</groupId>
<artifactId>kraken-snmp-decoder</artifactId>
<version>1.1.0</version>
<exclusions>
<exclusion>
<artifactId>mail</artifactId>
<groupId>javax.mail</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.krakenapps</groupId>
<artifactId>kraken-telnet-decoder</artifactId>
<version>1.0.0</version>
</dependency>
<dependency>
<groupId>jnetpcap</groupId>
<artifactId>jnetpcap</artifactId>
<version>1.4.r1425-1d</version>
</dependency>
<dependency>
<groupId>org.antlr</groupId>
<artifactId>antlr4-runtime</artifactId>
<version>4.5</version>
</dependency>
<dependency>
<groupId>org.drools</groupId>
<artifactId>drools-core</artifactId>
<version>6.1.0.Final</version>
</dependency>
<dependency>
<groupId>org.drools</groupId>
<artifactId>drools-compiler</artifactId>
<version>6.1.0.Final</version>
</dependency>
<dependency>
<groupId>org.kie</groupId>
<artifactId>kie-api</artifactId>
<version>6.1.0.Final</version>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.3.3</version>
</dependency>
<dependency>
<groupId>commons-cli</groupId>
<artifactId>commons-cli</artifactId>
<version>1.2</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-csv</artifactId>
<version>1.0</version>
</dependency>
<dependency>
<groupId>dnsjava</groupId>
<artifactId>dnsjava</artifactId>
<version>2.1.7</version>
</dependency>
</dependencies>
<build>
<resources>
<resource>
<directory>src/main/resources</directory>
<filtering>true</filtering>
</resource>
</resources>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.1</version>
<configuration>
<source>1.8</source>
<target>1.8</target>
<showWarnings>true</showWarnings>
<showDeprecation>true</showDeprecation>
<compilerArgument>-proc:none</compilerArgument>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.9.1</version>
<configuration>
<quiet>false</quiet>
<jarOutputDirectory>/home/stefan/IdeaProjects/rubanetra/target/archive</jarOutputDirectory>
<additionalparam>-Xdoclint:none</additionalparam>
</configuration>
<executions>
<execution>
<id>attach-javadocs</id>
<phase>prepare-package</phase>
<goals>
<goal>jar</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.16</version>
<configuration>
<skip>true</skip>
<systemPropertyVariables>
<logDirectory>/home/stefan/IdeaProjects/rubanetra/target/logs</logDirectory>
<logLevel>DEBUG</logLevel>
</systemPropertyVariables>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-assembly-plugin</artifactId>
<version>2.4</version>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>single</goal>
</goals>
</execution>
</executions>
<configuration>
<descriptors>
<descriptor>src/main/assembly/distribution-zip.xml</descriptor>
<descriptor>src/main/assembly/package-zip.xml</descriptor>
</descriptors>
<tarLongFileMode>gnu</tarLongFileMode>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>2.4</version>
<configuration>
<outputDirectory>/home/stefan/IdeaProjects/rubanetra/target/archive</outputDirectory>
<archive>
<manifest>
<addClasspath>true</addClasspath>
<!-- Workaround for Maven bug #MJAR-156 (https://jira.codehaus.org/browse/MJAR-156) -->
<useUniqueVersions>false</useUniqueVersions>
<classpathPrefix>./lib/</classpathPrefix>
<addExtensions>false</addExtensions>
<mainClass>at.jku.fim.rubanetra.config.ConfigurationController</mainClass>
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
</manifest>
<manifestEntries>
<Class-Path>./conf/ /usr/lib/</Class-Path>
<Build-Java>1.8.0_45</Build-Java>
<Build-OS>Linux</Build-OS>
<Build-Arch>amd64</Build-Arch>
<License-Short-Name>GPLv3</License-Short-Name>
<License-Long-Name>GNU General Public License, Version 3</License-Long-Name>
<License-Url>https://gnu.org/licenses/gpl-3.0.txt</License-Url>
<License-Short-Header>This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
</License-Short-Header>
<License-Inception-Year>2013</License-Inception-Year>
<License-Recent-Years>2014</License-Recent-Years>
<Copyright-Owner>Stefan Swerk (stefan_rubanetra@swerk.priv.at)</Copyright-Owner>
<Issue-Management>http://gitlab.swerk.priv.at/stefan/rubanetra/issues</Issue-Management>
<Project-Home>http://gitlab.swerk.priv.at/stefan/rubanetra</Project-Home>
</manifestEntries>
</archive>
<excludes>
<exclude>**/*.properties</exclude>
<exclude>**/*.drl</exclude>
<exclude>**/*.xml</exclude>
<exclude>**/*.conf</exclude>
<exclude>kraken-workaround-repository/**</exclude>
<exclude>DefaultKnowledgeBase/**</exclude>
</excludes>
</configuration>
<executions>
<execution>
<phase>prepare-package</phase>
<goals>
<goal>jar</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
<version>2.2.1</version>
<configuration>
<includePom>true</includePom>
<outputDirectory>/home/stefan/IdeaProjects/rubanetra/target/archive</outputDirectory>
</configuration>
<executions>
<execution>
<id>attach-sources</id>
<phase>prepare-package</phase>
<goals>
<goal>jar-no-fork</goal>
</goals>
</execution>
<execution>
<id>attach-test-sources</id>
<phase>prepare-package</phase>
<goals>
<goal>test-jar-no-fork</goal>
</goals>
<configuration>
<excludes>
<exclude>**/captures/**</exclude>
</excludes>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId>
<version>1.8</version>
<executions>
<execution>
<phase>generate-sources</phase>
<goals>
<goal>add-source</goal>
</goals>
<configuration>
<sources>
<source>/home/stefan/IdeaProjects/rubanetra/target/generated-sources/antlr4</source>
</sources>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.antlr</groupId>
<artifactId>antlr4-maven-plugin</artifactId>
<version>4.5</version>
<executions>
<execution>
<id>antlr</id>
<phase>generate-sources</phase>
<goals>
<goal>antlr4</goal>
</goals>
<configuration>
<!-- This options is currently not required, since this plugin looks for ANTLR grammars
in the directory 'main/antlr4' anyway-->
<!--<sourceDirectory>/home/stefan/IdeaProjects/rubanetra/src/main/java</sourceDirectory> -->
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.kie</groupId>
<artifactId>kie-maven-plugin</artifactId>
<version>6.1.0.Final</version>
<extensions>true</extensions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<version>2.8</version>
<executions>
<execution>
<id>copy-dependencies</id>
<phase>prepare-package</phase>
<goals>
<goal>copy-dependencies</goal>
</goals>
<configuration>
<outputDirectory>/home/stefan/IdeaProjects/rubanetra/target/lib</outputDirectory>
<overWriteReleases>false</overWriteReleases>
<overWriteSnapshots>false</overWriteSnapshots>
<overWriteIfNewer>true</overWriteIfNewer>
<useBaseVersion>true</useBaseVersion>
</configuration>
</execution>
<execution>
<id>unpack</id>
<phase>compile</phase>
<goals>
<goal>unpack</goal>
</goals>
<configuration>
<artifactItems>
<artifactItem>
<groupId>jnetpcap</groupId>
<artifactId>jnetpcap</artifactId>
<version>1.4.r1425-1d</version>
<type>jar</type>
<overWrite>false</overWrite>
<outputDirectory>/home/stefan/IdeaProjects/rubanetra/target/lib/libjnetpcap
</outputDirectory>
</artifactItem>
</artifactItems>
<includes>native/**</includes>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>license-maven-plugin</artifactId>
<version>1.6</version>
<configuration>
<licenseName>gpl_v3</licenseName>
<copyrightOwners>Stefan Swerk (stefan_rubanetra@swerk.priv.at)</copyrightOwners>
<useMissingFile>true</useMissingFile>
<useRepositoryMissingFiles>true</useRepositoryMissingFiles>
<licenseMerges>
<licenseMerge>The Apache Software License, Version 2.0|Apache 2</licenseMerge>
<licenseMerge>The Apache Software License, Version 2.0|Apache
License
</licenseMerge>
<licenseMerge>The Apache Software License, Version 2.0|Apache
License, Version 2.0
</licenseMerge>
</licenseMerges>
</configuration>
<executions>
<execution>
<id>add-third-party</id>
<goals>
<goal>add-third-party</goal>
</goals>
<phase>process-sources</phase>
</execution>
<!--<execution>-->
<!--<id>download-licenses</id>-->
<!--<goals>-->
<!--<goal>download-licenses</goal>-->
<!--</goals>-->
<!--<phase>process-sources</phase>-->
<!--</execution>-->
<execution>
<id>update-project-license</id>
<goals>
<goal>update-project-license</goal>
</goals>
<phase>process-sources</phase>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-install-plugin</artifactId>
<version>2.5.1</version>
<configuration>
<createChecksum>true</createChecksum>
</configuration>
</plugin>
<plugin>
<groupId>net.ju-n.maven.plugins</groupId>
<artifactId>checksum-maven-plugin</artifactId>
<version>1.2</version>
<executions>
<execution>
<goals>
<goal>artifacts</goal>
</goals>
</execution>
</executions>
<configuration>
<algorithms>
<algorithm>MD5</algorithm>
<algorithm>SHA-1</algorithm>
<algorithm>SHA-256</algorithm>
</algorithms>
</configuration>
</plugin>
<plugin>
<groupId>com.mycila</groupId>
<artifactId>license-maven-plugin</artifactId>
<version>2.6</version>
<configuration>
<header>src/license/gpl_v3/header.txt</header>
<properties>
<owner>Stefan Swerk</owner>
<year>2013</year>
<recentYears>2014</recentYears>
<currentYear>${maven.build.timestamp}</currentYear>
<email>stefan_rubanetra@swerk.priv.at</email>
</properties>
<useDefaultExcludes>true</useDefaultExcludes>
<mapping>
<drl>JAVADOC_STYLE</drl>
<g4>JAVADOC_STYLE</g4>
<conf>JAVADOC_STYLE</conf>
</mapping>
</configuration>
<executions>
<execution>
<id>license-basedir</id>
<phase>process-sources</phase>
<goals>
<goal>format</goal>
</goals>
<configuration>
<basedir>/home/stefan/IdeaProjects/rubanetra</basedir>
<excludes>
<exclude>**/README*</exclude>
<exclude>**/LICENSE*</exclude>
<exclude>src/license/gpl_v3/**</exclude>
<exclude>src/main/resources/kraken-workaround-repository/**</exclude>
<exclude>src/test/resources/captures/**</exclude>
</excludes>
<includes>
<include>pom.xml</include>
<include>src/**</include>
</includes>
</configuration>
</execution>
<execution>
<id>license-gen-src</id>
<phase>process-sources</phase>
<goals>
<goal>format</goal>
</goals>
<configuration>
<basedir>/home/stefan/IdeaProjects/rubanetra/target/generated-sources/antlr4</basedir>
<excludes>
<exclude>**/README*</exclude>
<exclude>**/LICENSE*</exclude>
<exclude>**/*.tokens</exclude>
</excludes>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
rubanetra-0.0.6-distribution/conf/logback.xml
+54
View File
@@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
This file is part of Rubanetra.
Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
-->
<configuration>
<appender name="CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
<Target>System.err</Target>
<encoder>
<pattern>%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p - %m%n</pattern>
</encoder>
<filter class="ch.qos.logback.classic.filter.ThresholdFilter">
<level>info</level>
</filter>
</appender>
<appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
<!--See also http://logback.qos.ch/manual/appenders.html#RollingFileAppender-->
<Append>true</Append>
<File>./logs/rubanetra.log</File>
<encoder>
<pattern>%date %level [%thread] [%file:%line] - %msg%n</pattern>
</encoder>
<filter class="ch.qos.logback.classic.filter.ThresholdFilter">
<level>info</level>
</filter>
<rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
<maxIndex>5</maxIndex>
<FileNamePattern>./logs/rubanetra.log.%i</FileNamePattern>
</rollingPolicy>
<triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
<MaxFileSize>10MB</MaxFileSize>
</triggeringPolicy>
</appender>
<root level="info">
<appender-ref ref="CONSOLE"/>
<!-- uncomment the following line to enable file based logging -->
<!--<appender-ref ref="FILE"/>-->
</root>
</configuration>
rubanetra-0.0.6-distribution/conf/rubanetra.conf
+471
View File
@@ -0,0 +1,471 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/**
* This file serves as the Rubanetra configuration entry point and will be looked up by the main executable jar.
* Therefore this file must be either directly available via classpath entry, or the file-path has to be passed via
* command line argument (for further details refer to the README file).
*
* While this file must contain all configuration sections, i.e. 'general', 'protocols', 'input' and 'output'
* at once, one may prefer to split certain dynamically changing configuration sections into separate and therefore
* replaceable files. However, please note that the general section must reside in a statically known location to the
* Rubanetra executable and the paths to the dynamically changed files must be defined in the appropriate sections.
*
* Since all configuration files will be parsed by ANTLRv4, the corresponding grammar defining the exact syntax
* is available in the source archive, see 'src/main/antlr4/.../RubanetraSystemConfiguration.g4'.
*/
/**
* #########################
* # General Configuration #
* #########################
*/
general {
/**
* Defines the base directory containing the Drools knowledge-base configuration.
* Currently this directory must contain:
* - 'META-INF' as subdirectory, containing:
* ~ 'kmodule.xml', the Drools configuration file, i.e. 'META-INF/kmodule.xml'
* ~ the subsequent Apache Maven configuration structure, i.e.:
* + 'maven/at.jku.fim/rubanetra/' sub-directories
* + 'maven/at.jku.fim/rubanetra/pom.xml' the project's Maven configuration file
* + 'maven/at.jku.fim/rubanetra/pom.properties' Maven-generated properties
*
* If this setting is changed, the default 'META-INF' directory should be removed either from the classpath
* or directly from the configuration directory (since this directory is by default in the classpath).
*
* Default value "./conf", this setting is mandatory.
*/
drools_configuration_directory = "./conf";
/**
* Defines the name of the Drools knowledge base to use for the reasoning process.
* This knowledge base name must be listed in the Drools knowledge base descriptor file 'kmodule.xml'.
* If this setting is not specified the default knowledge base as specified in the Drools descriptor file will
* be compiled and used.
*
* Default value "DefaultKnowledgeBase", this setting is optional.
*/
drools_base_model_name = "DefaultKnowledgeBase";
/**
* Defines the name of the Drools session to use for the reasoning process.
* This session name must be listed in the Drools knowledge base descriptor file 'kmodule.xml' as session entry
* under the specified (or the default) 'drools_base_model_name'.
* If this setting is not specified the default session name as specified in the Drools descriptor file will be
* used instead.
*
* Default value "DefaultSession", this setting is optional.
*/
drools_session_model_name = "DefaultSession";
};
/**
* ##########################
* # Protocol Configuration #
* # (Application Layer) #
* ##########################
*
* This section should be filled with application layer specific protocol settings, i.e. underlying lower layer
* protocol parser bindings and potential port filters, if applicable. The listed application layer parser settings
* also serve as a vital tool of directing the output generation engine. By default, any parser output below the
* application layer will be suppressed due to verboseness, however, this behaviour may be overturned by appropriate
* rule definitions inside the used Knowledge Base. For further information on how to achieve this, please refer to
* the documentation of Activity#setExcludedFromOutput(boolean).
* Additional Notes: An application layer parser will only produce output if all of the following conditions are met:
* - A protocol decoder pipeline has been setup, including all lower layer protocols,
* e.g.: L2 -> L3 -> L4 -> <application_layer_parser>
* - The destination port restriction may not be 'None' and has to include the relevant port(s).
* - The PCAP file actually contains relevant packets applicable to <application_layer_parser> and defined port(s).
*
* Furthermore, it is recommended to specify one protocol identifier per application layer protocol parser, however,
* remember that there must be a 1:1 mapping between a transport layer parser and an application layer parser, therefore
* the following example will not work:
* [HTTPandDNSoverTCP]:
* port = ALL;
* protocol_binding = Ethernet -> Ipv4;
* protocol_binding = Ipv4 -> Tcp;
* protocol_binding = Tcp -> Http;
* protocol_binding = Tcp -> Dns;
*
* In general, the following implementation constraints may be observed:
* - 1:n mapping between Layer1 (Pcap) and Layer2 (link) parsers
* - n:m mapping between Layer2 (link) and Layer3 (IP), Layer3 and Layer4 (transport) parsers
* - 1:1 mapping between Layer4 (transport) and application layer parsers
*
* On the other hand, if extremely fine grained control over the actual PCAP data is required, see the BPF setting
* in the 'input' configuration section.
*
* If the Drools knowledge base contains rules that require certain protocol parsers, those parsers must be referenced
* at least one time in this configuration section. However, rule based parsers must be configured entirely in the
* Drools rule files.
*/
protocols {
/**
* If a 'protocol_configuration_file' setting is specified all remaining protocol specific settings will be looked
* up in the referenced file. This file must exist and be readable for the invoking process.
* Note, however, that there will be no explicit checks against configuration file dereferencing chains, i.e.
* it should be ensured that there is no 'protocol_configuration_file' setting in the referenced file again.
* The referenced file must contain a "protocols {};" section containing the entire protocol specific configuration.
*
* This setting is optional, but if it is specified all remaining protocol specific settings in the
* main configuration file will be ignored.
*/
//protocol_configuration_file = "/path/to/protocol.conf";
/**
* An unique protocol id should be defined for each application layer protocol parser that should be used, i.e.
* by default the name of an application layer protocol should suffice.
* Syntax: '[ Protocol_ID ]:', where Protocol_ID represents an unique protocol identifier conforming
* to ([a-zA-Z]+ DIGIT*)+.
* A number of protocol specific settings may be specified subsequently.
* This setting may be repeated multiple times for configuring different protocol parsers.
*
* Constraints: It is currently not defined what will happen in the case of multiple different protocol ids that
* contain exactly the same protocol bindings. Consider for instance:
* [HTTP]: ... as below ...
* [HTTP1]: ... as [HTTP] ...
*
* The rule engine will probably receive double notifications for all HTTP related events in this case and this
* could lead to severe issues during the reasoning process and the corresponding output (two identical frame numbers
* for two different parser instances).
*/
[HTTP]:
/**
* The strategy to use for mapping Kraken's transport layer parsers to the application layer parsers.
* Currently only the destination port strategy has been implemented, i.e. an application layer parser receives
* packets that match the specified destination port number(s) defined by the "port" setting.
*
* Default value "destination_port", this setting is required.
*/
transport_layer_mapping_strategy = destination_port;
/**
* Restricts the transport layer parser (UDP/TCP) to the specified destination ports and/or port-ranges.
* A similar result could be achieved globally (and more efficiently) via the input BPF filter setting.
*
* Default value "80", this setting is required if the mapping strategy used is "destination_port".
* Exemplary values:
* - ALL or ANY, i.e. do not apply any port based restriction to the parser (matches all ports)
* - NONE, i.e. disable this protocol since no ports will be allowed (matches no ports)
* - 80, i.e. match only packets with destination port 80, any valid port numbers are allowed
* - 80,8080,8081 matches packets with destination port 80 or 8080 or 8081
* - 80,8080-8088 matches packets with destination port 80 or the destination port range 8080-8088
* Warning: A setting of ALL should be used with care, as it may cause a library decoder to crash and
* prevent the continued parsing process of valid HTTP data.
*/
port = 80;
/**
* The "protocol_binding" setting binds an available protocol parser to another protocol parser that is capable
* of decoding the previously "unwrapped/decoded" content. Usually this setting should be used to define
* the network layer decoding pipeline. The lowest network layer parser available is currently a
* layer 2 parser, e.g. ethernet. Layer 1 (basically PCAP-entries) may be implicitly assumed to be always
* provided in decoded form.
* A network layer protocol parser is always identified by the unique protocol identifier that this parser is
* advertising as capable of decoding. Unless custom protocol parsers have been registered, the following parsers
* should be available:
* Ethernet, Arp,
* Ipv4, Ipv6, Icmpv4, Icmpv6,
* Tcp, Udp,
* Telnet, Snmp, Netbios, Dhcp, Pop3, Msn, Ftp, Dns, Smtp, Http
*
* This setting is not required, however, if no bindings are specified no parsers will be setup.
* This setting must be specified multiple times in case of different bindings for the same higher layer protocol
* parser, i.e. the entire network layer stack below the highest defined protocol parser layer must be bound.
* For instance, if the highest network layer protocol specified is TCP (layer 4), a layer 2 parser
* must be bound to layer 3 and a layer 3 parser must be bound to tcp. If the parsers are incompatible or the
* pipeline is not complete, the parser of the highest layer will not receive any decoded data.
* Multiple lower layer parsers leading to a common higher layer parser are nevertheless allowed, e.g.
* ethernet -> ipv4, ethernet -> ipv6,
* ipv4 -> tcp, ipv6 -> tcp,
* tcp -> http
*
* In general, the following implementation constraints may be observed:
* - 1:n mapping between Layer1 (Pcap) and Layer2 (link) parsers
* - n:m mapping between Layer2 (link) and Layer3 (IP), Layer3 and Layer4 (transport) parsers
* - 1:1 mapping between Layer4 (transport) and application layer parsers
*
* Note: Not all theoretically possible bindings are implemented, e.g. a binding from ethernet -> http will
* cause a runtime exception because the Http-parser handles decoded TCP/IP-data only.
* It is also discouraged to bind a higher layer parser to a lower layer, e.g. http -> tcp, since this will
* depend solely on the individual parser implementation on how this case is handled and should therefore
* be avoided.
*/
protocol_binding = Ethernet -> Ipv4;
protocol_binding = Ethernet -> Ipv6;
protocol_binding = Ipv4 -> Tcp;
protocol_binding = Ipv6 -> Tcp;
protocol_binding = Tcp -> Http;
/**
* Example of a possible DNS protocol parser pipeline setup. Note that larger DNS messages are sent via
* the TCP transport layer instead of UDP. This pipeline is capable of handling Ethernet, IPv4/IPv6, UDP/TCP and
* the DNS parsers. however, the TCP -> DNS parser is currently considered experimental.
*/
[DNS]:
transport_layer_mapping_strategy = destination_port;
port = Any;
protocol_binding = Ethernet -> Ipv4;
protocol_binding = Ethernet -> Ipv6;
protocol_binding = Ipv4 -> Tcp;
protocol_binding = Ipv4 -> Udp;
protocol_binding = Ipv6 -> Tcp;
protocol_binding = Ipv6 -> Udp;
protocol_binding = Tcp -> Dns;
protocol_binding = Udp -> Dns;
/**
* Exemplary SNMP v1/v2 Pipeline configuration.
* (default: disabled)
*/
[SNMPv1v2]:
transport_layer_mapping_strategy = destination_port;
port = None;
protocol_binding = Ethernet -> Ipv4;
protocol_binding = Ethernet -> Ipv6;
protocol_binding = Ipv4 -> Udp;
protocol_binding = Ipv6 -> Udp;
protocol_binding = Udp -> Snmp;
/**
* Exemplary DHCP Pipeline configuration.
* (default: enabled for port 67,68)
*/
[DHCP]:
transport_layer_mapping_strategy = destination_port;
port = 67,68;
protocol_binding = Ethernet -> Ipv4;
protocol_binding = Ethernet -> Ipv6;
protocol_binding = Ipv4 -> Udp;
protocol_binding = Ipv6 -> Udp;
protocol_binding = Udp -> Dhcp;
/**
* Exemplary Netbios Pipeline configuration.
* (default: disabled)
*/
[Netbios]:
transport_layer_mapping_strategy = destination_port;
port = None;
protocol_binding = Ethernet -> Ipv4;
protocol_binding = Ethernet -> Ipv6;
protocol_binding = Ipv4 -> Udp;
protocol_binding = Ipv4 -> Tcp;
protocol_binding = Ipv6 -> Udp;
protocol_binding = Ipv6 -> Tcp;
protocol_binding = Udp -> Netbios;
protocol_binding = Tcp -> Netbios;
/**
* Exemplary Msn Pipeline configuration.
* (default: disabled)
*/
[MSN]:
transport_layer_mapping_strategy = destination_port;
port = None;
protocol_binding = Ethernet -> Ipv4;
protocol_binding = Ethernet -> Ipv6;
protocol_binding = Ipv4 -> Tcp;
protocol_binding = Ipv6 -> Tcp;
protocol_binding = Tcp -> Msn;
/**
* Exemplary Ftp Pipeline configuration.
* (default: disabled)
*/
[FTP]:
transport_layer_mapping_strategy = destination_port;
port = None;
protocol_binding = Ethernet -> Ipv4;
protocol_binding = Ethernet -> Ipv6;
protocol_binding = Ipv4 -> Tcp;
protocol_binding = Ipv6 -> Tcp;
protocol_binding = Tcp -> Ftp;
/**
* Exemplary Pop3 Pipeline configuration.
* (default: enabled for ports 110, 995)
*/
[Pop3]:
transport_layer_mapping_strategy = destination_port;
port = 110, 995;
protocol_binding = Ethernet -> Ipv4;
protocol_binding = Ethernet -> Ipv6;
protocol_binding = Ipv4 -> Tcp;
protocol_binding = Ipv6 -> Tcp;
protocol_binding = Tcp -> Pop3;
/**
* Exemplary Telnet Pipeline configuration.
* (default: enabled for port 23)
*/
[Telnet]:
transport_layer_mapping_strategy = destination_port;
port = 23;
protocol_binding = Ethernet -> Ipv4;
protocol_binding = Ethernet -> Ipv6;
protocol_binding = Ipv4 -> Tcp;
protocol_binding = Ipv6 -> Tcp;
protocol_binding = Tcp -> Telnet;
/**
* Exemplary Smtp Pipeline configuration.
* (default: enabled for ports 25, 587, 465)
*/
[SMTP]:
transport_layer_mapping_strategy = destination_port;
port = 25, 587, 465;
protocol_binding = Ethernet -> Ipv4;
protocol_binding = Ethernet -> Ipv6;
protocol_binding = Ipv4 -> Tcp;
protocol_binding = Ipv6 -> Tcp;
protocol_binding = Tcp -> Smtp;
/**
* Exemplary ICMPv4/v6 Pipeline configuration.
* (default: enabled, a port based restriction is not possible)
*/
[ICMP]:
transport_layer_mapping_strategy = destination_port;
port = None;
protocol_binding = Ethernet -> Ipv4;
protocol_binding = Ethernet -> Ipv6;
protocol_binding = Ipv4 -> Icmpv4;
protocol_binding = Ipv6 -> Icmpv6;
};
/**
* #######################
* # Input Configuration #
* #######################
*/
input {
/**
* If a 'input_configuration_file' setting is specified, all remaining input specific settings will be looked
* up in the referenced file. This file must exist and be readable for the invoking process.
* Note, however, that there will be no explicit checks against configuration file dereferencing chains, i.e.
* it should be ensured that there is no 'input_configuration_file' setting in the referenced file again.
* The referenced file must contain a "input {};" section containing the entire input specific configuration.
*
* This setting is optional, but if it is specified all remaining input specific settings in the
* main configuration file will be ignored.
*/
//input_configuration_file = "path/to/input.conf";
/**
* The path to the input files to parse. All specified files must adhere to the format specified by
* the "input_format" setting.
*
* This setting is required, syntax (curly braces indicate arbitrary repetitions and must not be included):
* input_file = "/path/to/file1" {, "/path/to/another/file"};
* This setting may be specified multiple times, all occurrences will be processed.
*
* Notes: Input files that were specified by using the command line interface will not replace the input_file
* specifications of this section, i.e. all sources will be combined and processed.
*/
//input_file = "path/to/input/file";
/**
* The format of the specified input files.
* Currently only a pcap parser has been implemented.
*
* This setting is required.
*/
input_format = pcap;
/**
* A Berkeley Packet Filter string to facilitate an efficient way to filter the entire PCAP-Stream before it is
* passed to the parsers. This string will be compiled and applied by the native PCAP-decoding library by the means
* of JNetPcap.
*
* This setting is optional.
* Syntax definition: <https://www.wireshark.org/docs/man-pages/pcap-filter.html>.
*/
bpf_filter = "";
/**
* The Berkeley Packet Filter optimization flag.
* This boolean value will be passed along the bpf_netmask and the bpf_filter string to the native PCAP decoding
* library and indicates whether or not the bpf_filter string should be optimized by the compiler.
*
* This setting is optional, default value = false.
*/
bpf_optimize = false;
/**
* If this setting is set to true, all specified input files will be opened and the first content entry will be
* parsed respectively, i.e. the timestamp of the first entry in each file will be analyzed and compared.
* The File-Handler will then try to sort all files chronologically according to this timestamp, so that
* the "real" parsing process provides all packet capture entries in the original order (the oldest entry will
* be parsed first).
* Because this process relies only on the first timestamp of each file, it cannot handle overlapping
* time-intervals.
*
* This setting is optional, default value: false
* Possible values:
* - false, i.e. parse in the order the files were specified in the configuration itself.
* - true, try to sort all files chronologically according to the timestamp of their first network capture entry.
*/
sort_by_first_timestamp = false;
};
/**
* ########################
* # Output Configuration #
* ########################
*/
output {
/**
* If a 'output_configuration_file' setting is specified, all remaining output specific settings will be looked
* up in the referenced file. This file must exist and be readable for the invoking process.
* Note, however, that there will be no explicit checks against configuration file dereferencing chains, i.e.
* it should be ensured that there is no 'output_configuration_file' setting in the referenced file again.
* The referenced file must contain a "output {};" section containing the entire output specific configuration.
*
* This setting is optional, but if it is specified all remaining output specific settings in the
* main configuration file will be ignored.
*/
//output_configuration_file = "path/to/output.conf";
/**
* The file descriptor to use for writing the derived information to. The information will be transformed
* according to the specified output_format before it is written to the output-stream.
*
* This setting is required, default value: stdout.
* The file or stream must be writable by the invoking process.
* Possible values:
* - STDOUT, the standard output stream
* - "path/to/a/file", a file-path
*/
output_file = stdout;
/**
* The output format that is used to transform the derived information to before writing it to "output_file".
*
* This setting is required, default value: plaso
* Possible values:
* - plaso, a format that can be parsed by the provided Plaso specific parser (currently XML)
* - xml, however, without a schema definition
* - json
* - csv, generic/limited comma separated value content will be produced
* If extended output for certain activities is desired, a custom CSV schema has to be provided first.
* - nop, does not write anything to "output_file".
* - callback, as 'nop', mainly interesting for developers/testing.
*/
output_format = plaso;
};