Import from old repository
+85
@@ -0,0 +1,85 @@
|
||||
/**
|
||||
* This file is part of Rubanetra.
|
||||
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
import at.jku.fim.rubanetra.protocol.activity.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.arp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.dhcp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.dns.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.ethernet.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.ftp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.http.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.ip.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.msn.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.netbios.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.pop3.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.skype.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.smtp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.snmp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.telnet.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.tls.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.udp.*;
|
||||
|
||||
// using the MVEL expression language, see http://mvel.codehaus.org/
|
||||
dialect "mvel"
|
||||
|
||||
/**
|
||||
* The following statements declare the metadata of already existing Java abstract classes/interfaces of the
|
||||
* at.jku.fim.rubanetra.protocol.activity package.
|
||||
* Specifically it defines these classes as events using the start-timestamp of the activity itself
|
||||
* as the actual timestamp (used for reasoning) and sets the expiration time of the individual objects.
|
||||
* If the objects should not expire based on this timer, remove or adapt the @expires attributes.
|
||||
* Note, however, unless these attributes are overwritten on the Activity-class implementation level, these settings
|
||||
* will be inherited for all activities (since all Activity-implementations should extend or implement one of the
|
||||
* abstract classes/interfaces listed below.
|
||||
*/
|
||||
|
||||
declare DroolsBaseActivity
|
||||
@role( event )
|
||||
@author( Stefan Swerk )
|
||||
@timestamp( getStartTimestamp() )
|
||||
@expires( 30m )
|
||||
end
|
||||
|
||||
declare Activity
|
||||
@role( event )
|
||||
@author( Stefan Swerk )
|
||||
@timestamp( getStartTimestamp() )
|
||||
@expires( 30m )
|
||||
end
|
||||
|
||||
declare ReplaceableActivity
|
||||
@role( event )
|
||||
@author( Stefan Swerk )
|
||||
@timestamp( getStartTimestamp() )
|
||||
@expires( 30m )
|
||||
end
|
||||
|
||||
declare AbstractActivity
|
||||
@role( event )
|
||||
@author( Stefan Swerk )
|
||||
@timestamp( getStartTimestamp() )
|
||||
@expires( 30m )
|
||||
end
|
||||
|
||||
declare AbstractReplaceableActivity
|
||||
@role( event )
|
||||
@author( Stefan Swerk )
|
||||
@timestamp( getStartTimestamp() )
|
||||
@expires( 30m )
|
||||
end
|
||||
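Review bot: The 30-minute `@expires( 30m )` on all five base declarations is the only retention bound for every Activity event, and the header comment does not warn that it must be at least as wide as the temporal windows the rules use; in Drools an expired event is retracted, so a correlation whose second event arrives after the first has expired will silently never fire. I'd add to the block comment: `* Keep @expires at least as wide as the widest temporal window (after/before[..]) used by any rule; once an event has expired it is retracted and later correlations against it silently fail.` Since `@timestamp( getStartTimestamp() )` takes the time from the capture rather than the wall clock, expiry is driven by pcap timestamps, which is worth stating for anyone replaying captures with gaps or skewed clocks.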
+44
@@ -0,0 +1,44 @@
|
||||
/**
|
||||
* This file is part of Rubanetra.
|
||||
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
import at.jku.fim.rubanetra.protocol.activity.*;
|
||||
|
||||
// using the MVEL expression language, see http://mvel.codehaus.org/
|
||||
dialect "mvel"
|
||||
|
||||
/**
|
||||
* This global variable constitutes the default output writer that is used to write derived facts, i.e. Activity objects,
|
||||
* to the final output stream.
|
||||
*/
|
||||
global at.jku.fim.rubanetra.output.OutputWriterStrategy outputWriter;
|
||||
|
||||
/**
|
||||
* This rule will ensure that all encountered OutputActivityEvents will be written to the final output stream,
|
||||
* as long as the enclosed Activity 'toOutput' is not null and the global 'outputWriter' exists.
|
||||
* The encountered, valid OutputActivityEvent will be retracted afterwards.
|
||||
* This behaviour is useful to free memory in case the default event expiration time is not defined or
|
||||
* set to a high value.
|
||||
*/
|
||||
rule "Write to OutputStream (event-based)"
|
||||
when
|
||||
$outEvent : OutputActivityEvent(toOutput != null)
|
||||
then
|
||||
if (outputWriter != null) {
|
||||
outputWriter.writeActivity($outEvent.getToOutput());
|
||||
}
|
||||
retract($outEvent);
|
||||
end
|
||||
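Review bot: When the `outputWriter` global is unset the rule still executes `retract($outEvent);`, so the derived activity is dropped without any trace; for a forensic tool a silent loss of output is worse than a loud failure. This file declares no logger, so either add `global org.slf4j.Logger log;` as the other rule files in this commit do and emit `log.warn("outputWriter is not set, dropping {}", $outEvent.getToOutput());` in an else branch, or move the `retract` inside the `if` so the unwritten event stays in working memory (bounded by the base `@expires`) and the omission remains visible.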
+201
@@ -0,0 +1,201 @@
|
||||
/**
|
||||
* This file is part of Rubanetra.
|
||||
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
import at.jku.fim.rubanetra.protocol.activity.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.tls.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.http.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.ip.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.dns.*;
|
||||
import org.xbill.DNS.*;
|
||||
import org.apache.http.HttpHeaders;
|
||||
import org.jnetpcap.protocol.tcpip.Tcp;
|
||||
import org.jnetpcap.packet.PcapPacket;
|
||||
import org.apache.commons.codec.binary.Hex;
|
||||
import java.net.InetSocketAddress;
|
||||
import java.util.HashSet;
|
||||
import java.util.Date
|
||||
import java.util.SortedSet;
|
||||
import java.util.TreeSet;
|
||||
import org.xbill.DNS.Record;
|
||||
import java.net.InetSocketAddress;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
// using the MVEL expression language, see http://mvel.codehaus.org/
|
||||
dialect "mvel"
|
||||
|
||||
/**
|
||||
* A logger that may be used for logging custom messages
|
||||
*/
|
||||
global org.slf4j.Logger log;
|
||||
|
||||
/**
|
||||
* This declaration serves as an example to demonstrate the basic attribute overriding process.
|
||||
* Usually this class extends the Activity-interface and is declared to be an event.
|
||||
* However, currently no time-based reasoning will be performed for these objects, therefore it can be
|
||||
* converted to a Fact.
|
||||
* This declaration may be removed to use the default attributes again (see 00.Basic.Metadata.drl).
|
||||
*/
|
||||
declare HttpImageActivity
|
||||
@role( fact )
|
||||
@author( Stefan Swerk )
|
||||
@dateOfCreation( 10.01.2014 )
|
||||
end
|
||||
|
||||
/**
|
||||
* The following Tcp declaration represents the jNetPcap-Tcp class, see org.jnetpcap.protocol.tcpip.Tcp.
|
||||
* Due to 'Tcp' being a Java class of a different library it cannot extend or implement one of the Activity
|
||||
* base classes and therefore is not treated as a Drools-event per se. Therefore, the metadata of this custom
|
||||
* class must be defined individually, which can be interpreted as a forward declaration.
|
||||
*/
|
||||
declare Tcp
|
||||
@role( event )
|
||||
@author( Stefan Swerk )
|
||||
@timestamp( getPacket().getCaptureHeader().timestampInMillis() )
|
||||
@expires( 30m )
|
||||
end
|
||||
|
||||
/**
|
||||
* Currently it appears as if the Tcp-decoder of the Kraken library does not parse all valid Tcp-packets successfully.
|
||||
* As a kind of workaround this rule has been defined to fallback to the jNetPcap library (hence the previous Tcp-forward
|
||||
* declaration) for all IPv4 activities that indicate TCP as the encapsulated protocol,
|
||||
* but that have not been decoded by the Kraken-Tcp-Decoder until now.
|
||||
* This rule will ensure that an appropriate drop-in TcpActivity will be created and inserted in the event-stream,
|
||||
* which may be used by other rules.
|
||||
*/
|
||||
rule "TCP (work around Kraken limitation)"
|
||||
when
|
||||
$ip : Ipv4Activity(ipv4.nextHeaderId == Tcp.ID)
|
||||
not (exists TcpActivity(pcapActivity == $ip.pcapActivity))
|
||||
then
|
||||
Tcp tcp = new Tcp();
|
||||
PcapPacket p = $ip.getPcapActivity().getPcapPacket();
|
||||
p.hasHeader(tcp);
|
||||
log.debug("A workaround Tcp-Activity will be created for frames {}", $ip.getCompoundFrameNumbers());
|
||||
|
||||
TcpActivity tcpActivity = new TcpActivity($ip.getPcapActivity(),tcp,$ip);
|
||||
tcpActivity.replaceActivity($ip);
|
||||
insert(tcpActivity);
|
||||
end
|
||||
|
||||
/**
|
||||
* This rules makes use of a custom entry-point called "fact-stream" and the previously declared fact-attribute of
|
||||
* HttpImageActivity. If a HttpActivity is encountered containing an response that defined an "image/..." content_type
|
||||
* header, it may be assumed that this reponse was used for delivering image data and the corresponding URL of the request
|
||||
* contained the image path.
|
||||
*/
|
||||
rule "Http Image Activity"
|
||||
no-loop
|
||||
when
|
||||
$httpActivity : HttpActivity($contentType : response.responseHeaderMap[HttpHeaders.CONTENT_TYPE] matches "image/.*",
|
||||
imageActivities.isEmpty())
|
||||
then
|
||||
log.debug("An HttpImageActivity based on the content type was found for frames {}", $httpActivity.getCompoundFrameNumbers());
|
||||
|
||||
HttpImageActivity imgAct = new HttpImageActivity($httpActivity);
|
||||
imgAct.setImagePath($httpActivity.getRequest().getUrl().getFile());
|
||||
imgAct.setImageType($contentType);
|
||||
imgAct.setStartInstant($httpActivity.getStartInstant());
|
||||
imgAct.setEndInstant($httpActivity.getEndInstant());
|
||||
drools.getEntryPoint("fact-stream").insert(imgAct);
|
||||
modify($httpActivity){
|
||||
addImageActivity(imgAct)
|
||||
}
|
||||
end
|
||||
|
||||
/**
|
||||
* This rule fires iff there is a HttpImageActivity whose Requests REFERER Header field matches the Request-URI of
|
||||
* another HttpActivity, i.e. it collects ImageActivities which may be related to a single HttpActivity.
|
||||
* Consider the following example: A user queries a HTML-Resource that contains external image resources,
|
||||
* and usually the browser creates subsequent HTTP requests for the image data retrieval.
|
||||
* Whenever the Browser sets the Referer header field for those separate requests, we could correlate those separate
|
||||
* image requests with a single HTML resource request.
|
||||
*/
|
||||
rule "Collect Http Image Activities (based on referer header)"
|
||||
when
|
||||
$http : HttpActivity($req : request, $reqResource : request.url.toString())
|
||||
$imgAct : HttpImageActivity(this not memberOf $http.imageActivities,
|
||||
source#HttpActivity.request.requestHeaderMap[HttpHeaders.REFERER] matches $reqResource)
|
||||
from entry-point "fact-stream"
|
||||
|
||||
// add an additional time based constraint
|
||||
// $htmlRequest : HttpRequestActivity( pcapActivity == $req.pcapActivity)
|
||||
// $imgRequest : HttpRequestActivity( pcapActivity == $imgAct.source#HttpActivity.request.pcapActivity,
|
||||
// this after[0s,10s] $htmlRequest)
|
||||
//
|
||||
// match a single image request for an image resource to a single request for an html resource only
|
||||
// not (exists HttpRequestActivity(pcapActivity != $htmlRequest.pcapActivity,
|
||||
// url.toString() matches $reqResource,
|
||||
// this before $imgRequest))
|
||||
then
|
||||
modify($http) {
|
||||
addImageActivity($imgAct)
|
||||
}
|
||||
end
|
||||
|
||||
/**
|
||||
* Currently the event stream will only contain not yet matched HttpRequests and HttpResponses.
|
||||
* Since the reasoning process will be enhanced by correlated each request to a response this rule tries to achieve
|
||||
* a simple matching mechanism based on the TCP/IP source and destination port and address.
|
||||
*/
|
||||
rule "Http Request and Response Matching (based on TCP/IP source/destination and time)"
|
||||
when
|
||||
$tcpReq : TcpActivity( $reqId := pcapActivity, $src : sourceAddress, $dst : destinationAddress)
|
||||
$request : HttpRequestActivity( $reqId := pcapActivity)
|
||||
|
||||
$tcpResp : TcpActivity( $respId : pcapActivity, $tcpReq.sourcePort == destinationPort,
|
||||
$src == destinationAddress, $dst == sourceAddress)
|
||||
$response : HttpResponseActivity(pcapActivity == $respId, this after[0s,1m] $request)
|
||||
|
||||
not (exists HttpActivity(request == $request || response == $response))
|
||||
|
||||
then
|
||||
HttpActivity activity = new HttpActivity($request, $response);
|
||||
log.debug("A HttpRequest was matched with a HttpResponse (frames {})", activity.getCompoundFrameNumbers());
|
||||
|
||||
insert(activity);
|
||||
end
|
||||
|
||||
/**
|
||||
* This rule tries to match a DNS response to a an already existing HttpActivity using the hostname header field and
|
||||
* a maximum interval between the DNS response and the Http response of [0s;20s].
|
||||
* An already existing DNS match of a HttpActivity will not be overwritten.
|
||||
*/
|
||||
rule "HttpActivity as a potential result of a preceding DNS activity"
|
||||
when
|
||||
$http : HttpActivity($hostHeader : request.requestHeaderMap[HttpHeaders.HOST], dnsMatch==null)
|
||||
$dnsResponse : DnsActivity(isResponse(), this before[0s,20s] $http)
|
||||
|
||||
/**
|
||||
* The first two checks are IP based, i.e: was the ip address from the DNS A/AAAA record called and does it match the HTTP server IP?
|
||||
* The last check is domain based, i.e. the "Host:"-Header field from the HttpRequest is compared against the DNS name reply.
|
||||
*/
|
||||
exists( ARecord( $address : getAddress(), $address!.getHostAddress() == $http.request.serverAddress.getAddress().getHostAddress())
|
||||
from $dnsResponse.getAnswerRecords()
|
||||
or AAAARecord( $address : getAddress(), $address!.getHostAddress() == $http.request.serverAddress.getAddress().getHostAddress())
|
||||
from $dnsResponse.getAnswerRecords()
|
||||
or Record( $address : name, $address!.toString().startsWith($hostHeader))
|
||||
from $dnsResponse.getAnswerRecords()
|
||||
)
|
||||
then
|
||||
// At this point there was a preceding DNS response and a matching subsequent HTTP Request and Response
|
||||
modify($http) {
|
||||
setDnsMatch($dnsResponse);
|
||||
};
|
||||
end
|
||||
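Review bot: In "Collect Http Image Activities" the captured request URL is used as a regex pattern, `requestHeaderMap[HttpHeaders.REFERER] matches $reqResource` with `$reqResource : request.url.toString()`; URLs routinely contain `?`, `+`, `(` and `.`, so an unbalanced `(` in a query string throws a PatternSyntaxException during rule evaluation and a crafted URL can yield a pathological pattern (ReDoS) — this input is attacker-controlled packet data. Since the intent is equality, compare directly with `requestHeaderMap[HttpHeaders.REFERER] == $reqResource` (or `str[startsWith] $reqResource` if prefix matching is wanted); `Pattern.quote` would be the fallback only if a regex is really required. The same file also ignores the return value of `p.hasHeader(tcp);` in the Kraken workaround rule, so a truncated or malformed IPv4 frame that carries no decodable TCP header still produces a `TcpActivity` from an unbound `Tcp` object — wrap the creation and `insert` in `if (p.hasHeader(tcp)) { ... }` and log the frame number otherwise.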
+93
@@ -0,0 +1,93 @@
|
||||
/**
|
||||
* This file is part of Rubanetra.
|
||||
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
import at.jku.fim.rubanetra.protocol.activity.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.tls.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.http.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.ip.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
|
||||
import java.util.SortedSet;
|
||||
import java.util.TreeSet;
|
||||
import org.xbill.DNS.Record;
|
||||
import java.net.InetSocketAddress
|
||||
import java.util.List;
|
||||
import java.util.Set
|
||||
import java.util.HashSet;
|
||||
|
||||
// using the MVEL expression language, see http://mvel.codehaus.org/
|
||||
dialect "mvel"
|
||||
|
||||
/**
|
||||
* A logger that may be used for logging custom messages
|
||||
*/
|
||||
global org.slf4j.Logger log;
|
||||
|
||||
/**
|
||||
* This experimental rule looks for sequences of three related TCP-activities, i.e.:
|
||||
* First, it tries to find a "ClientHello" Packet (according to the TLS handshake) followed by a "ServerHello".
|
||||
* Finally an additional "ChangeCipher" message is expected before classifying this sequence as a TLS/SSL stream, see
|
||||
* RFC 5246 (https://tools.ietf.org/html/rfc5246).
|
||||
* The remaining packets will be assembled by the "TLS traffic"-rules (see below)
|
||||
*/
|
||||
rule "TLS Handshake"
|
||||
when
|
||||
$clientHello : TcpActivity( $payload : payloadHexFormattedDump(), $payload!=null,
|
||||
TlsActivityHelper.isClientHello(tcp))
|
||||
$serverHello : TcpActivity( sourceSocketAddress==$clientHello.destinationSocketAddress,
|
||||
destinationSocketAddress==$clientHello.sourceSocketAddress,
|
||||
TlsActivityHelper.isServerHello(tcp),
|
||||
this after[0s,10s] $clientHello)
|
||||
$changeCipher : TcpActivity(sourceSocketAddress==$clientHello.destinationSocketAddress,
|
||||
destinationSocketAddress==$clientHello.sourceSocketAddress,
|
||||
TlsActivityHelper.isChangeCipherSpec(tcp),
|
||||
this after[0s,10s] $serverHello)
|
||||
|
||||
exists TcpActivity( sourceSocketAddress==$clientHello.destinationSocketAddress,
|
||||
destinationSocketAddress==$clientHello.sourceSocketAddress,
|
||||
TlsActivityHelper.isChangeCipherSpec(tcp),
|
||||
this after[0s,10s] $changeCipher)
|
||||
not (exists TlsActivity(clientHello==$clientHello || serverHello==$serverHello || changeCipherSpec==$changeCipher))
|
||||
then
|
||||
TlsActivity tls = new TlsActivity($clientHello,$serverHello);
|
||||
tls.setChangeCipherSpec($changeCipher);
|
||||
insert(tls);
|
||||
end
|
||||
|
||||
/**
|
||||
* Collects TCP activities for a given TlsActivity (client to server only) based on source/destionation ip/port
|
||||
*/
|
||||
rule "TLS traffic (client -> server)"
|
||||
when
|
||||
$tls : TlsActivity($clientHello : clientHello)
|
||||
$tcp : TcpActivity( sourceSocketAddress==$clientHello.sourceSocketAddress,
|
||||
destinationSocketAddress==$clientHello.destinationSocketAddress)
|
||||
then
|
||||
$tls.addClientToServerTcpActivity($tcp);
|
||||
end
|
||||
|
||||
/**
|
||||
* Collects TCP activities for a given TlsActivity (server to client only) based on source/destionation ip/port
|
||||
*/
|
||||
rule "TLS traffic (server -> client)"
|
||||
when
|
||||
$tls : TlsActivity($serverHello : serverHello)
|
||||
$tcp : TcpActivity( sourceSocketAddress==$serverHello.sourceSocketAddress,
|
||||
destinationSocketAddress==$serverHello.destinationSocketAddress)
|
||||
then
|
||||
$tls.addServerToClientTcpActivity($tcp);
|
||||
end
|
||||
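Review bot: The `exists TcpActivity(...)` constraint in "TLS Handshake" requires a second ChangeCipherSpec in the same server-to-client direction as `$changeCipher` (`sourceSocketAddress==$clientHello.destinationSocketAddress`), and with `this after[0s,10s] $changeCipher` the zero lower bound most likely lets `$changeCipher` satisfy the constraint itself, so the check is vacuous and the client's ChangeCipherSpec (sent before the server's in a full RFC 5246 handshake) is never verified. Swap the two address constraints in that `exists` to `sourceSocketAddress==$clientHello.sourceSocketAddress, destinationSocketAddress==$clientHello.destinationSocketAddress` and anchor it `after` `$serverHello` rather than `$changeCipher`. Separately, the two "TLS traffic" rules attach every TcpActivity on the 4-tuple for as long as the TlsActivity lives, so a client reusing the same ephemeral port within the 30m expiry is folded into the earlier session; a `this after $clientHello` bound would narrow that, and a FIN/RST cut-off would be better still if TcpActivity exposes flags, which is not visible here.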
+77
@@ -0,0 +1,77 @@
|
||||
/**
|
||||
* This file is part of Rubanetra.
|
||||
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
import at.jku.fim.rubanetra.protocol.activity.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.tls.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.http.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.ip.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.dns.*;
|
||||
import org.xbill.DNS.*;
|
||||
import org.apache.http.HttpHeaders;
|
||||
import org.jnetpcap.protocol.tcpip.Tcp;
|
||||
import org.jnetpcap.packet.PcapPacket;
|
||||
import org.apache.commons.codec.binary.Hex;
|
||||
import java.net.InetSocketAddress;
|
||||
import java.util.HashSet;
|
||||
import java.util.Date
|
||||
import java.util.SortedSet;
|
||||
import java.util.TreeSet;
|
||||
import org.xbill.DNS.Record;
|
||||
import java.net.InetSocketAddress
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
// using the MVEL expression language, see http://mvel.codehaus.org/
|
||||
dialect "mvel"
|
||||
|
||||
/**
|
||||
* A logger that may be used for logging custom messages
|
||||
*/
|
||||
global org.slf4j.Logger log;
|
||||
|
||||
// this forward declaration is required to demonstrate the in-place definition of a custom event class,
|
||||
// see HttpsActivity below
|
||||
declare DroolsBaseActivity
|
||||
end
|
||||
|
||||
/**
|
||||
* This declaration demonstrates an in-place declaration of a custom event class.
|
||||
* A HttpsActivity currently consists of a client/server socket address and TLS-Activity, however,
|
||||
* it includes all relevant frame numbers for further analysis because it replaces the TLS-activity.
|
||||
*/
|
||||
declare HttpsActivity extends DroolsBaseActivity
|
||||
@role( event )
|
||||
@author( Stefan Swerk )
|
||||
@timestamp( getStartTimestamp() )
|
||||
|
||||
client : InetSocketAddress
|
||||
server : InetSocketAddress
|
||||
tlsActivity : TlsActivity
|
||||
end
|
||||
|
||||
rule "HTTPS" when
|
||||
$tls : TlsActivity( clientHello.destinationPort == 443, !replaced)
|
||||
not (exists HttpsActivity($tls == tlsActivity))
|
||||
then
|
||||
HttpsActivity httpsActivity = new HttpsActivity();
|
||||
httpsActivity.setClient($tls.getClientHello().getSourceSocketAddress());
|
||||
httpsActivity.setServer($tls.getClientHello().getDestinationSocketAddress());
|
||||
httpsActivity.setTlsActivity($tls);
|
||||
httpsActivity.replaceActivity($tls);
|
||||
insert(httpsActivity);
|
||||
end
|
||||
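Review bot: "HTTPS" classifies a TlsActivity as HTTPS purely from `clientHello.destinationPort == 443`, and neither the HttpsActivity declaration comment nor the rule says so; for a forensic reader that matters because TLS on 443 is not necessarily HTTP (tunnels, VPNs, C2 channels) and HTTPS on 8443 or any other port is missed entirely. I'd add above the rule: `// Heuristic: port 443 only. Non-HTTP TLS on 443 is mis-labelled and HTTPS on other ports is missed; prefer ALPN/SNI from the ClientHello if TlsActivity exposes it.` and consider making the port set a global so it can be tuned per capture. The rule body otherwise follows the same replace-and-insert pattern as the TLS file, which is good for consistency.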
+46
@@ -0,0 +1,46 @@
|
||||
/**
|
||||
* This file is part of Rubanetra.
|
||||
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
import at.jku.fim.rubanetra.protocol.activity.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.tls.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.http.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.ip.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
|
||||
import org.xbill.DNS.*;
|
||||
import org.jnetpcap.protocol.network.Icmp.IcmpCode;
|
||||
import org.jnetpcap.protocol.network.Icmp.IcmpType;
|
||||
|
||||
// using the MVEL expression language, see http://mvel.codehaus.org/
|
||||
dialect "mvel"
|
||||
|
||||
/**
|
||||
* A logger that may be used for logging custom messages
|
||||
*/
|
||||
global org.slf4j.Logger log;
|
||||
|
||||
/**
|
||||
* Groups ICMP echo requests and echo replies to a PingActivity
|
||||
*/
|
||||
rule "Ping (Icmpv4)"
|
||||
when
|
||||
$req : Icmpv4Activity( $id : identifier, $seq : sequence, icmpType == IcmpType.ECHO_REQUEST)
|
||||
$rep : Icmpv4Activity( identifier == $id, sequence == $seq, icmpType == IcmpType.ECHO_REPLY)
|
||||
|
||||
not (exists PingActivity(request == $req || reply == $rep))
|
||||
then
|
||||
insert(new PingActivity($req, $rep));
|
||||
end
|
||||
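Review bot: "Ping (Icmpv4)" pairs an echo reply with a request using only `identifier == $id, sequence == $seq`, with no address or ordering constraint; ICMP id/seq are 16-bit values reused across hosts, so within the 30m event window a reply from host B can be attributed to a request sent to host A, and a reply that precedes its request also matches. If Icmpv4Activity exposes the IP endpoints as TcpActivity does (not visible here), add `sourceAddress == $req.destinationAddress, destinationAddress == $req.sourceAddress, this after $req` to the `$rep` pattern; otherwise at least add the `this after $req` bound so the pairing respects causality.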
+112
@@ -0,0 +1,112 @@
|
||||
/**
|
||||
* This file is part of Rubanetra.
|
||||
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
import at.jku.fim.rubanetra.protocol.activity.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.tls.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.http.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.ip.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.dns.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
|
||||
import java.util.HashSet;
|
||||
|
||||
// using the MVEL expression language, see http://mvel.codehaus.org/
|
||||
dialect "mvel"
|
||||
|
||||
/**
|
||||
* A logger that may be used for logging custom messages
|
||||
*/
|
||||
global org.slf4j.Logger log;
|
||||
|
||||
/**
|
||||
* forward declaration, used for declaring the OpenSSHActivity
|
||||
*/
|
||||
declare DroolsBaseActivity
|
||||
end
|
||||
|
||||
/**
|
||||
* Represents OpenSSH traffic between a client and a server.
|
||||
*/
|
||||
declare OpenSSHActivity extends DroolsBaseActivity
|
||||
@role( event )
|
||||
@timestamp( getStartTimestamp() )
|
||||
|
||||
handshakeQuery : TcpActivity
|
||||
handshakeReply : TcpActivity
|
||||
|
||||
clientToServerTraffic : HashSet
|
||||
serverToClientTraffic : HashSet
|
||||
end
|
||||
|
||||
/**
|
||||
* Tries to identfiy an OpenSSH handshake by relying on the presence of the 'SSH-' substring of the
|
||||
* payload to identify the handshake.
|
||||
*/
|
||||
rule "OpenSSH Handshake"
|
||||
when
|
||||
$handshakeQuery : TcpActivity( payloadString!.startsWith("SSH-"),
|
||||
payloadString!.contains("OpenSSH"))
|
||||
$handshakeReply : TcpActivity( pcapActivity != $handshakeQuery.getPcapActivity(),
|
||||
payloadString!.startsWith("SSH-"),
|
||||
payloadString!.contains("OpenSSH"),
|
||||
sourcePort==$handshakeQuery.destinationPort,
|
||||
destinationPort==$handshakeQuery.sourcePort,
|
||||
this after[0s,10s] $handshakeQuery)
|
||||
|
||||
// there should not exist another reply before the matched reply
|
||||
not(exists TcpActivity( pcapActivity != $handshakeQuery.getPcapActivity(),
|
||||
payloadString!.startsWith("SSH-"),
|
||||
sourcePort==$handshakeQuery.destinationPort, destinationPort==$handshakeQuery.sourcePort,
|
||||
this before $handshakeReply, this after $handshakeQuery))
|
||||
then
|
||||
OpenSSHActivity sshAct = new OpenSSHActivity();
|
||||
sshAct.setHandshakeQuery($handshakeQuery);
|
||||
sshAct.setHandshakeReply($handshakeReply);
|
||||
sshAct.setClientToServerTraffic(new HashSet());
|
||||
sshAct.setServerToClientTraffic(new HashSet());
|
||||
sshAct.replaceActivity($handshakeQuery);
|
||||
sshAct.replaceActivity($handshakeReply);
|
||||
insert(sshAct);
|
||||
end
|
||||
|
||||
/**
|
||||
* Collects client to server traffic (TCP activities)
|
||||
*/
|
||||
rule "OpenSSH traffic (client -> server)"
|
||||
when
|
||||
$sshAct : OpenSSHActivity()
|
||||
$tcp : TcpActivity( pcapActivity.frameNumber not memberOf $sshAct.compoundFrameNumbers,
|
||||
sourceSocketAddress==$sshAct.handshakeQuery.sourceSocketAddress,
|
||||
destinationSocketAddress==$sshAct.handshakeQuery.destinationSocketAddress)
|
||||
then
|
||||
$sshAct.getClientToServerTraffic().addAll($tcp.getCompoundFrameNumbers());
|
||||
$sshAct.replaceActivity($tcp);
|
||||
end
|
||||
|
||||
/**
|
||||
* Collects server to client traffic (TCP activities)
|
||||
*/
|
||||
rule "OpenSSH traffic (server -> client)"
|
||||
when
|
||||
$sshAct : OpenSSHActivity()
|
||||
$tcp : TcpActivity( pcapActivity.frameNumber not memberOf $sshAct.compoundFrameNumbers,
|
||||
sourceSocketAddress==$sshAct.handshakeReply.sourceSocketAddress,
|
||||
destinationSocketAddress==$sshAct.handshakeReply.destinationSocketAddress)
|
||||
then
|
||||
$sshAct.getServerToClientTraffic().addAll($tcp.getCompoundFrameNumbers());
|
||||
$sshAct.replaceActivity($tcp);
|
||||
end
|
||||
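Review bot: The "OpenSSH Handshake" reply pattern identifies the peer only by port, `sourcePort==$handshakeQuery.destinationPort, destinationPort==$handshakeQuery.sourcePort`, and the `not(exists ...)` guard does the same, while the two traffic rules below use full socket addresses; two SSH sessions from different clients that happen to share an ephemeral port (common behind NAT) can therefore have their banners cross-paired and the wrong client attributed. Use `sourceSocketAddress==$handshakeQuery.destinationSocketAddress, destinationSocketAddress==$handshakeQuery.sourceSocketAddress` in both places, as the TLS rules in this commit already do. Note also that in SSH both peers send their version banner independently, so whichever banner appears first in the capture does not reliably identify the client; a comment on `handshakeQuery` saying so, or a port-based tiebreak such as `destinationPort == 22` on the query, would make the assumption explicit.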
+93
@@ -0,0 +1,93 @@
|
||||
/**
|
||||
* This file is part of Rubanetra.
|
||||
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
import at.jku.fim.rubanetra.protocol.activity.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.tls.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.http.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.ip.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.dns.*;
|
||||
import java.util.SortedSet;
|
||||
import java.util.TreeSet;
|
||||
import org.xbill.DNS.Record;
|
||||
import java.net.InetSocketAddress;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.HashSet;
|
||||
|
||||
// using the MVEL expression language, see http://mvel.codehaus.org/
|
||||
dialect "mvel"
|
||||
|
||||
/**
|
||||
* A logger that may be used for logging custom messages
|
||||
*/
|
||||
global org.slf4j.Logger log;
|
||||
|
||||
// forward declaration
|
||||
declare DroolsBaseActivity
|
||||
end
|
||||
|
||||
/**
|
||||
* A DropboxTlsActivity contains a DNS query/reply, client/server address/port and the associated Tls-Activity
|
||||
*/
|
||||
declare DropboxTlsActivity extends DroolsBaseActivity
|
||||
@role( event )
|
||||
@author( Stefan Swerk )
|
||||
@timestamp( getStartTimestamp() )
|
||||
|
||||
dnsQuestion : DnsActivity
|
||||
dnsAnswer : DnsActivity
|
||||
|
||||
clientAddress : InetSocketAddress
|
||||
serverAddress : InetSocketAddress
|
||||
|
||||
associatedTlsActivity : TlsActivity
|
||||
end
|
||||
|
||||
/**
|
||||
* Due to the generally encrypted dropbox traffic a DnsActivity containing the rule looks for query to "*.dropbox.com"
|
||||
* first and gathers the relevant Ip-Addresses for which possible TlsActivitiy-objects will be probed against.
|
||||
*/
|
||||
rule "Dropbox TLS traffic based on previous DnsActivity"
|
||||
when
|
||||
$dnsQuery : DnsActivity(!isResponse(), !questionRecords.isEmpty(),
|
||||
$queryId : dnsMessageHeader.ID,$question : dnsMessage.question.name,
|
||||
$question.toString() matches ".*\\.dropbox.com\\.$")
|
||||
$dnsReply : DnsActivity(isResponse(),!answerRecords.isEmpty(),
|
||||
dnsMessageHeader.ID == $queryId,
|
||||
this after[0s,10s] $dnsQuery)
|
||||
$tls : TlsActivity(this after[0s,10s] $dnsReply)
|
||||
|
||||
exists ( ARecord( $address : getAddress(),
|
||||
$address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
|
||||
from $dnsReply.getAnswerRecords()
|
||||
or AAAARecord( $address : getAddress(),
|
||||
$address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
|
||||
from $dnsReply.getAnswerRecords()
|
||||
)
|
||||
not ( exists DropboxTlsActivity($tls == associatedTlsActivity))
|
||||
then
|
||||
DropboxTlsActivity act = new DropboxTlsActivity();
|
||||
act.setClientAddress($tls.getClientHello().getSourceSocketAddress());
|
||||
act.setServerAddress($tls.getServerHello().getSourceSocketAddress());
|
||||
act.setDnsQuestion($dnsQuery);
|
||||
act.setDnsAnswer($dnsReply);
|
||||
act.setAssociatedTlsActivity($tls);
|
||||
act.replaceActivity($dnsQuery); act.replaceActivity($dnsReply); act.replaceActivity($tls);
|
||||
|
||||
insert(act);
|
||||
end
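Review bot: The name filter `$question.toString() matches ".*\\.dropbox.com\\.$"` leaves the dot before `com` unescaped, so a query for any name ending in `.dropbox` + one arbitrary character + `com.` also passes; write `".*\\.dropbox\\.com\\.$"` (the leading `.*\\.` additionally excludes the apex `dropbox.com.`, which may or may not be intended). The DNS answer and the TLS session are joined by server IP alone — nothing ties `$tls` to the host that actually received `$dnsReply`, so on a capture with several clients a TLS session from an unrelated host to an address that happens to appear in that answer is also tagged as Dropbox; if DnsActivity exposes endpoints the way TcpActivity does (`sourceSocketAddress`/`destinationSocketAddress`), add a constraint on the `$tls` pattern such as `clientHello.sourceAddress == $dnsReply.destinationAddress`. Since the queried name is chosen by the querying host, the label is an attribution hint rather than evidence, which the rule comment should say. `$tls.getServerHello().getSourceAddress()` is not null-guarded, unlike `$address!.getHostAddress()`; if a TlsActivity can exist with only a ClientHello, add `serverHello != null` to the `$tls` pattern.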
|
||||
+92
@@ -0,0 +1,92 @@
|
||||
/**
|
||||
* This file is part of Rubanetra.
|
||||
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
import at.jku.fim.rubanetra.protocol.activity.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.tls.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.http.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.ip.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.dns.*;
|
||||
import java.util.SortedSet;
|
||||
import java.util.TreeSet;
|
||||
import org.xbill.DNS.Record;
|
||||
import java.net.InetSocketAddress;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.HashSet;
|
||||
|
||||
// using the MVEL expression language, see http://mvel.codehaus.org/
|
||||
dialect "mvel"
|
||||
|
||||
/**
|
||||
* A logger that may be used for logging custom messages
|
||||
*/
|
||||
global org.slf4j.Logger log;
|
||||
|
||||
// forward declaration
|
||||
declare DroolsBaseActivity
|
||||
end
|
||||
|
||||
/**
|
||||
* This declaration defines an SpiderOak related Activity, consisting of DNS query/reply, client/server address/port
|
||||
* and the associated TlsActivity
|
||||
*/
|
||||
declare SpiderOakActivity extends DroolsBaseActivity
|
||||
@role( event )
|
||||
@author( Stefan Swerk )
|
||||
@timestamp( getStartTimestamp() )
|
||||
|
||||
dnsAnswer : DnsActivity
|
||||
|
||||
clientAddress : InetSocketAddress
|
||||
serverAddress : InetSocketAddress
|
||||
|
||||
associatedTlsActivity : TlsActivity
|
||||
end
|
||||
|
||||
/**
|
||||
* This rule is quite similar to the Dropbox tls traffic matching rule.
|
||||
* It looks for a DNS query to "*.spideroak.com" and gathers the relevant IP addresses for probing existing, yet unmatched
|
||||
* TlsActivities.
|
||||
*/
|
||||
rule "Spideroak TLS traffic based on DnsActivity"
|
||||
when
|
||||
$dnsReply : DnsActivity(isResponse(), !answerRecords.isEmpty(),
|
||||
$question : dnsMessage.question.name,
|
||||
$question.toString() matches ".*\\.spideroak.com\\.$")
|
||||
$tls : TlsActivity(this after[0s,10s] $dnsReply)
|
||||
|
||||
exists( ARecord($address : getAddress(),
|
||||
$address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
|
||||
from $dnsReply.getAnswerRecords()
|
||||
or
|
||||
AAAARecord( $address : getAddress(),
|
||||
$address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
|
||||
from $dnsReply.getAnswerRecords()
|
||||
)
|
||||
then
|
||||
SpiderOakActivity spiderOakActivity = new SpiderOakActivity();
|
||||
spiderOakActivity.setDnsAnswer($dnsReply);
|
||||
spiderOakActivity.setClientAddress($tls.getClientHello().getSourceSocketAddress());
|
||||
spiderOakActivity.setServerAddress($tls.getServerHello().getSourceSocketAddress());
|
||||
spiderOakActivity.setAssociatedTlsActivity($tls);
|
||||
|
||||
spiderOakActivity.replaceActivity($dnsReply);
|
||||
spiderOakActivity.replaceActivity($tls);
|
||||
|
||||
insert(spiderOakActivity);
|
||||
end
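Review bot: Unlike the Dropbox rule, this rule has no guard against firing again for the same `$tls`: if `$dnsReply` and `$tls` stay in working memory after `replaceActivity` (that method is not visible here), each `insert(spiderOakActivity)` re-evaluates the LHS and a duplicate SpiderOakActivity is created for the same TLS session. Add `not ( exists SpiderOakActivity( associatedTlsActivity == $tls ) )` immediately before `then`, mirroring the Dropbox rule. The regex `".*\\.spideroak.com\\.$"` also leaves the dot before `com` unescaped and should be `".*\\.spideroak\\.com\\.$"`. As in the Dropbox rule only the server address is correlated, so the TLS client is not required to be the host that received the DNS answer; a client-side constraint on the `$tls` pattern would tighten the match if DnsActivity exposes endpoint addresses.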
|
||||
+114
@@ -0,0 +1,114 @@
|
||||
/**
|
||||
* This file is part of Rubanetra.
|
||||
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
* the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
import at.jku.fim.rubanetra.protocol.activity.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.tls.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.http.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.ip.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.dns.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.udp.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.skype.*;
|
||||
import at.jku.fim.rubanetra.protocol.activity.DroolsBaseActivity;
|
||||
import java.util.SortedSet;
|
||||
import java.util.TreeSet;
|
||||
import org.xbill.DNS.Record;
|
||||
import java.net.InetSocketAddress
|
||||
import java.util.List;
|
||||
import java.util.Set
|
||||
import java.util.HashSet
|
||||
import org.jnetpcap.protocol.tcpip.Udp;
|
||||
|
||||
// using the MVEL expression language, see http://mvel.codehaus.org/
|
||||
dialect "mvel"
|
||||
|
||||
/**
|
||||
* A logger that may be used for logging custom messages
|
||||
*/
|
||||
global org.slf4j.Logger log;
|
||||
|
||||
// forward declaration
|
||||
declare DroolsBaseActivity end
|
||||
|
||||
/**
|
||||
* Represents a Skype payload of arbitrary type, consisting of an source/destination object id and hosts.
|
||||
*/
|
||||
declare SkypePayloadActivity extends DroolsBaseActivity
|
||||
@role( event )
|
||||
@timestamp( getStartTimestamp() )
|
||||
|
||||
sourceObjectId : int
|
||||
destinationObjectId : int
|
||||
|
||||
sourceHost : InetSocketAddress
|
||||
destinationHost : InetSocketAddress
|
||||
end
|
||||
|
||||
/**
|
||||
* This rule is based on a crude heuristic which is again partially based on: https://github.com/matthiasbock/OpenSkype.
|
||||
* Skype traffic usually consists of Udp-packets containing a certain kind of object id, therefore those special packets
|
||||
* have to be matched first.
|
||||
* This rule should be disabled/removed/improved if it causes false-positives (to reduce the negative impact, this
|
||||
* rule does not replace any Activities, but extends them instead).
|
||||
* Possible enhancements include:
|
||||
* - Use Dns-matches to obtain the skype hosts, if possible (see Dropbox/Spideroak examples)
|
||||
* - Extend the SkypePayloadActivity according to the known metadata (see https://github.com/matthiasbock/OpenSkype)
|
||||
*/
|
||||
rule "Skype Payload (one way, two matches)"
|
||||
no-loop
|
||||
when
|
||||
$udp : UdpActivity( $objectId : SkypeActivityHelper.objectId(udp), SkypeActivityHelper.hasSkypePayload(udp))
|
||||
$udpResp : UdpActivity( $objectIdResp : SkypeActivityHelper.objectId(udp),
|
||||
SkypeActivityHelper.hasSkypePayload(udp),
|
||||
sourceSocketAddress==$udp.destinationSocketAddress,
|
||||
destinationSocketAddress==$udp.sourceSocketAddress,
|
||||
this after[0s,10s] $udp)
|
||||
exists( UdpActivity($oid : SkypeActivityHelper.objectId(udp),
|
||||
($objectId + 10) > $oid,
|
||||
$oid > $objectId,
|
||||
SkypeActivityHelper.hasSkypePayload(udp),
|
||||
sourceSocketAddress==$udp.sourceSocketAddress,
|
||||
destinationSocketAddress==$udp.destinationSocketAddress,
|
||||
this after[0s,10s] $udp) )
|
||||
exists( UdpActivity($oid : SkypeActivityHelper.objectId(udp),
|
||||
($objectIdResp + 10) > $oid,
|
||||
$oid > $objectIdResp,
|
||||
SkypeActivityHelper.hasSkypePayload(udp),
|
||||
sourceSocketAddress==$udpResp.sourceSocketAddress,
|
||||
destinationSocketAddress==$udpResp.destinationSocketAddress,
|
||||
this after[0s,10s] $udpResp) )
|
||||
|
||||
not ( exists UdpActivity( SkypeActivityHelper.objectId(udp)<$objectId,
|
||||
SkypeActivityHelper.hasSkypePayload(udp),
|
||||
sourceSocketAddress==$udp.sourceSocketAddress,
|
||||
destinationSocketAddress==$udp.destinationSocketAddress,
|
||||
this after[10s] $udp))
|
||||
not ( exists UdpActivity( SkypeActivityHelper.objectId(udp)<$objectIdResp,
|
||||
SkypeActivityHelper.hasSkypePayload(udp),
|
||||
sourceSocketAddress==$udpResp.sourceSocketAddress,
|
||||
destinationSocketAddress==$udpResp.destinationSocketAddress,
|
||||
this after[10s] $udpResp))
|
||||
not ( exists SkypePayloadActivity(sourceObjectId==$objectId || sourceObjectId==$objectIdResp
|
||||
|| destinationObjectId==$objectId || destinationObjectId==$objectIdResp))
|
||||
then
|
||||
SkypePayloadActivity act = new SkypePayloadActivity();
|
||||
act.setSourceObjectId($objectId); act.setDestinationObjectId($objectIdResp);
|
||||
act.setSourceHost($udp.getSourceSocketAddress()); act.setDestinationHost($udp.getDestinationSocketAddress());
|
||||
act.extendActivity($udp); act.extendActivity($udpResp);
|
||||
insert(act);
|
||||
end
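Review bot: In every `UdpActivity(...)` pattern the binding `$objectId : SkypeActivityHelper.objectId(udp)` is written before the `SkypeActivityHelper.hasSkypePayload(udp)` guard, so `objectId` is evaluated on every UDP datagram in the capture, including ones too short or malformed to carry an object id; if that helper reads the payload without its own length check, a truncated or crafted datagram would throw inside the engine rather than simply not match. Put the guard first, `$udp : UdpActivity( SkypeActivityHelper.hasSkypePayload(udp), $objectId : SkypeActivityHelper.objectId(udp) )`, and likewise in the other four patterns (the helper is not visible here, so this assumes `hasSkypePayload` is the validating check). The import lines for `java.net.InetSocketAddress`, `java.util.Set` and `java.util.HashSet` lack the trailing `;` the rest of the file uses; DRL tolerates it, but keep them consistent. `SkypePayloadActivity` also lacks the `@author(...)` metadata its sibling declarations carry, and since the rule comment itself flags this as a crude heuristic with false-positive risk, the declaration comment should carry the same caveat, e.g. `* Heuristic match only (see rule comment): treat as an indicator, not as proof of Skype traffic.`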
|
||||