Import from old repository

This commit is contained in:
Stefan
2020-04-06 18:44:45 +02:00
commit 5382fa57a4
204 changed files with 19878 additions and 0 deletions
@@ -0,0 +1,85 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.arp.*;
import at.jku.fim.rubanetra.protocol.activity.dhcp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import at.jku.fim.rubanetra.protocol.activity.ethernet.*;
import at.jku.fim.rubanetra.protocol.activity.ftp.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.msn.*;
import at.jku.fim.rubanetra.protocol.activity.netbios.*;
import at.jku.fim.rubanetra.protocol.activity.pop3.*;
import at.jku.fim.rubanetra.protocol.activity.skype.*;
import at.jku.fim.rubanetra.protocol.activity.smtp.*;
import at.jku.fim.rubanetra.protocol.activity.snmp.*;
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
import at.jku.fim.rubanetra.protocol.activity.telnet.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.udp.*;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* The following statements declare the metadata of already existing Java abstract classes/interfaces of the
* at.jku.fim.rubanetra.protocol.activity package.
* Specifically it defines these classes as events using the start-timestamp of the activity itself
* as the actual timestamp (used for reasoning) and sets the expiration time of the individual objects.
* If the objects should not expire based on this timer, remove or adapt the @expires attributes.
* Note, however, unless these attributes are overwritten on the Activity-class implementation level, these settings
* will be inherited for all activities (since all Activity-implementations should extend or implement one of the
* abstract classes/interfaces listed below.
*/
declare DroolsBaseActivity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
@expires( 30m )
end
declare Activity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
@expires( 30m )
end
declare ReplaceableActivity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
@expires( 30m )
end
declare AbstractActivity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
@expires( 30m )
end
declare AbstractReplaceableActivity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
@expires( 30m )
end
@@ -0,0 +1,44 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* This global variable constitutes the default output writer that is used to write derived facts, i.e. Activity objects,
* to the final output stream.
*/
global at.jku.fim.rubanetra.output.OutputWriterStrategy outputWriter;
/**
* This rule will ensure that all encountered OutputActivityEvents will be written to the final output stream,
* as long as the enclosed Activity 'toOutput' is not null and the global 'outputWriter' exists.
* The encountered, valid OutputActivityEvent will be retracted afterwards.
* This behaviour is useful to free memory in case the default event expiration time is not defined or
* set to a high value.
*/
rule "Write to OutputStream (event-based)"
when
$outEvent : OutputActivityEvent(toOutput != null)
then
if (outputWriter != null) {
outputWriter.writeActivity($outEvent.getToOutput());
}
retract($outEvent);
end
@@ -0,0 +1,201 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import org.xbill.DNS.*;
import org.apache.http.HttpHeaders;
import org.jnetpcap.protocol.tcpip.Tcp;
import org.jnetpcap.packet.PcapPacket;
import org.apache.commons.codec.binary.Hex;
import java.net.InetSocketAddress;
import java.util.HashSet;
import java.util.Date
import java.util.SortedSet;
import java.util.TreeSet;
import org.xbill.DNS.Record;
import java.net.InetSocketAddress;
import java.util.List;
import java.util.Set;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages
*/
global org.slf4j.Logger log;
/**
* This declaration serves as an example to demonstrate the basic attribute overriding process.
* Usually this class extends the Activity-interface and is declared to be an event.
* However, currently no time-based reasoning will be performed for these objects, therefore it can be
* converted to a Fact.
* This declaration may be removed to use the default attributes again (see 00.Basic.Metadata.drl).
*/
declare HttpImageActivity
@role( fact )
@author( Stefan Swerk )
@dateOfCreation( 10.01.2014 )
end
/**
* The following Tcp declaration represents the jNetPcap-Tcp class, see org.jnetpcap.protocol.tcpip.Tcp.
* Due to 'Tcp' being a Java class of a different library it cannot extend or implement one of the Activity
* base classes and therefore is not treated as a Drools-event per se. Therefore, the metadata of this custom
* class must be defined individually, which can be interpreted as a forward declaration.
*/
declare Tcp
@role( event )
@author( Stefan Swerk )
@timestamp( getPacket().getCaptureHeader().timestampInMillis() )
@expires( 30m )
end
/**
* Currently it appears as if the Tcp-decoder of the Kraken library does not parse all valid Tcp-packets successfully.
* As a kind of workaround this rule has been defined to fallback to the jNetPcap library (hence the previous Tcp-forward
* declaration) for all IPv4 activities that indicate TCP as the encapsulated protocol,
* but that have not been decoded by the Kraken-Tcp-Decoder until now.
* This rule will ensure that an appropriate drop-in TcpActivity will be created and inserted in the event-stream,
* which may be used by other rules.
*/
rule "TCP (work around Kraken limitation)"
when
$ip : Ipv4Activity(ipv4.nextHeaderId == Tcp.ID)
not (exists TcpActivity(pcapActivity == $ip.pcapActivity))
then
Tcp tcp = new Tcp();
PcapPacket p = $ip.getPcapActivity().getPcapPacket();
p.hasHeader(tcp);
log.debug("A workaround Tcp-Activity will be created for frames {}", $ip.getCompoundFrameNumbers());
TcpActivity tcpActivity = new TcpActivity($ip.getPcapActivity(),tcp,$ip);
tcpActivity.replaceActivity($ip);
insert(tcpActivity);
end
/**
* This rules makes use of a custom entry-point called "fact-stream" and the previously declared fact-attribute of
* HttpImageActivity. If a HttpActivity is encountered containing an response that defined an "image/..." content_type
* header, it may be assumed that this reponse was used for delivering image data and the corresponding URL of the request
* contained the image path.
*/
rule "Http Image Activity"
no-loop
when
$httpActivity : HttpActivity($contentType : response.responseHeaderMap[HttpHeaders.CONTENT_TYPE] matches "image/.*",
imageActivities.isEmpty())
then
log.debug("An HttpImageActivity based on the content type was found for frames {}", $httpActivity.getCompoundFrameNumbers());
HttpImageActivity imgAct = new HttpImageActivity($httpActivity);
imgAct.setImagePath($httpActivity.getRequest().getUrl().getFile());
imgAct.setImageType($contentType);
imgAct.setStartInstant($httpActivity.getStartInstant());
imgAct.setEndInstant($httpActivity.getEndInstant());
drools.getEntryPoint("fact-stream").insert(imgAct);
modify($httpActivity){
addImageActivity(imgAct)
}
end
/**
* This rule fires iff there is a HttpImageActivity whose Requests REFERER Header field matches the Request-URI of
* another HttpActivity, i.e. it collects ImageActivities which may be related to a single HttpActivity.
* Consider the following example: A user queries a HTML-Resource that contains external image resources,
* and usually the browser creates subsequent HTTP requests for the image data retrieval.
* Whenever the Browser sets the Referer header field for those separate requests, we could correlate those separate
* image requests with a single HTML resource request.
*/
rule "Collect Http Image Activities (based on referer header)"
when
$http : HttpActivity($req : request, $reqResource : request.url.toString())
$imgAct : HttpImageActivity(this not memberOf $http.imageActivities,
source#HttpActivity.request.requestHeaderMap[HttpHeaders.REFERER] matches $reqResource)
from entry-point "fact-stream"
// add an additional time based constraint
// $htmlRequest : HttpRequestActivity( pcapActivity == $req.pcapActivity)
// $imgRequest : HttpRequestActivity( pcapActivity == $imgAct.source#HttpActivity.request.pcapActivity,
// this after[0s,10s] $htmlRequest)
//
// match a single image request for an image resource to a single request for an html resource only
// not (exists HttpRequestActivity(pcapActivity != $htmlRequest.pcapActivity,
// url.toString() matches $reqResource,
// this before $imgRequest))
then
modify($http) {
addImageActivity($imgAct)
}
end
/**
* Currently the event stream will only contain not yet matched HttpRequests and HttpResponses.
* Since the reasoning process will be enhanced by correlated each request to a response this rule tries to achieve
* a simple matching mechanism based on the TCP/IP source and destination port and address.
*/
rule "Http Request and Response Matching (based on TCP/IP source/destination and time)"
when
$tcpReq : TcpActivity( $reqId := pcapActivity, $src : sourceAddress, $dst : destinationAddress)
$request : HttpRequestActivity( $reqId := pcapActivity)
$tcpResp : TcpActivity( $respId : pcapActivity, $tcpReq.sourcePort == destinationPort,
$src == destinationAddress, $dst == sourceAddress)
$response : HttpResponseActivity(pcapActivity == $respId, this after[0s,1m] $request)
not (exists HttpActivity(request == $request || response == $response))
then
HttpActivity activity = new HttpActivity($request, $response);
log.debug("A HttpRequest was matched with a HttpResponse (frames {})", activity.getCompoundFrameNumbers());
insert(activity);
end
/**
* This rule tries to match a DNS response to a an already existing HttpActivity using the hostname header field and
* a maximum interval between the DNS response and the Http response of [0s;20s].
* An already existing DNS match of a HttpActivity will not be overwritten.
*/
rule "HttpActivity as a potential result of a preceding DNS activity"
when
$http : HttpActivity($hostHeader : request.requestHeaderMap[HttpHeaders.HOST], dnsMatch==null)
$dnsResponse : DnsActivity(isResponse(), this before[0s,20s] $http)
/**
* The first two checks are IP based, i.e: was the ip address from the DNS A/AAAA record called and does it match the HTTP server IP?
* The last check is domain based, i.e. the "Host:"-Header field from the HttpRequest is compared against the DNS name reply.
*/
exists( ARecord( $address : getAddress(), $address!.getHostAddress() == $http.request.serverAddress.getAddress().getHostAddress())
from $dnsResponse.getAnswerRecords()
or AAAARecord( $address : getAddress(), $address!.getHostAddress() == $http.request.serverAddress.getAddress().getHostAddress())
from $dnsResponse.getAnswerRecords()
or Record( $address : name, $address!.toString().startsWith($hostHeader))
from $dnsResponse.getAnswerRecords()
)
then
// At this point there was a preceding DNS response and a matching subsequent HTTP Request and Response
modify($http) {
setDnsMatch($dnsResponse);
};
end
@@ -0,0 +1,93 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
import java.util.SortedSet;
import java.util.TreeSet;
import org.xbill.DNS.Record;
import java.net.InetSocketAddress
import java.util.List;
import java.util.Set
import java.util.HashSet;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages
*/
global org.slf4j.Logger log;
/**
* This experimental rule looks for sequences of three related TCP-activities, i.e.:
* First, it tries to find a "ClientHello" Packet (according to the TLS handshake) followed by a "ServerHello".
* Finally an additional "ChangeCipher" message is expected before classifying this sequence as a TLS/SSL stream, see
* RFC 5246 (https://tools.ietf.org/html/rfc5246).
* The remaining packets will be assembled by the "TLS traffic"-rules (see below)
*/
rule "TLS Handshake"
when
$clientHello : TcpActivity( $payload : payloadHexFormattedDump(), $payload!=null,
TlsActivityHelper.isClientHello(tcp))
$serverHello : TcpActivity( sourceSocketAddress==$clientHello.destinationSocketAddress,
destinationSocketAddress==$clientHello.sourceSocketAddress,
TlsActivityHelper.isServerHello(tcp),
this after[0s,10s] $clientHello)
$changeCipher : TcpActivity(sourceSocketAddress==$clientHello.destinationSocketAddress,
destinationSocketAddress==$clientHello.sourceSocketAddress,
TlsActivityHelper.isChangeCipherSpec(tcp),
this after[0s,10s] $serverHello)
exists TcpActivity( sourceSocketAddress==$clientHello.destinationSocketAddress,
destinationSocketAddress==$clientHello.sourceSocketAddress,
TlsActivityHelper.isChangeCipherSpec(tcp),
this after[0s,10s] $changeCipher)
not (exists TlsActivity(clientHello==$clientHello || serverHello==$serverHello || changeCipherSpec==$changeCipher))
then
TlsActivity tls = new TlsActivity($clientHello,$serverHello);
tls.setChangeCipherSpec($changeCipher);
insert(tls);
end
/**
* Collects TCP activities for a given TlsActivity (client to server only) based on source/destionation ip/port
*/
rule "TLS traffic (client -> server)"
when
$tls : TlsActivity($clientHello : clientHello)
$tcp : TcpActivity( sourceSocketAddress==$clientHello.sourceSocketAddress,
destinationSocketAddress==$clientHello.destinationSocketAddress)
then
$tls.addClientToServerTcpActivity($tcp);
end
/**
* Collects TCP activities for a given TlsActivity (server to client only) based on source/destionation ip/port
*/
rule "TLS traffic (server -> client)"
when
$tls : TlsActivity($serverHello : serverHello)
$tcp : TcpActivity( sourceSocketAddress==$serverHello.sourceSocketAddress,
destinationSocketAddress==$serverHello.destinationSocketAddress)
then
$tls.addServerToClientTcpActivity($tcp);
end
@@ -0,0 +1,77 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import org.xbill.DNS.*;
import org.apache.http.HttpHeaders;
import org.jnetpcap.protocol.tcpip.Tcp;
import org.jnetpcap.packet.PcapPacket;
import org.apache.commons.codec.binary.Hex;
import java.net.InetSocketAddress;
import java.util.HashSet;
import java.util.Date
import java.util.SortedSet;
import java.util.TreeSet;
import org.xbill.DNS.Record;
import java.net.InetSocketAddress
import java.util.List;
import java.util.Set;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages
*/
global org.slf4j.Logger log;
// this forward declaration is required to demonstrate the in-place definition of a custom event class,
// see HttpsActivity below
declare DroolsBaseActivity
end
/**
* This declaration demonstrates an in-place declaration of a custom event class.
* A HttpsActivity currently consists of a client/server socket address and TLS-Activity, however,
* it includes all relevant frame numbers for further analysis because it replaces the TLS-activity.
*/
declare HttpsActivity extends DroolsBaseActivity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
client : InetSocketAddress
server : InetSocketAddress
tlsActivity : TlsActivity
end
rule "HTTPS" when
$tls : TlsActivity( clientHello.destinationPort == 443, !replaced)
not (exists HttpsActivity($tls == tlsActivity))
then
HttpsActivity httpsActivity = new HttpsActivity();
httpsActivity.setClient($tls.getClientHello().getSourceSocketAddress());
httpsActivity.setServer($tls.getClientHello().getDestinationSocketAddress());
httpsActivity.setTlsActivity($tls);
httpsActivity.replaceActivity($tls);
insert(httpsActivity);
end
@@ -0,0 +1,46 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import org.xbill.DNS.*;
import org.jnetpcap.protocol.network.Icmp.IcmpCode;
import org.jnetpcap.protocol.network.Icmp.IcmpType;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages
*/
global org.slf4j.Logger log;
/**
* Groups ICMP echo requests and echo replies to a PingActivity
*/
rule "Ping (Icmpv4)"
when
$req : Icmpv4Activity( $id : identifier, $seq : sequence, icmpType == IcmpType.ECHO_REQUEST)
$rep : Icmpv4Activity( identifier == $id, sequence == $seq, icmpType == IcmpType.ECHO_REPLY)
not (exists PingActivity(request == $req || reply == $rep))
then
insert(new PingActivity($req, $rep));
end
@@ -0,0 +1,112 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
import java.util.HashSet;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages
*/
global org.slf4j.Logger log;
/**
* forward declaration, used for declaring the OpenSSHActivity
*/
declare DroolsBaseActivity
end
/**
* Represents OpenSSH traffic between a client and a server.
*/
declare OpenSSHActivity extends DroolsBaseActivity
@role( event )
@timestamp( getStartTimestamp() )
handshakeQuery : TcpActivity
handshakeReply : TcpActivity
clientToServerTraffic : HashSet
serverToClientTraffic : HashSet
end
/**
* Tries to identfiy an OpenSSH handshake by relying on the presence of the 'SSH-' substring of the
* payload to identify the handshake.
*/
rule "OpenSSH Handshake"
when
$handshakeQuery : TcpActivity( payloadString!.startsWith("SSH-"),
payloadString!.contains("OpenSSH"))
$handshakeReply : TcpActivity( pcapActivity != $handshakeQuery.getPcapActivity(),
payloadString!.startsWith("SSH-"),
payloadString!.contains("OpenSSH"),
sourcePort==$handshakeQuery.destinationPort,
destinationPort==$handshakeQuery.sourcePort,
this after[0s,10s] $handshakeQuery)
// there should not exist another reply before the matched reply
not(exists TcpActivity( pcapActivity != $handshakeQuery.getPcapActivity(),
payloadString!.startsWith("SSH-"),
sourcePort==$handshakeQuery.destinationPort, destinationPort==$handshakeQuery.sourcePort,
this before $handshakeReply, this after $handshakeQuery))
then
OpenSSHActivity sshAct = new OpenSSHActivity();
sshAct.setHandshakeQuery($handshakeQuery);
sshAct.setHandshakeReply($handshakeReply);
sshAct.setClientToServerTraffic(new HashSet());
sshAct.setServerToClientTraffic(new HashSet());
sshAct.replaceActivity($handshakeQuery);
sshAct.replaceActivity($handshakeReply);
insert(sshAct);
end
/**
* Collects client to server traffic (TCP activities)
*/
rule "OpenSSH traffic (client -> server)"
when
$sshAct : OpenSSHActivity()
$tcp : TcpActivity( pcapActivity.frameNumber not memberOf $sshAct.compoundFrameNumbers,
sourceSocketAddress==$sshAct.handshakeQuery.sourceSocketAddress,
destinationSocketAddress==$sshAct.handshakeQuery.destinationSocketAddress)
then
$sshAct.getClientToServerTraffic().addAll($tcp.getCompoundFrameNumbers());
$sshAct.replaceActivity($tcp);
end
/**
* Collects server to client traffic (TCP activities)
*/
rule "OpenSSH traffic (server -> client)"
when
$sshAct : OpenSSHActivity()
$tcp : TcpActivity( pcapActivity.frameNumber not memberOf $sshAct.compoundFrameNumbers,
sourceSocketAddress==$sshAct.handshakeReply.sourceSocketAddress,
destinationSocketAddress==$sshAct.handshakeReply.destinationSocketAddress)
then
$sshAct.getServerToClientTraffic().addAll($tcp.getCompoundFrameNumbers());
$sshAct.replaceActivity($tcp);
end
@@ -0,0 +1,93 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import java.util.SortedSet;
import java.util.TreeSet;
import org.xbill.DNS.Record;
import java.net.InetSocketAddress;
import java.util.List;
import java.util.Set;
import java.util.HashSet;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages
*/
global org.slf4j.Logger log;
// forward declaration
declare DroolsBaseActivity
end
/**
* A DropboxTlsActivity contains a DNS query/reply, client/server address/port and the associated Tls-Activity
*/
declare DropboxTlsActivity extends DroolsBaseActivity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
dnsQuestion : DnsActivity
dnsAnswer : DnsActivity
clientAddress : InetSocketAddress
serverAddress : InetSocketAddress
associatedTlsActivity : TlsActivity
end
/**
* Due to the generally encrypted dropbox traffic a DnsActivity containing the rule looks for query to "*.dropbox.com"
* first and gathers the relevant Ip-Addresses for which possible TlsActivitiy-objects will be probed against.
*/
rule "Dropbox TLS traffic based on previous DnsActivity"
when
$dnsQuery : DnsActivity(!isResponse(), !questionRecords.isEmpty(),
$queryId : dnsMessageHeader.ID,$question : dnsMessage.question.name,
$question.toString() matches ".*\\.dropbox.com\\.$")
$dnsReply : DnsActivity(isResponse(),!answerRecords.isEmpty(),
dnsMessageHeader.ID == $queryId,
this after[0s,10s] $dnsQuery)
$tls : TlsActivity(this after[0s,10s] $dnsReply)
exists ( ARecord( $address : getAddress(),
$address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
from $dnsReply.getAnswerRecords()
or AAAARecord( $address : getAddress(),
$address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
from $dnsReply.getAnswerRecords()
)
not ( exists DropboxTlsActivity($tls == associatedTlsActivity))
then
DropboxTlsActivity act = new DropboxTlsActivity();
act.setClientAddress($tls.getClientHello().getSourceSocketAddress());
act.setServerAddress($tls.getServerHello().getSourceSocketAddress());
act.setDnsQuestion($dnsQuery);
act.setDnsAnswer($dnsReply);
act.setAssociatedTlsActivity($tls);
act.replaceActivity($dnsQuery); act.replaceActivity($dnsReply); act.replaceActivity($tls);
insert(act);
end
@@ -0,0 +1,92 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import java.util.SortedSet;
import java.util.TreeSet;
import org.xbill.DNS.Record;
import java.net.InetSocketAddress;
import java.util.List;
import java.util.Set;
import java.util.HashSet;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages
*/
global org.slf4j.Logger log;
// forward declaration
declare DroolsBaseActivity
end
/**
* This declaration defines an SpiderOak related Activity, consisting of DNS query/reply, client/server address/port
* and the associated TlsActivity
*/
declare SpiderOakActivity extends DroolsBaseActivity
@role( event )
@author( Stefan Swerk )
@timestamp( getStartTimestamp() )
dnsAnswer : DnsActivity
clientAddress : InetSocketAddress
serverAddress : InetSocketAddress
associatedTlsActivity : TlsActivity
end
/**
* This rule is quite similar to the Dropbox tls traffic matching rule.
* It looks for a DNS query to "*.spideroak.com" and gathers the relevant IP addresses for probing existing, yet unmatched
* TlsActivities.
*/
rule "Spideroak TLS traffic based on DnsActivity"
when
$dnsReply : DnsActivity(isResponse(), !answerRecords.isEmpty(),
$question : dnsMessage.question.name,
$question.toString() matches ".*\\.spideroak.com\\.$")
$tls : TlsActivity(this after[0s,10s] $dnsReply)
exists( ARecord($address : getAddress(),
$address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
from $dnsReply.getAnswerRecords()
or
AAAARecord( $address : getAddress(),
$address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
from $dnsReply.getAnswerRecords()
)
then
SpiderOakActivity spiderOakActivity = new SpiderOakActivity();
spiderOakActivity.setDnsAnswer($dnsReply);
spiderOakActivity.setClientAddress($tls.getClientHello().getSourceSocketAddress());
spiderOakActivity.setServerAddress($tls.getServerHello().getSourceSocketAddress());
spiderOakActivity.setAssociatedTlsActivity($tls);
spiderOakActivity.replaceActivity($dnsReply);
spiderOakActivity.replaceActivity($tls);
insert(spiderOakActivity);
end
@@ -0,0 +1,114 @@
/**
* This file is part of Rubanetra.
* Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
import at.jku.fim.rubanetra.protocol.activity.udp.*;
import at.jku.fim.rubanetra.protocol.activity.skype.*;
import at.jku.fim.rubanetra.protocol.activity.DroolsBaseActivity;
import java.util.SortedSet;
import java.util.TreeSet;
import org.xbill.DNS.Record;
import java.net.InetSocketAddress
import java.util.List;
import java.util.Set
import java.util.HashSet
import org.jnetpcap.protocol.tcpip.Udp;
// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"
/**
* A logger that may be used for logging custom messages
*/
global org.slf4j.Logger log;
// forward declaration
declare DroolsBaseActivity end
/**
* Represents a Skype payload of arbitrary type, consisting of an source/destination object id and hosts.
*/
declare SkypePayloadActivity extends DroolsBaseActivity
@role( event )
@timestamp( getStartTimestamp() )
sourceObjectId : int
destinationObjectId : int
sourceHost : InetSocketAddress
destinationHost : InetSocketAddress
end
/**
* This rule is based on a crude heuristic which is again partially based on: https://github.com/matthiasbock/OpenSkype.
* Skype traffic usually consists of Udp-packets containing a certain kind of object id, therefore those special packets
* have to be matched first.
* This rule should be disabled/removed/improved if it causes false-positives (to reduce the negative impact, this
* rule does not replace any Activities, but extends them instead).
* Possible enhancements include:
* - Use Dns-matches to obtain the skype hosts, if possible (see Dropbox/Spideroak examples)
* - Extend the SkypePayloadActivity according to the known metadata (see https://github.com/matthiasbock/OpenSkype)
*/
rule "Skype Payload (one way, two matches)"
no-loop
when
$udp : UdpActivity( $objectId : SkypeActivityHelper.objectId(udp), SkypeActivityHelper.hasSkypePayload(udp))
$udpResp : UdpActivity( $objectIdResp : SkypeActivityHelper.objectId(udp),
SkypeActivityHelper.hasSkypePayload(udp),
sourceSocketAddress==$udp.destinationSocketAddress,
destinationSocketAddress==$udp.sourceSocketAddress,
this after[0s,10s] $udp)
exists( UdpActivity($oid : SkypeActivityHelper.objectId(udp),
($objectId + 10) > $oid,
$oid > $objectId,
SkypeActivityHelper.hasSkypePayload(udp),
sourceSocketAddress==$udp.sourceSocketAddress,
destinationSocketAddress==$udp.destinationSocketAddress,
this after[0s,10s] $udp) )
exists( UdpActivity($oid : SkypeActivityHelper.objectId(udp),
($objectIdResp + 10) > $oid,
$oid > $objectIdResp,
SkypeActivityHelper.hasSkypePayload(udp),
sourceSocketAddress==$udpResp.sourceSocketAddress,
destinationSocketAddress==$udpResp.destinationSocketAddress,
this after[0s,10s] $udpResp) )
not ( exists UdpActivity( SkypeActivityHelper.objectId(udp)<$objectId,
SkypeActivityHelper.hasSkypePayload(udp),
sourceSocketAddress==$udp.sourceSocketAddress,
destinationSocketAddress==$udp.destinationSocketAddress,
this after[10s] $udp))
not ( exists UdpActivity( SkypeActivityHelper.objectId(udp)<$objectIdResp,
SkypeActivityHelper.hasSkypePayload(udp),
sourceSocketAddress==$udpResp.sourceSocketAddress,
destinationSocketAddress==$udpResp.destinationSocketAddress,
this after[10s] $udpResp))
not ( exists SkypePayloadActivity(sourceObjectId==$objectId || sourceObjectId==$objectIdResp
|| destinationObjectId==$objectId || destinationObjectId==$objectIdResp))
then
SkypePayloadActivity act = new SkypePayloadActivity();
act.setSourceObjectId($objectId); act.setDestinationObjectId($objectIdResp);
act.setSourceHost($udp.getSourceSocketAddress()); act.setDestinationHost($udp.getDestinationSocketAddress());
act.extendActivity($udp); act.extendActivity($udpResp);
insert(act);
end