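/**
 * This file is part of Rubanetra.
 * Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */

// Rubanetra activity model (DroolsBaseActivity, DnsActivity, TlsActivity, ...).
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;

// dnsjava record types. ARecord and AAAARecord are matched by name in the rule below,
// so they are imported explicitly instead of relying on how the surrounding knowledge
// base happens to resolve unqualified type names.
import org.xbill.DNS.Record;
import org.xbill.DNS.ARecord;
import org.xbill.DNS.AAAARecord;

import java.net.InetSocketAddress;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;

// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"

/**
 * A logger that may be used for logging custom messages
 */
global org.slf4j.Logger log;

// forward declaration: makes the (imported) DroolsBaseActivity type known to the rule
// engine so that DropboxTlsActivity below can extend it.
declare DroolsBaseActivity end

/**
 * A DropboxTlsActivity contains a DNS query/reply, client/server address/port and the
 * associated Tls-Activity.
 *
 * It is an event fact (@role(event)) whose timestamp is taken from getStartTimestamp(),
 * presumably inherited from DroolsBaseActivity; the temporal operators used by the rule
 * below (after[..]) rely on that timestamp.
 *
 * dnsQuestion / dnsAnswer     the correlated DNS query and its reply
 * clientAddress / serverAddress  the TLS client (ClientHello source) and server (ServerHello source)
 * associatedTlsActivity       the TLS session that was attributed to Dropbox
 */
declare DropboxTlsActivity extends DroolsBaseActivity
    @role( event )
    @author( Stefan Swerk )
    @timestamp( getStartTimestamp() )
    dnsQuestion : DnsActivity
    dnsAnswer : DnsActivity
    clientAddress : InetSocketAddress
    serverAddress : InetSocketAddress
    associatedTlsActivity : TlsActivity
end

/**
 * Because Dropbox traffic is generally encrypted, this rule first looks for a DnsActivity
 * carrying a query for "*.dropbox.com" and gathers the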
relevant Ip-Addresses for which possible TlsActivitiy-objects will be probed against. */ rule "Dropbox TLS traffic based on previous DnsActivity" when $dnsQuery : DnsActivity(!isResponse(), !questionRecords.isEmpty(), $queryId : dnsMessageHeader.ID,$question : dnsMessage.question.name, $question.toString() matches ".*\\.dropbox.com\\.$") $dnsReply : DnsActivity(isResponse(),!answerRecords.isEmpty(), dnsMessageHeader.ID == $queryId, this after[0s,10s] $dnsQuery) $tls : TlsActivity(this after[0s,10s] $dnsReply) exists ( ARecord( $address : getAddress(), $address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress()) from $dnsReply.getAnswerRecords() or AAAARecord( $address : getAddress(), $address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress()) from $dnsReply.getAnswerRecords() ) not ( exists DropboxTlsActivity($tls == associatedTlsActivity)) then DropboxTlsActivity act = new DropboxTlsActivity(); act.setClientAddress($tls.getClientHello().getSourceSocketAddress()); act.setServerAddress($tls.getServerHello().getSourceSocketAddress()); act.setDnsQuestion($dnsQuery); act.setDnsAnswer($dnsReply); act.setAssociatedTlsActivity($tls); act.replaceActivity($dnsQuery); act.replaceActivity($dnsReply); act.replaceActivity($tls); insert(act); end