/**
 * This file is part of Rubanetra.
 * Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */

/*
 * Drools rule file (DRL) that classifies TLS/SSL sessions from already-decoded
 * TCP activities: one rule detects the handshake, two further rules attach the
 * remaining packets of that connection to the resulting TlsActivity.
 *
 * NOTE(review): several of the imports below (SortedSet, TreeSet, Record,
 * InetSocketAddress, List, Set, HashSet and the http/ip/icmp packages) are not
 * referenced by any rule in this file. Two import lines also lack the trailing
 * ';' the others carry; DRL treats the terminator as optional, but the file is
 * inconsistent.
 */
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
import java.util.SortedSet;
import java.util.TreeSet;
import org.xbill.DNS.Record;
import java.net.InetSocketAddress
import java.util.List;
import java.util.Set
import java.util.HashSet;

// Rule consequences (the "then" parts) are written in the MVEL expression
// language, see http://mvel.codehaus.org/
dialect "mvel"

/**
 * A logger that may be used for logging custom messages.
 * Not referenced by any rule in this file; it is available to rule authors.
 */
global org.slf4j.Logger log;

/**
 * This experimental rule looks for sequences of three related TCP activities, i.e.:
 * First, it tries to find a "ClientHello" packet (according to the TLS handshake) followed by a "ServerHello".
 * Finally an additional "ChangeCipherSpec" message is expected before classifying this sequence as a TLS/SSL stream, see
 * RFC 5246 (https://tools.ietf.org/html/rfc5246).
 * The remaining packets will be assembled by the "TLS traffic" rules (see below).
 *
 * Every temporal constraint uses a fixed window of 0 to 10 seconds relative to the
 * preceding handshake message; handshakes that take longer than that are not classified.
 * Detection relies on TlsActivityHelper's payload heuristics (isClientHello etc.), i.e. on
 * the record layout of the TCP payload, not on the port number.
 */
rule "TLS Handshake"
when
    // Candidate ClientHello. The hex dump is bound only to require a non-null payload;
    // $payload itself is not used anywhere else in this rule.
    $clientHello : TcpActivity( $payload : payloadHexFormattedDump(), $payload!=null, TlsActivityHelper.isClientHello(tcp))
    // ServerHello travelling in the reverse direction (server -> client) within 10 s of the ClientHello.
    $serverHello : TcpActivity( sourceSocketAddress==$clientHello.destinationSocketAddress, destinationSocketAddress==$clientHello.sourceSocketAddress, TlsActivityHelper.isServerHello(tcp), this after[0s,10s] $clientHello)
    // ChangeCipherSpec, again server -> client, within 10 s of the ServerHello.
    $changeCipher : TcpActivity(sourceSocketAddress==$clientHello.destinationSocketAddress, destinationSocketAddress==$clientHello.sourceSocketAddress, TlsActivityHelper.isChangeCipherSpec(tcp), this after[0s,10s] $serverHello)
    // A second ChangeCipherSpec must follow the first one.
    // NOTE(review): this pattern uses the same server -> client direction as $changeCipher.
    // In a regular handshake (RFC 5246, section 7.3) each side sends one ChangeCipherSpec,
    // so the client -> server direction may have been intended here — confirm against
    // the traces this rule was developed with.
    exists TcpActivity( sourceSocketAddress==$clientHello.destinationSocketAddress, destinationSocketAddress==$clientHello.sourceSocketAddress, TlsActivityHelper.isChangeCipherSpec(tcp), this after[0s,10s] $changeCipher)
    // Guard against classifying the same handshake twice: skip if any of the three
    // messages already belongs to an existing TlsActivity.
    not (exists TlsActivity(clientHello==$clientHello || serverHello==$serverHello || changeCipherSpec==$changeCipher))
then
    // Create the session fact from the two Hello messages and record the ChangeCipherSpec,
    // then insert it so the "TLS traffic" rules below can start collecting packets for it.
    TlsActivity tls = new TlsActivity($clientHello,$serverHello);
    tls.setChangeCipherSpec($changeCipher);
    insert(tls);
end

/**
 * Collects TCP activities for a given TlsActivity (client to server only) based on source/destination IP/port.
 *
 * The match is purely on the address/port 4-tuple of the ClientHello; there is no temporal
 * constraint relative to the handshake, and the ClientHello itself satisfies the pattern.
 * NOTE(review): without a time window, packets of an earlier or later connection that reuses
 * the same address/port pair would be attached to this session as well — confirm this is acceptable.
 */
rule "TLS traffic (client -> server)"
when
    $tls : TlsActivity($clientHello : clientHello)
    // Same direction as the ClientHello: client source -> server destination.
    $tcp : TcpActivity( sourceSocketAddress==$clientHello.sourceSocketAddress, destinationSocketAddress==$clientHello.destinationSocketAddress)
then
    // The TlsActivity is mutated in place without modify()/update(), so the engine is not
    // re-notified of the change — presumably intentional, since no rule depends on it; confirm.
    $tls.addClientToServerTcpActivity($tcp);
end

/**
 * Collects TCP activities for a given TlsActivity (server to client only) based on source/destination IP/port.
 *
 * Mirror image of the client -> server rule, keyed on the ServerHello's addresses; the same
 * remarks about the missing time window and the ServerHello matching itself apply.
 */
rule "TLS traffic (server -> client)"
when
    $tls : TlsActivity($serverHello : serverHello)
    // Same direction as the ServerHello: server source -> client destination.
    $tcp : TcpActivity( sourceSocketAddress==$serverHello.sourceSocketAddress, destinationSocketAddress==$serverHello.destinationSocketAddress)
then
    // In-place mutation without modify()/update(), as in the client -> server rule.
    $tls.addServerToClientTcpActivity($tcp);
end