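/**
 * This file is part of Rubanetra.
 * Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see http://www.gnu.org/licenses/.
 */
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
import java.util.HashSet;

// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"

/**
 * A logger that may be used for logging custom messages
 */
global org.slf4j.Logger log;

/**
 * forward declaration, used for declaring the OpenSSHActivity
 */
declare DroolsBaseActivity
end

/**
 * Represents OpenSSH traffic between a client and a server.
 *
 * The two handshake packets identify the flow; the two sets hold the frame
 * numbers of the follow-up traffic in each direction. Raw HashSet is what the
 * declare syntax in this file supports, so no element type is declared here.
 */
declare OpenSSHActivity extends DroolsBaseActivity
    @role( event )
    @timestamp( getStartTimestamp() )
    handshakeQuery : TcpActivity
    handshakeReply : TcpActivity
    clientToServerTraffic : HashSet
    serverToClientTraffic : HashSet
end

/**
 * Tries to identify an OpenSSH handshake. Detection relies solely on the
 * cleartext identification strings exchanged at the start of a session: the
 * first payload of both the client and the server must start with "SSH-" and
 * contain "OpenSSH". Sessions where only one side announces OpenSSH, or where
 * the version banner has been customised, are therefore not matched.
 *
 * The reply must come from the opposite direction of the same flow within 10
 * seconds of the query, and it must be the first such reply; any earlier
 * candidate reply on that flow blocks the match.
 */
rule "OpenSSH Handshake"
when
    $handshakeQuery : TcpActivity( payloadString!.startsWith("SSH-"),
                                   payloadString!.contains("OpenSSH") )
    // The reply has to belong to the same flow as the query. Comparing ports
    // alone would pair two unrelated connections whose ports happen to mirror
    // each other within the 10s window, so the full socket addresses are
    // compared as well (the traffic rules below already match on them).
    $handshakeReply : TcpActivity( pcapActivity != $handshakeQuery.getPcapActivity(),
                                   payloadString!.startsWith("SSH-"),
                                   payloadString!.contains("OpenSSH"),
                                   sourceSocketAddress == $handshakeQuery.destinationSocketAddress,
                                   destinationSocketAddress == $handshakeQuery.sourceSocketAddress,
                                   sourcePort == $handshakeQuery.destinationPort,
                                   destinationPort == $handshakeQuery.sourcePort,
                                   this after[0s,10s] $handshakeQuery )
    // there should not exist another reply on the same flow before the matched reply
    not( TcpActivity( pcapActivity != $handshakeQuery.getPcapActivity(),
                      payloadString!.startsWith("SSH-"),
                      sourceSocketAddress == $handshakeQuery.destinationSocketAddress,
                      destinationSocketAddress == $handshakeQuery.sourceSocketAddress,
                      sourcePort == $handshakeQuery.destinationPort,
                      destinationPort == $handshakeQuery.sourcePort,
                      this before $handshakeReply,
                      this after $handshakeQuery ) )
then
    OpenSSHActivity sshAct = new OpenSSHActivity();
    sshAct.setHandshakeQuery($handshakeQuery);
    sshAct.setHandshakeReply($handshakeReply);
    sshAct.setClientToServerTraffic(new HashSet());
    sshAct.setServerToClientTraffic(new HashSet());
    // Fold both handshake packets into the compound activity before it is
    // inserted; presumably this is what keeps the traffic rules below from
    // collecting them again via the compoundFrameNumbers check — confirm.
    sshAct.replaceActivity($handshakeQuery);
    sshAct.replaceActivity($handshakeReply);
    insert(sshAct);
end

/**
 * Collects client to server traffic (TCP activities) of a detected OpenSSH
 * session: every TCP activity on the same flow as the handshake query whose
 * frame is not yet part of the session is folded into the compound activity.
 *
 * NOTE(review): the consequence mutates $sshAct without modify()/update(), so
 * the engine is not told about the change; this looks intentional (it avoids
 * re-firing against every TcpActivity) — confirm. The pattern carries no
 * temporal bound, so once a client port is reused a later unrelated connection
 * with the same socket addresses would also be attributed to this session.
 */
rule "OpenSSH traffic (client -> server)"
when
    $sshAct : OpenSSHActivity()
    $tcp : TcpActivity( pcapActivity.frameNumber not memberOf $sshAct.compoundFrameNumbers,
                        sourceSocketAddress == $sshAct.handshakeQuery.sourceSocketAddress,
                        destinationSocketAddress == $sshAct.handshakeQuery.destinationSocketAddress )
then
    $sshAct.getClientToServerTraffic().addAll($tcp.getCompoundFrameNumbers());
    $sshAct.replaceActivity($tcp);
end

/**
 * Collects server to client traffic (TCP activities) of a detected OpenSSH
 * session; the mirror image of the client -> server rule, keyed on the
 * handshake reply's socket addresses. The same caveats about the unnotified
 * mutation of $sshAct and the missing temporal bound apply here.
 */
rule "OpenSSH traffic (server -> client)"
when
    $sshAct : OpenSSHActivity()
    $tcp : TcpActivity( pcapActivity.frameNumber not memberOf $sshAct.compoundFrameNumbers,
                        sourceSocketAddress == $sshAct.handshakeReply.sourceSocketAddress,
                        destinationSocketAddress == $sshAct.handshakeReply.destinationSocketAddress )
then
    $sshAct.getServerToClientTraffic().addAll($tcp.getCompoundFrameNumbers());
    $sshAct.replaceActivity($tcp);
end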