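/**
 * This file is part of Rubanetra.
 * Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;

import java.util.SortedSet;
import java.util.TreeSet;
import org.xbill.DNS.Record;
import java.net.InetSocketAddress;
import java.util.List;
import java.util.Set;
import java.util.HashSet;

// using the MVEL expression language, see http://mvel.codehaus.org/
dialect "mvel"

/**
 * A logger that may be used for logging custom messages
 */
global org.slf4j.Logger log;

// forward declaration
declare DroolsBaseActivity
end

/**
 * This declaration defines a SpiderOak related Activity, consisting of the DNS reply,
 * client/server socket address and the associated TlsActivity.
 */
declare SpiderOakActivity extends DroolsBaseActivity
    @role( event )
    @author( Stefan Swerk )
    @timestamp( getStartTimestamp() )
    // the DNS reply that resolved a *.spideroak.com name
    dnsAnswer : DnsActivity
    // taken from the TLS ClientHello's source socket address
    clientAddress : InetSocketAddress
    // taken from the TLS ServerHello's source socket address
    serverAddress : InetSocketAddress
    // the TLS session that was correlated with the DNS reply
    associatedTlsActivity : TlsActivity
end

/**
 * This rule is quite similar to the Dropbox TLS traffic matching rule.
 * It looks for a DNS reply to a "*.spideroak.com" query and uses the answered
 * A/AAAA addresses to probe existing, yet unmatched TlsActivities: a TlsActivity
 * whose ServerHello originates from one of those addresses is attributed to SpiderOak.
 *
 * The matched DnsActivity and TlsActivity are replaced by the new SpiderOakActivity.
 */
rule "Spideroak TLS traffic based on DnsActivity"
    when
        // A DNS reply with at least one answer record for a name below spideroak.com.
        // Every dot of the domain is escaped so that e.g. "spideroakXcom." cannot match.
        // NOTE(review): the leading "\." means the apex name "spideroak.com." itself does
        // not match (a subdomain is required) - confirm this is intended.
        $dnsReply : DnsActivity(isResponse(), !answerRecords.isEmpty(),
                                $question : dnsMessage.question.name,
                                $question.toString() matches ".*\\.spideroak\\.com\\.$")
        // A TLS session that occurred after the DNS reply, within a 10 second window.
        $tls : TlsActivity(this after[0s,10s] $dnsReply)
        // The TLS server address must equal one of the answered A or AAAA addresses.
        // Addresses are compared by their textual form (getHostAddress()); presumably
        // both sides use the same canonical representation - verify for IPv6 (e.g. scope ids).
        exists(
            ARecord($address : getAddress(),
                    $address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
                from $dnsReply.getAnswerRecords()
            or
            AAAARecord($address : getAddress(),
                       $address!.getHostAddress() == $tls.getServerHello().getSourceAddress().getHostAddress())
                from $dnsReply.getAnswerRecords()
        )
    then
        SpiderOakActivity spiderOakActivity = new SpiderOakActivity();
        spiderOakActivity.setDnsAnswer($dnsReply);
        spiderOakActivity.setClientAddress($tls.getClientHello().getSourceSocketAddress());
        spiderOakActivity.setServerAddress($tls.getServerHello().getSourceSocketAddress());
        spiderOakActivity.setAssociatedTlsActivity($tls);
        // The correlated DNS reply and TLS session are superseded by the aggregate activity.
        spiderOakActivity.replaceActivity($dnsReply);
        spiderOakActivity.replaceActivity($tls);
        insert(spiderOakActivity);
end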