/**
 * This file is part of Rubanetra.
 * Copyright (C) 2013,2014 Stefan Swerk (stefan_rubanetra@swerk.priv.at)
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
import at.jku.fim.rubanetra.protocol.activity.*;
import at.jku.fim.rubanetra.protocol.activity.tls.*;
import at.jku.fim.rubanetra.protocol.activity.http.*;
import at.jku.fim.rubanetra.protocol.activity.ip.*;
import at.jku.fim.rubanetra.protocol.activity.icmp.*;
import at.jku.fim.rubanetra.protocol.activity.dns.*;
import at.jku.fim.rubanetra.protocol.activity.tcp.*;
import java.util.HashSet;
// Rule consequences ("then" blocks) in this file are written in the MVEL expression
// language, see http://mvel.codehaus.org/ -- that is why they read like script code
// rather than Java.
dialect "mvel"

/**
 * A logger that may be used for logging custom messages.
 * The global has to be supplied by the application that loads this rule file;
 * none of the rules below currently write to it.
 */
global org.slf4j.Logger log;
/**
 * Forward declaration of DroolsBaseActivity, used so that OpenSSHActivity below can
 * extend it. The type itself is presumably provided by one of the imported activity
 * packages (its definition is not part of this file).
 */
declare DroolsBaseActivity
end
/**
 * Represents OpenSSH traffic between a client and a server.
 *
 * Declared as an event whose timestamp is taken from getStartTimestamp() (presumably
 * inherited from DroolsBaseActivity; not visible in this file), so that temporal
 * operators such as "after"/"before" can be applied to it.
 */
declare OpenSSHActivity extends DroolsBaseActivity
    @role( event )
    @timestamp( getStartTimestamp() )

    // The first TcpActivity whose payload starts with "SSH-" and contains "OpenSSH";
    // its source is treated as the client side by the traffic rules below.
    handshakeQuery : TcpActivity
    // The opposite-direction banner paired with handshakeQuery by rule "OpenSSH Handshake".
    handshakeReply : TcpActivity

    // Frame numbers collected per direction by the two "OpenSSH traffic" rules
    // (raw HashSet; element type is not declared here -- filled from compoundFrameNumbers).
    clientToServerTraffic : HashSet
    serverToClientTraffic : HashSet
end
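/**
 * Tries to identify an OpenSSH handshake by relying on the presence of the 'SSH-' prefix
 * (and the 'OpenSSH' substring) in the payload of two TCP activities travelling in
 * opposite directions on the same connection.
 *
 * This is a content heuristic, not protocol validation: whatever peer writes a matching
 * banner is classified as OpenSSH, and the banner text is controlled by the peers. Treat
 * the resulting OpenSSHActivity as a classification hint for analysis, not as proof of
 * a completed SSH session.
 *
 * Both directions are matched on source/destination socket address in addition to the
 * port pair, so two unrelated connections that happen to reuse the same ports within the
 * 10 s window are not paired with each other.
 */
rule "OpenSSH Handshake"
when
    // First banner seen; its sender is treated as the client.
    $handshakeQuery : TcpActivity( payloadString!.startsWith("SSH-"),
                                   payloadString!.contains("OpenSSH") )

    // Reply banner: a different packet, mirrored endpoints (addresses and ports),
    // observed within 10 seconds after the query.
    $handshakeReply : TcpActivity( pcapActivity != $handshakeQuery.getPcapActivity(),
                                   payloadString!.startsWith("SSH-"),
                                   payloadString!.contains("OpenSSH"),
                                   sourceSocketAddress == $handshakeQuery.destinationSocketAddress,
                                   destinationSocketAddress == $handshakeQuery.sourceSocketAddress,
                                   sourcePort == $handshakeQuery.destinationPort,
                                   destinationPort == $handshakeQuery.sourcePort,
                                   this after[0s,10s] $handshakeQuery )

    // There must not be another SSH banner on the same mirrored connection between the
    // query and the matched reply, i.e. the query is paired with the first reply only.
    not( exists TcpActivity( pcapActivity != $handshakeQuery.getPcapActivity(),
                             payloadString!.startsWith("SSH-"),
                             sourceSocketAddress == $handshakeQuery.destinationSocketAddress,
                             destinationSocketAddress == $handshakeQuery.sourceSocketAddress,
                             sourcePort == $handshakeQuery.destinationPort,
                             destinationPort == $handshakeQuery.sourcePort,
                             this before $handshakeReply, this after $handshakeQuery ) )
then
    OpenSSHActivity sshAct = new OpenSSHActivity();
    sshAct.setHandshakeQuery($handshakeQuery);
    sshAct.setHandshakeReply($handshakeReply);
    // Per-direction frame sets; populated later by the two "OpenSSH traffic" rules.
    sshAct.setClientToServerTraffic(new HashSet());
    sshAct.setServerToClientTraffic(new HashSet());
    // Fold both banner packets into the compound activity (replaceActivity is provided by
    // the base type; its exact effect on working memory is not visible in this file).
    sshAct.replaceActivity($handshakeQuery);
    sshAct.replaceActivity($handshakeReply);
    insert(sshAct);
end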
/**
 * Collects client to server traffic (TCP activities).
 *
 * Every TcpActivity with the same source and destination socket address as the handshake
 * query, whose frame is not yet part of the compound OpenSSH activity, is folded into it:
 * its compound frame numbers are recorded in clientToServerTraffic and the activity is
 * then replaced by the OpenSSHActivity.
 */
rule "OpenSSH traffic (client -> server)"
when
    $sshAct : OpenSSHActivity()
    // Same direction as the query; frames already absorbed (presumably including the
    // handshake itself) are skipped via compoundFrameNumbers.
    $segment : TcpActivity( sourceSocketAddress == $sshAct.handshakeQuery.sourceSocketAddress,
                            destinationSocketAddress == $sshAct.handshakeQuery.destinationSocketAddress,
                            pcapActivity.frameNumber not memberOf $sshAct.compoundFrameNumbers )
then
    // Record the frames of this direction, then absorb the segment.
    $sshAct.getClientToServerTraffic().addAll($segment.getCompoundFrameNumbers());
    $sshAct.replaceActivity($segment);
end
/**
 * Collects server to client traffic (TCP activities).
 *
 * Mirror of the client -> server rule: every TcpActivity with the same source and
 * destination socket address as the handshake reply, whose frame is not yet part of the
 * compound OpenSSH activity, has its compound frame numbers recorded in
 * serverToClientTraffic and is then replaced by the OpenSSHActivity.
 */
rule "OpenSSH traffic (server -> client)"
when
    $sshAct : OpenSSHActivity()
    // Same direction as the reply; frames already absorbed are skipped via
    // compoundFrameNumbers.
    $segment : TcpActivity( sourceSocketAddress == $sshAct.handshakeReply.sourceSocketAddress,
                            destinationSocketAddress == $sshAct.handshakeReply.destinationSocketAddress,
                            pcapActivity.frameNumber not memberOf $sshAct.compoundFrameNumbers )
then
    // Record the frames of this direction, then absorb the segment.
    $sshAct.getServerToClientTraffic().addAll($segment.getCompoundFrameNumbers());
    $sshAct.replaceActivity($segment);
end