diff --git a/config/tables.go b/config/tables.go
index 900a1f79..d36a9a54 100644
--- a/config/tables.go
+++ b/config/tables.go
@@ -23,6 +23,8 @@ type (
 ConnTable string `default:"conn"`
 HTTPTable string `default:"http"`
 DNSTable string `default:"dns"`
+ SSLTable string `default:"ssl"`
+ X509Table string `default:"x509"`
 UniqueConnTable string `default:"uconn"`
 HostTable string `default:"host"`
 IPv4Table string `default:"ipv4"`
diff --git a/parser/fsimporter.go b/parser/fsimporter.go
index a2465a18..718b2d37 100644
--- a/parser/fsimporter.go
+++ b/parser/fsimporter.go
@@ -461,7 +461,31 @@ func (fs *FSImporter) parseFiles(indexedFiles []*fpt.IndexedFile, parsingThreads
 mutex.Unlock()
- // stores the http record in the dns collection
+ // stores the http record in the http collection
+ // datastore.Store(&ImportedData{
+ // BroData: data,
+ // TargetDatabase: fs.res.DB.GetSelectedDB(),
+ // TargetCollection: targetCollection,
+ // })
+
+ /// *************************************************************///
+ /// SSL ///
+ /// *************************************************************///
+ } else if targetCollection == fs.res.Config.T.Structure.SSLTable {
+
+ // parseSSL := reflect.ValueOf(data).Elem()
+
+ // stores the ssl record in the ssl collection
+ // datastore.Store(&ImportedData{
+ // BroData: data,
+ // TargetDatabase: fs.res.DB.GetSelectedDB(),
+ // TargetCollection: targetCollection,
+ // })
+
+ /// *************************************************************///
+ /// x509 ///
+ /// *************************************************************///
+ } else if targetCollection == fs.res.Config.T.Structure.X509Table {
 // datastore.Store(&ImportedData{
 // BroData: data,
 // TargetDatabase: fs.res.DB.GetSelectedDB(),
diff --git a/parser/parsetypes/parsetypes.go b/parser/parsetypes/parsetypes.go
index fb4ec2c9..7a710ccd 100644
--- a/parser/parsetypes/parsetypes.go
+++ b/parser/parsetypes/parsetypes.go
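Review bot: Both new `else if` branches for `SSLTable` and `X509Table` contain only commented-out code, so unless the records are persisted further down in `parseFiles`, ssl and x509 entries produced by the factory reach these branches and are silently dropped; nothing in the hunk says whether that is intended scaffolding. If the store is deliberately deferred, add `// TODO: persist ssl/x509 records once the collection layout is settled` to each branch so the drop is visible to the next reader; otherwise uncomment the `datastore.Store(&ImportedData{...})` call in both. The leftover `// parseSSL := reflect.ValueOf(data).Elem()` should either go or say what it is a placeholder for. The enclosing `parseFiles` begins and ends outside this hunk.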
@@ -30,6 +30,14 @@ func NewBroDataFactory(fileType string) func() BroData {
 return func() BroData {
 return &HTTP{}
 }
+ case "ssl":
+ return func() BroData {
+ return &SSL{}
+ }
+ case "x509":
+ return func() BroData {
+ return &x509{}
+ }
 case "freq":
 return func() BroData {
 return &Freq{}
diff --git a/parser/parsetypes/ssl.go b/parser/parsetypes/ssl.go
new file mode 100644
index 00000000..65fa05a9
--- /dev/null
+++ b/parser/parsetypes/ssl.go
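Review bot: `x509` is the only type returned from this factory with an unexported name, sitting next to `&SSL{}`, `&HTTP{}` and `&Freq{}`; it also reuses the name of the standard `crypto/x509` package, so any file in this package that later needs the stdlib certificate parser would have to alias one of the two. Renaming the type to `X509` (and updating its two method receivers) keeps the naming consistent with the other BroData types, while the `case "x509":` string key stays as it is. The remainder of NewBroDataFactory's switch lies outside the hunk.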
@@ -0,0 +1,100 @@
+package parsetypes
+
+import (
+ "github.com/activecm/rita/config"
+)
+
+type (
+ // SSL provides a data structure for bro's connection data
+ SSL struct {
+ // TimeStamp of this connection
+ TimeStamp int64 `bson:"ts" bro:"ts" brotype:"time"`
+ // UID is the Unique Id for this connection (generated by Bro)
+ UID string `bson:"uid" bro:"uid" brotype:"string"`
+ // Source is the source address for this connection
+ Source string `bson:"id_orig_h" bro:"id.orig_h" brotype:"addr"`
+ // SourcePort is the source port of this connection
+ SourcePort int `bson:"id_orig_p" bro:"id.orig_p" brotype:"port"`
+ // Destination is the destination of the connection
+ Destination string `bson:"id_resp_h" bro:"id.resp_h" brotype:"addr"`
+ // DestinationPort is the port at the destination host
+ DestinationPort int `bson:"id_resp_p" bro:"id.resp_p" brotype:"port"`
+ // VersionNum : Numeric SSL/TLS version that the server chose
+ VersionNum int `bson:"version_num" bro:"version_num" brotype:"count"`
+ // Version : SSL/TLS version that the server chose
+ Version string `bson:"version" bro:"version" brotype:"string"`
+ // Cipher : SSL/TLS cipher suite that the server chose
+ Cipher string `bson:"cipher" bro:"cipher" brotype:"string"`
+ // Curve : Elliptic curve the server chose when using ECDH/ECDHE
+ Curve string `bson:"curve" bro:"curve" brotype:"string"`
+ // ServerName : Value of the Server Name Indicator SSL/TLS extension.
+ // It indicates the server name that the client was requesting.
+ ServerName string `bson:"server_name" bro:"server_name" brotype:"string"`
+ // SessionID : Session ID offered by the client for session resumption.
+ // Not used for logging.
+ SessionID string `bson:"session_id" bro:"session_id" brotype:"string"`
+ // Resumed : Flag to indicate if the session was resumed reusing the key
+ // material exchanged in an earlier connection
+ Resumed bool `bson:"resumed" bro:"resumed" brotype:"bool"`
+ // ClientTicketEmptySessionSeen : Flag to indicate if we saw a non-empty
+ // session ticket being sent by the client using an empty session ID.
+ // This value is used to determine if a session is being resumed.
+ // It’s not logged. Note: may not be present in older bro versions.
+ ClientTicketEmptySessionSeen bool `bson:"client_ticket_empty_session_seen" bro:"client_ticket_empty_session_seen" brotype:"bool"`
+ // ClientKeyExchangeSeen :Flag to indicate if we saw a client key exchange
+ // message sent by the client. This value is used to determine if a session
+ // is being resumed. It’s not logged.
+ // Note: may not be present in older bro versions.
+ ClientKeyExchangeSeen bool `bson:"client_key_exchange_seen" bro:"client_key_exchange_seen" brotype:"bool"`
+ // ServerAppData : Count to track if the server already sent an application
+ // data packet for TLS 1.3. Used to track when a session was established
+ // Note: may not be present in older bro versions.
+ ServerAppData int `bson:"server_appdata" bro:"server_appdata" brotype:"count"`
+ // ClientAppData : Flag to track if the client already sent an application
+ // data packet for TLS 1.3. Used to track when a session was established
+ // Note: may not be present in older bro versions.
+ ClientAppData bool `bson:"client_appdata" bro:"client_appdata" brotype:"bool"`
+ // LastAlert : Last alert that was seen during the connection.
+ LastAlert string `bson:"last_alert" bro:"last_alert" brotype:"string"`
+ // NextProtocol : Next protocol the server chose using the application layer
+ // next protocol extension, if present.
+ NextProtocol string `bson:"next_protocol" bro:"next_protocol" brotype:"string"`
+ // AnalyzerID : The analyzer ID used for the analyzer instance attached to
+ // each connection. It is not used for logging since it’s a meaningless
+ // arbitrary number. Note: may not be present in older bro versions.
+ AnalyzerID int `bson:"analyzer_id" bro:"analyzer_id" brotype:"count"`
+ // Established : Flag to indicate if this ssl session has been established
+ // successfully, or if it was aborted during the handshake
+ Established bool `bson:"established" bro:"established" brotype:"bool"`
+ // Logged : Flag to indicate if this record already has been logged, to
+ // prevent duplicates. Note: may not be present in older bro versions.
+ Logged bool `bson:"logged" bro:"logged" brotype:"bool"`
+ // CertChainFuids
+ CertChainFuids []string `bson:"cert_chain" bro:"cert_chain" brotype:"vector[string]"`
+ // ClientCertChainFuids
+ ClientCertChainFuids []string `bson:"client_cert_chain_fuids" bro:"client_cert_chain_fuids" brotype:"vector[string]"`
+ // Subject
+ Subject string `bson:"subject" bro:"subject" brotype:"string"`
+ // Issuer
+ Issuer string `bson:"issuer" bro:"issuer" brotype:"string"`
+ // ClientSubject
+ ClientSubject string `bson:"client_subject" bro:"client_subject" brotype:"string"`
+ // ClientIssuer
+ ClientIssuer string `bson:"client_issuer" bro:"client_issuer" brotype:"string"`
+ // ValidationStatus
+ ValidationStatus string `bson:"validation_status" bro:"validation_status" brotype:"string"`
+ // ValidationCode : Numeric SSL/TLS version that the server chose
+ ValidationCode int `bson:"validation_code" bro:"validation_code" brotype:"int"`
+ }
+)
+
+//TargetCollection returns the mongo collection this entry should be inserted
+//into
+func (in *SSL) TargetCollection(config *config.StructureTableCfg) string {
+ return config.SSLTable
+}
+
+//Indices gives MongoDB indices that should be used with the collection
+func (in *SSL) Indices() []string {
+ return []string{"$hashed:id_orig_h", "$hashed:id_resp_h"}
+}
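Review bot: The server certificate chain field is tagged `bro:"cert_chain"` while its client counterpart two lines below is tagged `client_cert_chain_fuids` and the Go field itself is named `CertChainFuids`; if the `bro` tag is what the importer matches against ssl.log column names, the server chain file ids, which are the only link from an ssl record to its x509 records and therefore what any certificate-based detection depends on, would never be populated. Presumably the intended tag is `bro:"cert_chain_fuids"` (with `bson:"cert_chain_fuids"` to match); confirm against the bro version the project targets. The comment on `ValidationCode` is a copy-paste of VersionNum's and should instead read something like `// ValidationCode : Numeric result of certificate validation for this connection`, and the type doc `// SSL provides a data structure for bro's connection data` should say it holds bro's ssl data. Several fields whose own comments say they are not logged (SessionID, ClientTicketEmptySessionSeen, ClientKeyExchangeSeen, AnalyzerID, Logged) can never be filled from an ssl.log and will only add empty keys to every stored document; consider dropping them or noting why they are kept.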
@@ -0,0 +1,63 @@
+package parsetypes
+
+import (
+ "github.com/activecm/rita/config"
+)
+
+type (
+ // x509 provides a data structure for bro's connection data
+ x509 struct {
+ // TimeStamp of this connection
+ TimeStamp int64 `bson:"ts" bro:"ts" brotype:"time"`
+ // FileID is the file id of this certificate.
+ FileID string `bson:"file_id" bro:"id" brotype:"string"`
+ // CertificateVersion : version number
+ CertificateVersion int `bson:"cert_version" bro:"certificate.version" brotype:"count"`
+ // CertificateSerial : serial number
+ CertificateSerial string `bson:"cert_serial" bro:"certificate.serial" brotype:"string"`
+ // CertificateSubject : subject
+ CertificateSubject string `bson:"cert_subject" bro:"certificate.subject" brotype:"string"`
+ // CertificateIssuer : issuer
+ CertificateIssuer string `bson:"cert_issuer" bro:"certificate.issuer" brotype:"string"`
+ // CommonName : last (most specific) common name
+ CommonName string `bson:"common_name" bro:"cn" brotype:"string"`
+ // CertNotValidBefore : Timestamp before when certificate is not valid.
+ CertNotValidBefore int64 `bson:"cert_not_valid_before" bro:"certificate.not_valid_before" brotype:"time"`
+ // CertNotValidAfter : Timestamp after when certificate is not valid
+ CertNotValidAfter int64 `bson:"cert_not_valid_after" bro:"certificate.not_valid_after" brotype:"time"`
+ // CertificateKeyAlg : Name of the key algorithm
+ CertificateKeyAlg string `bson:"cert_key_alg" bro:"certificate.key_alg" brotype:"string"`
+ // CertificateSigAlg : Name of the signature algorithm
+ CertificateSigAlg string `bson:"cert_sig_alg" bro:"certificate.sig_alg" brotype:"string"`
+ // CertificateKeyType : Key type, if key parseable by openssl (either rsa, dsa or ec)
+ CertificateKeyType string `bson:"cert_key_type" bro:"certificate.key_type" brotype:"string"`
+ // CertificateKeyLength : Key length in bits
+ CertificateKeyLength int `bson:"cert_key_length" bro:"certificate.key_length" brotype:"count"`
+ // CertificateExponent : Exponent, if RSA-certificate
+ CertificateExponent string `bson:"cert_exponent" bro:"certificate.exponent" brotype:"string"`
+ // CertificateCurve : Curve, if EC-certificate
+ CertificateCurve string `bson:"cert_curve" bro:"certificate.curve" brotype:"string"`
+ // SanDNS : List of DNS entries in SAN (subject alternative name)
+ SanDNS []string `bson:"san_dns" bro:"san.dns" brotype:"vector[string]"`
+ // SanURI : List of URI entries in SAN (subject alternative name)
+ SanURI []string `bson:"san_uri" bro:"san.uri" brotype:"vector[string]"`
+ // SanEmail : List of email entries in SAN (subject alternative name)
+ SanEmail []string `bson:"san_email" bro:"san.email" brotype:"vector[string]"`
+ // SanIP : List of IP entries in SAN (subject alternative name)
+ SanIP []string `bson:"san_ip" bro:"san.ip" brotype:"vector[addr]"`
+ // BasicConstraintsCA : CA flag set?
+ BasicConstraintsCA bool `bson:"basic_constraints_ca" bro:"basic_constraints.ca" brotype:"bool"`
+ // BasicConstraintsPathLen: Maximum path length
+ BasicConstraintsPathLen bool `bson:"basic_constraints_path_len" bro:"basic_constraints.path_len" brotype:"count"`
+ }
+)
+
+//TargetCollection returns the mongo collection this entry should be inserted into
+func (in *x509) TargetCollection(config *config.StructureTableCfg) string {
+ return config.X509Table
+}
+
+//Indices gives MongoDB indices that should be used with the collection
+func (in *x509) Indices() []string {
+ return []string{"$hashed:file_id"}
+}
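Review bot: `BasicConstraintsPathLen` is declared `bool` although its tag says `brotype:"count"` and its comment says it is the maximum path length; every other `count` field in this struct (`CertificateVersion`, `CertificateKeyLength`) is an `int`, so a path length such as 0 or 2 cannot be represented in this field and, depending on how the importer converts counts, will either fail to parse or collapse to true/false, which matters because the path length is part of the CA constraint a chain validator enforces. Change the field's Go type from `bool` to `int` and leave the tags as they are. The type comment `// x509 provides a data structure for bro's connection data` is copied from the conn type and should say the struct holds one certificate record from bro's x509 log.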