added ssl and x509 log parsing

config/tables.go

@@ -23,6 +23,8 @@ type (
 		ConnTable         string `default:"conn"`
 		HTTPTable         string `default:"http"`
 		DNSTable          string `default:"dns"`
+		SSLTable          string `default:"ssl"`
+		X509Table         string `default:"x509"`
 		UniqueConnTable   string `default:"uconn"`
 		HostTable         string `default:"host"`
 		IPv4Table         string `default:"ipv4"`

parser/fsimporter.go

@@ -461,7 +461,31 @@ func (fs *FSImporter) parseFiles(indexedFiles []*fpt.IndexedFile, parsingThreads
 
 							mutex.Unlock()
 
-							// stores the http record in the dns collection
+							// stores the http record in the http collection
+							// datastore.Store(&ImportedData{
+							// 	BroData:          data,
+							// 	TargetDatabase:   fs.res.DB.GetSelectedDB(),
+							// 	TargetCollection: targetCollection,
+							// })
+
+							/// *************************************************************///
+							///                             SSL                             ///
+							/// *************************************************************///
+						} else if targetCollection == fs.res.Config.T.Structure.SSLTable {
+
+							// parseSSL := reflect.ValueOf(data).Elem()
+
+							// stores the ssl record in the ssl collection
+							// datastore.Store(&ImportedData{
+							// 	BroData:          data,
+							// 	TargetDatabase:   fs.res.DB.GetSelectedDB(),
+							// 	TargetCollection: targetCollection,
+							// })
+
+							/// *************************************************************///
+							///                             x509                             ///
+							/// *************************************************************///
+						} else if targetCollection == fs.res.Config.T.Structure.X509Table {
 							// datastore.Store(&ImportedData{
 							// 	BroData:          data,
 							// 	TargetDatabase:   fs.res.DB.GetSelectedDB(),

parser/parsetypes/parsetypes.go

@@ -30,6 +30,14 @@ func NewBroDataFactory(fileType string) func() BroData {
 		return func() BroData {
 			return &HTTP{}
 		}
+	case "ssl":
+		return func() BroData {
+			return &SSL{}
+		}
+	case "x509":
+		return func() BroData {
+			return &x509{}
+		}
 	case "freq":
 		return func() BroData {
 			return &Freq{}

parser/parsetypes/ssl.go

@@ -0,0 +1,100 @@
+package parsetypes
+
+import (
+	"github.com/activecm/rita/config"
+)
+
+type (
+	// SSL provides a data structure for bro's connection data
+	SSL struct {
+		// TimeStamp of this connection
+		TimeStamp int64 `bson:"ts" bro:"ts" brotype:"time"`
+		// UID is the Unique Id for this connection (generated by Bro)
+		UID string `bson:"uid" bro:"uid" brotype:"string"`
+		// Source is the source address for this connection
+		Source string `bson:"id_orig_h" bro:"id.orig_h" brotype:"addr"`
+		// SourcePort is the source port of this connection
+		SourcePort int `bson:"id_orig_p" bro:"id.orig_p" brotype:"port"`
+		// Destination is the destination of the connection
+		Destination string `bson:"id_resp_h" bro:"id.resp_h" brotype:"addr"`
+		// DestinationPort is the port at the destination host
+		DestinationPort int `bson:"id_resp_p" bro:"id.resp_p" brotype:"port"`
+		// VersionNum  : Numeric SSL/TLS version that the server chose
+		VersionNum int `bson:"version_num" bro:"version_num" brotype:"count"`
+		// Version : SSL/TLS version that the server chose
+		Version string `bson:"version" bro:"version" brotype:"string"`
+		// Cipher : SSL/TLS cipher suite that the server chose
+		Cipher string `bson:"cipher" bro:"cipher" brotype:"string"`
+		// Curve : Elliptic curve the server chose when using ECDH/ECDHE
+		Curve string `bson:"curve" bro:"curve" brotype:"string"`
+		// ServerName : Value of the Server Name Indicator SSL/TLS extension.
+		// It indicates the server name that the client was requesting.
+		ServerName string `bson:"server_name" bro:"server_name" brotype:"string"`
+		// SessionID : Session ID offered by the client for session resumption.
+		// Not used for logging.
+		SessionID string `bson:"session_id" bro:"session_id" brotype:"string"`
+		// Resumed : Flag to indicate if the session was resumed reusing the key
+		// material exchanged in an earlier connection
+		Resumed bool `bson:"resumed" bro:"resumed" brotype:"bool"`
+		// ClientTicketEmptySessionSeen : Flag to indicate if we saw a non-empty
+		// session ticket being sent by the client using an empty session ID.
+		// This value is used to determine if a session is being resumed.
+		// It’s not logged.  Note: may not be present in older bro versions.
+		ClientTicketEmptySessionSeen bool `bson:"client_ticket_empty_session_seen" bro:"client_ticket_empty_session_seen" brotype:"bool"`
+		// ClientKeyExchangeSeen :Flag to indicate if we saw a client key exchange
+		// message sent by the client. This value is used to determine if a session
+		// is being resumed. It’s not logged.
+		// Note: may not be present in older bro versions.
+		ClientKeyExchangeSeen bool `bson:"client_key_exchange_seen" bro:"client_key_exchange_seen" brotype:"bool"`
+		// ServerAppData : Count to track if the server already sent an application
+		// data packet for TLS 1.3. Used to track when a session was established
+		// Note: may not be present in older bro versions.
+		ServerAppData int `bson:"server_appdata" bro:"server_appdata" brotype:"count"`
+		// ClientAppData : Flag to track if the client already sent an application
+		// data packet for TLS 1.3. Used to track when a session was established
+		// Note: may not be present in older bro versions.
+		ClientAppData bool `bson:"client_appdata" bro:"client_appdata" brotype:"bool"`
+		// LastAlert : Last alert that was seen during the connection.
+		LastAlert string `bson:"last_alert" bro:"last_alert" brotype:"string"`
+		// NextProtocol : Next protocol the server chose using the application layer
+		// next protocol extension, if present.
+		NextProtocol string `bson:"next_protocol" bro:"next_protocol" brotype:"string"`
+		// AnalyzerID : The analyzer ID used for the analyzer instance attached to
+		// each connection. It is not used for logging since it’s a meaningless
+		// arbitrary number. Note: may not be present in older bro versions.
+		AnalyzerID int `bson:"analyzer_id" bro:"analyzer_id" brotype:"count"`
+		// Established : Flag to indicate if this ssl session has been established
+		// successfully, or if it was aborted during the handshake
+		Established bool `bson:"established" bro:"established" brotype:"bool"`
+		// Logged : Flag to indicate if this record already has been logged, to
+		// prevent duplicates. Note: may not be present in older bro versions.
+		Logged bool `bson:"logged" bro:"logged" brotype:"bool"`
+		// CertChainFuids
+		CertChainFuids []string `bson:"cert_chain" bro:"cert_chain" brotype:"vector[string]"`
+		// ClientCertChainFuids
+		ClientCertChainFuids []string `bson:"client_cert_chain_fuids"  bro:"client_cert_chain_fuids" brotype:"vector[string]"`
+		// Subject
+		Subject string `bson:"subject"  bro:"subject" brotype:"string"`
+		// Issuer
+		Issuer string `bson:"issuer"  bro:"issuer" brotype:"string"`
+		// ClientSubject
+		ClientSubject string `bson:"client_subject"  bro:"client_subject" brotype:"string"`
+		// ClientIssuer
+		ClientIssuer string `bson:"client_issuer"  bro:"client_issuer" brotype:"string"`
+		// ValidationStatus
+		ValidationStatus string `bson:"validation_status"  bro:"validation_status" brotype:"string"`
+		// ValidationCode  : Numeric SSL/TLS version that the server chose
+		ValidationCode int `bson:"validation_code" bro:"validation_code" brotype:"int"`
+	}
+)
+
+//TargetCollection returns the mongo collection this entry should be inserted
+//into
+func (in *SSL) TargetCollection(config *config.StructureTableCfg) string {
+	return config.SSLTable
+}
+
+//Indices gives MongoDB indices that should be used with the collection
+func (in *SSL) Indices() []string {
+	return []string{"$hashed:id_orig_h", "$hashed:id_resp_h"}
+}

parser/parsetypes/x509.go

@@ -0,0 +1,63 @@
+package parsetypes
+
+import (
+	"github.com/activecm/rita/config"
+)
+
+type (
+	// x509 provides a data structure for bro's connection data
+	x509 struct {
+		// TimeStamp of this connection
+		TimeStamp int64 `bson:"ts" bro:"ts" brotype:"time"`
+		// FileID is the file id of this certificate.
+		FileID string `bson:"file_id" bro:"id" brotype:"string"`
+		// CertificateVersion : version number
+		CertificateVersion int `bson:"cert_version" bro:"certificate.version" brotype:"count"`
+		// CertificateSerial : serial number
+		CertificateSerial string `bson:"cert_serial" bro:"certificate.serial" brotype:"string"`
+		// CertificateSubject : subject
+		CertificateSubject string `bson:"cert_subject" bro:"certificate.subject" brotype:"string"`
+		// CertificateIssuer : issuer
+		CertificateIssuer string `bson:"cert_issuer" bro:"certificate.issuer" brotype:"string"`
+		// CommonName : last (most specific) common name
+		CommonName string `bson:"common_name" bro:"cn" brotype:"string"`
+		// CertNotValidBefore : Timestamp before when certificate is not valid.
+		CertNotValidBefore int64 `bson:"cert_not_valid_before" bro:"certificate.not_valid_before" brotype:"time"`
+		// CertNotValidAfter : Timestamp after when certificate is not valid
+		CertNotValidAfter int64 `bson:"cert_not_valid_after" bro:"certificate.not_valid_after" brotype:"time"`
+		// CertificateKeyAlg : Name of the key algorithm
+		CertificateKeyAlg string `bson:"cert_key_alg" bro:"certificate.key_alg" brotype:"string"`
+		// CertificateSigAlg : Name of the signature algorithm
+		CertificateSigAlg string `bson:"cert_sig_alg" bro:"certificate.sig_alg" brotype:"string"`
+		// CertificateKeyType : Key type, if key parseable by openssl (either rsa, dsa or ec)
+		CertificateKeyType string `bson:"cert_key_type" bro:"certificate.key_type" brotype:"string"`
+		// CertificateKeyLength : Key length in bits
+		CertificateKeyLength int `bson:"cert_key_length" bro:"certificate.key_length" brotype:"count"`
+		// CertificateExponent : Exponent, if RSA-certificate
+		CertificateExponent string `bson:"cert_exponent" bro:"certificate.exponent" brotype:"string"`
+		// CertificateCurve : Curve, if EC-certificate
+		CertificateCurve string `bson:"cert_curve" bro:"certificate.curve" brotype:"string"`
+		// SanDNS : List of DNS entries in SAN (subject alternative name)
+		SanDNS []string `bson:"san_dns" bro:"san.dns" brotype:"vector[string]"`
+		// SanURI : List of URI entries in SAN (subject alternative name)
+		SanURI []string `bson:"san_uri" bro:"san.uri" brotype:"vector[string]"`
+		// SanEmail : List of email entries in SAN (subject alternative name)
+		SanEmail []string `bson:"san_email" bro:"san.email" brotype:"vector[string]"`
+		// SanIP : List of IP entries in SAN (subject alternative name)
+		SanIP []string `bson:"san_ip" bro:"san.ip" brotype:"vector[addr]"`
+		// BasicConstraintsCA : CA flag set?
+		BasicConstraintsCA bool `bson:"basic_constraints_ca" bro:"basic_constraints.ca" brotype:"bool"`
+		// BasicConstraintsPathLen: Maximum path length
+		BasicConstraintsPathLen bool `bson:"basic_constraints_path_len" bro:"basic_constraints.path_len" brotype:"count"`
+	}
+)
+
+//TargetCollection returns the mongo collection this entry should be inserted into
+func (in *x509) TargetCollection(config *config.StructureTableCfg) string {
+	return config.X509Table
+}
+
+//Indices gives MongoDB indices that should be used with the collection
+func (in *x509) Indices() []string {
+	return []string{"$hashed:file_id"}
+}