Merge branch 'master' of github.com:jeffbryner/MozDef

pull master

examples/heka-lua-bro/bro_conn.lua

@@ -60,7 +60,6 @@ function process_message()
         return 0
     end
 
-    -- avoid logging UDP/TCP connections for UDP, remove that if you care
     if matches[8] == "dns" then 
         inject_message(msg)
         return 0 
@@ -81,13 +80,17 @@ function process_message()
     msg.Fields['responsebytes_int'] = toNumber(matches[11])
     msg.Fields['connectionstate'] = toString(matches[12])
     msg.Fields['local_origin'] = toString(matches[13])
-    msg.Fields['missedbytes_int'] = toNumber(matches[14])
-    msg.Fields['history'] = toString(matches[15])
-    msg.Fields['originpkts_int'] = toNumber(matches[16])
-    msg.Fields['originipbytes_int'] = toNumber(matches[17])
-    msg.Fields['responsepackets_int'] = toNumber(matches[18])
-    msg.Fields['responseipbytes_int'] = toNumber(matches[19])
-    msg.Fields['tunnelparents'] = lastField(toString(matches[20]))
+    msg.Fields['local_resp'] = toString(matches[14])
+    msg.Fields['missedbytes_int'] = toNumber(matches[15])
+    msg.Fields['history'] = toString(matches[16])
+    msg.Fields['originpkts_int'] = toNumber(matches[17])
+    msg.Fields['originipbytes_int'] = toNumber(matches[18])
+    msg.Fields['responsepackets_int'] = toNumber(matches[19])
+    msg.Fields['responseipbytes_int'] = toNumber(matches[20])
+    msg.Fields['tunnelparents'] = toString(matches[21])
+    msg.Fields['orig_cc'] = toString(matches[22])
+    msg.Fields['resp_cc'] = toString(matches[23])
+    msg.Fields['peername'] = lastField(toString(matches[24]))
     msg['Payload'] = toString(msg.Fields['sourceipaddress']) .. ":" .. toString(msg.Fields['sourceport']) .. " -> " .. toString(msg.Fields['destinationipaddress']) .. ":" .. toString(msg.Fields['destinationport']) .. " " .. toString(msg.Fields['history']) .. " " .. toString(msg.Fields['originipbytes_int']) .. " bytes / " .. toString(msg.Fields['responseipbytes_int']) .. " bytes"
     inject_message(msg)
     return 0

examples/heka-lua-bro/bro_dns.lua

@@ -78,15 +78,26 @@ function process_message()
         return 0
     end
 
-    if string.find(matches[9], "domainiignore.com$") then
+    if string.find(matches[9], "mozilla.com$") then
 	inject_message(msg)
 	return 0
     end
-    if string.find(matches[9], "anotherignoreddomain.org$") then
+    if string.find(matches[9], "mozilla.org$") then
+	inject_message(msg)
+	return 0
+    end
+    if string.find(matches[9], "allizom.org$") then
+	inject_message(msg)
+	return 0
+    end
+    if matches[9] == "ssh.github.com" then
+	inject_message(msg)
+	return 0
+    end
+    if matches[9] == "js-agent.newrelic.com" then
 	inject_message(msg)
 	return 0
     end
-    -- avoid logging SMB DNS queries and answers. Remove this if you care.
     if matches[13] == "NBSTAT" then
         inject_message(msg)
         return 0

examples/heka-lua-bro/bro_http.lua

@@ -107,14 +107,19 @@ function process_message()
     msg.Fields['orig_mime_types'] = truncate(toString(matches[25]))
     msg.Fields['resp_fuids'] = truncate(toString(matches[26]))
     msg.Fields['resp_mime_types'] = truncate(toString(matches[27]))
-    if lastField(toString(matches[28])) ~= nil then
-        msg.Fields['cluster_client_ip'] = lastField(toString(matches[28]))
+    if toString(matches[28]) ~= nil then
+        msg.Fields['cluster_client_ip'] = toString(matches[28])
     end
     if msg.Fields['cluster_client_ip'] ~= nil then
         msg.Fields['summary'] = nilToString(msg.Fields['cluster_client_ip'])
     else
         msg.Fields['summary'] = nilToString(msg.Fields['sourceipaddress'])
     end
+    if lastField(toString(matches[29])) ~= nil then
+        msg.Fields['backend_server'] = lastField(truncate(toString(matches[29])))
+    else
+        msg.Fields['resp_mime_types'] = lastField(truncate(toString(matches[27])))
+    end
     msg.Fields['summary'] = msg.Fields['summary'] .. " - " .. nilToString(msg.Fields['method']) .. " " .. nilToString(msg.Fields['host']) .. nilToString(msg.Fields['uri']) .. " " .. nilToString(msg.Fields['status_code_int'])
     inject_message(msg)
     return 0

examples/heka-lua-bro/bro_intel.lua

@@ -76,7 +76,10 @@ function process_message()
     msg.Fields['seenindicator'] = toString(matches[10])
     msg.Fields['seenindicatortype'] = toString(matches[11])
     msg.Fields['seenwhere'] = toString(matches[12])
-    msg.Fields['sources'] = lastField(toString(matches[13]))
+    msg.Fields['seennode'] = toString(matches[13])
+    -- because seen.cluster_client_ip is 14 and also the last field
+    msg.Fields['sources'] = toString(matches[15])
+    msg.Fields['clusterclientip'] = lastField(toString(matches[16]))
     msg['Payload'] = "Bro intel match: " .. toString(msg.Fields['seenindicator'])
     inject_message(msg)
     return 0

examples/heka-lua-bro/bro_known_certs.lua

@@ -0,0 +1,73 @@
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0. If a copy of the MPL was not distributed with this
+-- file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-- Copyright (c) 2014 Mozilla Corporation
+--
+-- Contributors:
+-- Anthony Verez averez@mozilla.com
+-- Jeff Bryner jbryner@mozilla.com
+-- Michal Purzynski mpurzynski@mozilla.com
+
+require "lpeg"
+require "string"
+-- Some magic for parsing tab-separated logs
+local sep = lpeg.P"\t"
+local elem = lpeg.C((1-sep)^0)
+local grammar = -lpeg.P"#" * lpeg.Ct(elem * (sep * elem)^0) -- ignore comment, split on tabs, return as table
+
+local msg = {
+    Type = "bro_known_certs",
+    Logger = "nsm",
+    Fields = {
+        -- Initializing our fields
+        ['ts'] = nil,
+        ['host'] = nil,
+        ['port_num_int'] = nil,
+        ['subject'] = nil,
+        ['issuer_subject'] = nil,
+        ['serial'] = nil,
+        summary = nil,
+        severity = "INFO",
+        category = "bro_known_certs",
+        tags = "nsm,bro,known_certs"
+    }
+}
+
+function toString(value)
+    if value == "-" then
+        return nil
+    end
+    return value
+end
+
+function nilToString(value)
+    if value == nil then
+        return ""
+    end
+    return value
+end
+
+function toNumber(value)
+    if value == "-" then
+        return nil
+    end
+    return tonumber(value)
+end
+
+function process_message()
+    local log = read_message("Payload")
+
+    local matches = grammar:match(log)
+    if not matches then return -1 end
+
+    msg.Fields['ts'] = toString(matches[1])
+    msg.Fields['host'] = toString(matches[2])
+    msg.Fields['port_num_int'] = toNumber(matches[3])
+    msg.Fields['subject'] = toString(matches[4])
+    msg.Fields['issuer_subject'] = toString(matches[5])
+    msg.Fields['serial'] = toString(string.sub(matches[6], 1, -2)) -- remove last "\n"
+    msg.Fields['summary'] = nilToString(msg.Fields['host']) .. ":".. nilToString(msg.Fields['port_num_int']) .. " " .. nilToString(msg.Fields['subject'])
+    inject_message(msg)
+    return 0
+end
+

examples/heka-lua-bro/bro_known_devices.lua

@@ -0,0 +1,64 @@
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0. If a copy of the MPL was not distributed with this
+-- file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-- Copyright (c) 2014 Mozilla Corporation
+--
+-- Contributors:
+-- Anthony Verez averez@mozilla.com
+-- Jeff Bryner jbryner@mozilla.com
+-- Michal Purzynski mpurzynski@mozilla.com
+
+local l=require "lpeg"
+local string=require "string"
+l.locale(l) --add locale entries in the lpeg table
+local space = l.space^0  --define a space constant
+local sep = l.P"\t"
+local elem = l.C((1-sep)^0)
+grammar = l.Ct(elem * (sep * elem)^0) -- split on tabs, return as table
+
+function toString(value)
+    if value == "-" then
+        return nil
+    end
+    return value
+end
+
+function nilToString(value)
+    if value == nil then
+        return ""
+    end
+    return value
+end
+
+function process_message()
+    local log = read_message("Payload")
+
+    --set a default msg that heka's
+    --message matcher can ignore via a message matcher:
+    -- message_matcher = "( Type!='heka.all-report' && Type != 'IGNORE' )"
+    local msg = {
+        Type = "IGNORE",
+        Fields={}
+    } 
+    local matches = grammar:match(log)
+    if not matches then
+        --return 0 to not propogate errors to heka's log.
+        --return a message with IGNORE type to not match heka's message matcher
+        inject_message(msg)
+        return 0 
+    end
+    if string.sub(log,1,1)=='#' then
+        --it's a comment line
+        inject_message(msg)
+        return 0
+    end
+
+    msg['Type']='broknownhosts'
+    msg['Logger']='nsm'
+    msg['ts'] = toString(matches[1])
+    msg.Fields['host'] = toString(matches[2])
+    msg['Payload'] = "New host: " .. nilToString(msg.Fields['host'])
+    inject_message(msg)
+    return 0
+end
+

examples/heka-lua-bro/bro_known_services.lua

@@ -0,0 +1,64 @@
+-- This Source Code Form is subject to the terms of the Mozilla Public
+-- License, v. 2.0. If a copy of the MPL was not distributed with this
+-- file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-- Copyright (c) 2014 Mozilla Corporation
+--
+-- Contributors:
+-- Anthony Verez averez@mozilla.com
+-- Jeff Bryner jbryner@mozilla.com
+-- Michal Purzynski mpurzynski@mozilla.com
+
+local l=require "lpeg"
+local string=require "string"
+l.locale(l) --add locale entries in the lpeg table
+local space = l.space^0  --define a space constant
+local sep = l.P"\t"
+local elem = l.C((1-sep)^0)
+grammar = l.Ct(elem * (sep * elem)^0) -- split on tabs, return as table
+
+function toString(value)
+    if value == "-" then
+        return nil
+    end
+    return value
+end
+
+function nilToString(value)
+    if value == nil then
+        return ""
+    end
+    return value
+end
+
+function process_message()
+    local log = read_message("Payload")
+
+    --set a default msg that heka's
+    --message matcher can ignore via a message matcher:
+    -- message_matcher = "( Type!='heka.all-report' && Type != 'IGNORE' )"
+    local msg = {
+        Type = "IGNORE",
+        Fields={}
+    } 
+    local matches = grammar:match(log)
+    if not matches then
+        --return 0 to not propogate errors to heka's log.
+        --return a message with IGNORE type to not match heka's message matcher
+        inject_message(msg)
+        return 0 
+    end
+    if string.sub(log,1,1)=='#' then
+        --it's a comment line
+        inject_message(msg)
+        return 0
+    end
+
+    msg['Type']='broknownhosts'
+    msg['Logger']='nsm'
+    msg['ts'] = toString(matches[1])
+    msg.Fields['host'] = toString(matches[2])
+    msg['Payload'] = "New host: " .. nilToString(msg.Fields['host'])
+    inject_message(msg)
+    return 0
+end
+

examples/heka-lua-bro/bro_notice.lua

@@ -84,14 +84,14 @@ function process_message()
     end
 
     if string.find(matches[13], toString("unknown-")) then
-        --noise from incorrect ssl parsing, should be fixed in Bro 2.4
+        --noise from incorrect ssl parsing
         --unknown-6518900,unknown-11273317,unknown-4522550,unknown-12624352,unknown-4609124,unknown-12586245
         inject_message(msg)
         return 0
     end
 
     if string.find(matches[13], toString("empty")) then
-        --noise from incorrect ssl parsing, should be fixed in Bro 2.4
+        --noise from incorrect ssl parsing
 	-- (empty)
         inject_message(msg)
         return 0
@@ -119,7 +119,7 @@ function process_message()
     msg.Fields['peer_descr'] = toString(matches[18])
     msg.Fields['actions'] = toString(matches[19])
     msg.Fields['suppress_for'] = toString(matches[20])
-    msg.Fields['dropped'] = lastField(toString(matches[21]))
+    msg.Fields['dropped'] = toString(matches[21])
     msg['Payload'] = toString(msg.Fields['note']) .. " " .. toString(msg.Fields['msg']) .. " " .. toString(msg.Fields['sub'])
     inject_message(msg)
     return 0