0 parents
commit 5b62d50
Showing
36 changed files
with
2,358 additions
and
0 deletions.
@@ -0,0 +1,3 @@ | ||
0.1 | 2020-01-17 | ||
|
||
* Initial release of IKEv2 parser |
@@ -0,0 +1,24 @@ | ||
|
||
cmake_minimum_required(VERSION 2.8) | ||
|
||
project(BroPluginIKEv2) | ||
|
||
include(BroPlugin) | ||
|
||
bro_plugin_begin(Zeek IKEv2) | ||
bro_plugin_cc(src/IKEv2.cc src/Plugin.cc) | ||
bro_plugin_bif(src/events.bif src/types.bif) | ||
bro_plugin_pac( src/IKEv2.pac | ||
src/IKEv2-protocol.pac | ||
src/IKEv2-analyzer.pac | ||
) | ||
bro_plugin_dist_files(README CHANGES COPYING VERSION) | ||
bro_plugin_end() | ||
|
||
file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1) | ||
|
||
if ("${PROJECT_SOURCE_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}") | ||
# Allows building rpm/deb packages via "make package" in build dir. | ||
include(ConfigurePackaging) | ||
ConfigurePackaging(${VERSION}) | ||
endif () |
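Review bot: `ConfigurePackaging(${VERSION})` on the last lines passes the version unquoted, so an empty or missing VERSION file turns it into a zero-argument call that fails inside the packaging module instead of at the point of the problem; quote it and guard it first, e.g. `if(NOT VERSION)` / `message(FATAL_ERROR "VERSION file is empty or missing")` followed by `ConfigurePackaging("${VERSION}")`. `cmake_minimum_required(VERSION 2.8)` is what the Zeek plugin skeleton ships, but recent CMake releases warn that compatibility with pre-3.5 minimums will be removed, so raising it once the BroPlugin and ConfigurePackaging modules this file includes allow would be worth tracking. A comment above the `file(STRINGS ...)` line saying that the first line of VERSION is the package version used for rpm/deb builds would also help a reader who only sees the dist-file list above it.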
@@ -0,0 +1,32 @@ | ||
Crown Copyright 2020, All rights reserved. | ||
|
||
Redistribution and use in source and binary forms, with or without | ||
modification, are permitted provided that the following conditions are met: | ||
|
||
(1) Redistributions of source code must retain the above copyright | ||
notice, this list of conditions and the following disclaimer. | ||
|
||
(2) Redistributions in binary form must reproduce the above copyright | ||
notice, this list of conditions and the following disclaimer in the | ||
documentation and/or other materials provided with the distribution. | ||
|
||
(3) Neither the name of the University of California, Lawrence Berkeley | ||
National Laboratory, U.S. Dept. of Energy, International Computer | ||
Science Institute, nor the names of contributors may be used to endorse | ||
or promote products derived from this software without specific prior | ||
written permission. | ||
|
||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | ||
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE | ||
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | ||
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | ||
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | ||
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | ||
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||
POSSIBILITY OF SUCH DAMAGE. | ||
|
||
Note that some files in the distribution may carry their own copyright | ||
notices. |
@@ -0,0 +1,29 @@ | ||
# | ||
# Convenience Makefile providing a few common top-level targets. | ||
# | ||
|
||
cmake_build_dir=build | ||
arch=`uname -s | tr A-Z a-z`-`uname -m` | ||
|
||
all: build-it | ||
|
||
build-it: | ||
@test -e $(cmake_build_dir)/config.status || ./configure | ||
-@test -e $(cmake_build_dir)/CMakeCache.txt && \ | ||
test $(cmake_build_dir)/CMakeCache.txt -ot `cat $(cmake_build_dir)/CMakeCache.txt | grep BRO_DIST | cut -d '=' -f 2`/build/CMakeCache.txt && \ | ||
echo Updating stale CMake cache && \ | ||
touch $(cmake_build_dir)/CMakeCache.txt | ||
|
||
( cd $(cmake_build_dir) && make ) | ||
|
||
install: | ||
( cd $(cmake_build_dir) && make install ) | ||
|
||
clean: | ||
( cd $(cmake_build_dir) && make clean ) | ||
|
||
distclean: | ||
rm -rf $(cmake_build_dir) | ||
|
||
test: | ||
make -C tests |
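Review bot: None of the rule names are declared phony, so a file or directory named `test`, `clean` or `install` appearing in the checkout would make `make test` report "up to date" instead of running the suite; add `.PHONY: all build-it install clean distclean test` near the top. In the stale-cache check under `build-it`, `cat ... | grep BRO_DIST` matches any cache line containing that string, not just the key, so anchor it: `grep '^BRO_DIST:' $(cmake_build_dir)/CMakeCache.txt | cut -d '=' -f 2`. The `arch` variable is assigned but not referenced by any rule in this file; either use it or drop it.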
@@ -0,0 +1,54 @@ | ||
|
||
Zeek Plugin IKEv2 | ||
================= | ||
|
||
IKEv2 protocol analyzer for Zeek. | ||
|
||
This protocol analyzer focuses on the IKE_SA_INIT exchange which is unencrypted and used to establish a secure tunnel. | ||
|
||
Useful information such as SPIs, cipher proposals, and vendor IDs are contained in these packets. | ||
|
||
# Installation and Usage | ||
|
||
zeek-plugin-ikev2 is distributed as a [Zeek package](https://packages.zeek.org/) and is compatible with the zkg command line tool. | ||
|
||
# main.zeek | ||
|
||
The main.zeek script generates an ikev2.log log file containing the IKE_SA_INIT response from the VPN gateway with details of the selected cryptographic proposal selected to establish the connection. | ||
|
||
|Field |Description | | ||
|--------------------------|-------------------------------------------------------------| | ||
|ts |Timestamp | | ||
|uid |Connection ID | | ||
|id.orig_h |Originating host | | ||
|id.orig_p |Originating port | | ||
|id.resp_h |Responding host | | ||
|id.resp_p |Responding post | | ||
|is_orig |Packet from originator | | ||
|sa_i |Initiators SPI | | ||
|sa_r |Responders SPI | | ||
|version |IKE version | | ||
|exchange_type |IKE exchange type | | ||
|selected_proposal_number |Selected proposal number | | ||
|selected_transforms |List of transforms selected | | ||
|selected_ke_dh_group_num |Key exchange Diffie-Hellman group number | | ||
|cipher_hash |MD5 hash of selected_transforms and selected_ke_dh_group_num | | ||
|notify_message_type_names |List of notify message types | | ||
|vendor_payloads |List of vendor payloads | | ||
|
||
# Acknowledgements | ||
|
||
* Thanks to Adam R @ukncsc for peer review | ||
|
||
# Maintenance | ||
|
||
This plugin is a side project by Stuart H @ukncsc and so maintenance will be on a best efforts basis. | ||
|
||
# Copyright | ||
|
||
Crown Copyright 2020. | ||
|
||
# License | ||
|
||
Like Zeek, this plugin comes with a BSD license, allowing for free use with virtually no | ||
restrictions. You can find it [here](https://github.com/ukncsc/zeek-plugin-ikev2/blob/master/COPYING). |
@@ -0,0 +1,54 @@ | ||
|
||
Zeek Plugin IKEv2 | ||
================= | ||
|
||
IKEv2 protocol analyzer for Zeek. | ||
|
||
This protocol analyzer focuses on the IKE_SA_INIT exchange which is unencrypted and used to establish a secure tunnel. | ||
|
||
Useful information such as SPIs, cipher proposals, and vendor IDs are contained in these packets. | ||
|
||
# Installation and Usage | ||
|
||
zeek-plugin-ikev2 is distributed as a [Zeek package](https://packages.zeek.org/) and is compatible with the zkg command line tool. | ||
|
||
# main.zeek | ||
|
||
The main.zeek script generates an ikev2.log log file containing the IKE_SA_INIT response from the VPN gateway with details of the selected cryptographic proposal selected to establish the connection. | ||
|
||
|Field |Description | | ||
|--------------------------|-------------------------------------------------------------| | ||
|ts |Timestamp | | ||
|uid |Connection ID | | ||
|id.orig_h |Originating host | | ||
|id.orig_p |Originating port | | ||
|id.resp_h |Responding host | | ||
|id.resp_p |Responding post | | ||
|is_orig |Packet from originator | | ||
|sa_i |Initiators SPI | | ||
|sa_r |Responders SPI | | ||
|version |IKE version | | ||
|exchange_type |IKE exchange type | | ||
|selected_proposal_number |Selected proposal number | | ||
|selected_transforms |List of transforms selected | | ||
|selected_ke_dh_group_num |Key exchange Diffie-Hellman group number | | ||
|cipher_hash |MD5 hash of selected_transforms and selected_ke_dh_group_num | | ||
|notify_message_type_names |List of notify message types | | ||
|vendor_payloads |List of vendor payloads | | ||
|
||
# Acknowledgements | ||
|
||
* Thanks to Adam R @ukncsc for peer review | ||
|
||
# Maintenance | ||
|
||
This plugin is a side project by Stuart H @ukncsc and so maintenance will be on a best efforts basis. | ||
|
||
# Copyright | ||
|
||
Crown Copyright 2020. | ||
|
||
# License | ||
|
||
Like Zeek, this plugin comes with a BSD license, allowing for free use with virtually no | ||
restrictions. You can find it [here](https://github.com/ukncsc/zeek-plugin-ikev2/blob/master/COPYING). |
@@ -0,0 +1 @@ | ||
0.1 |
@@ -0,0 +1,114 @@ | ||
#!/bin/sh | ||
# | ||
# Wrapper for viewing/setting options that the plugin's CMake | ||
# scripts will recognize. | ||
# | ||
# Don't edit this. Edit configure.plugin to add plugin-specific options. | ||
# | ||
|
||
set -e | ||
command="$0 $*" | ||
|
||
if [ -e `dirname $0`/configure.plugin ]; then | ||
# Include custom additions. | ||
. `dirname $0`/configure.plugin | ||
fi | ||
|
||
# Check for `cmake` command. | ||
type cmake > /dev/null 2>&1 || { | ||
echo "\ | ||
This package requires CMake, please install it first, then you may | ||
use this configure script to access CMake equivalent functionality.\ | ||
" >&2; | ||
exit 1; | ||
} | ||
|
||
usage() { | ||
|
||
cat 1>&2 <<EOF | ||
Usage: $0 [OPTIONS] | ||
Plugin Options: | ||
--bro-dist=DIR Path to Bro source tree | ||
--install-root=DIR Path where to install plugin into | ||
EOF | ||
|
||
if type plugin_usage >/dev/null 2>&1; then | ||
plugin_usage 1>&2 | ||
fi | ||
|
||
echo | ||
|
||
exit 1 | ||
} | ||
|
||
# Function to append a CMake cache entry definition to the | ||
# CMakeCacheEntries variable | ||
# $1 is the cache entry variable name | ||
# $2 is the cache entry variable type | ||
# $3 is the cache entry variable value | ||
append_cache_entry () { | ||
CMakeCacheEntries="$CMakeCacheEntries -D $1:$2=$3" | ||
} | ||
|
||
# set defaults | ||
builddir=build | ||
brodist=`cd ../../.. && pwd` | ||
installroot="default" | ||
CMakeCacheEntries="" | ||
|
||
while [ $# -ne 0 ]; do | ||
case "$1" in | ||
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; | ||
*) optarg= ;; | ||
esac | ||
|
||
case "$1" in | ||
--help|-h) | ||
usage | ||
;; | ||
|
||
--bro-dist=*) | ||
brodist=`cd $optarg && pwd` | ||
;; | ||
|
||
--install-root=*) | ||
installroot=$optarg | ||
;; | ||
|
||
*) | ||
if type plugin_option >/dev/null 2>&1; then | ||
plugin_option $1 && shift && continue; | ||
fi | ||
|
||
echo "Invalid option '$1'. Try $0 --help to see available options." | ||
exit 1 | ||
;; | ||
esac | ||
shift | ||
done | ||
|
||
if [ ! -e "$brodist/bro-path-dev.in" ]; then | ||
echo "Cannot determine Bro source directory, use --bro-dist=DIR." | ||
exit 1 | ||
fi | ||
|
||
append_cache_entry BRO_DIST PATH $brodist | ||
append_cache_entry CMAKE_MODULE_PATH PATH $brodist/cmake | ||
|
||
if [ "$installroot" != "default" ]; then | ||
mkdir -p $installroot | ||
append_cache_entry BRO_PLUGIN_INSTALL_ROOT PATH $installroot | ||
fi | ||
|
||
echo "Build Directory : $builddir" | ||
echo "Bro Source Directory : $brodist" | ||
|
||
mkdir -p $builddir | ||
cd $builddir | ||
|
||
cmake $CMakeCacheEntries .. | ||
|
||
echo "# This is the command used to configure this build" > config.status | ||
echo $command >> config.status | ||
chmod u+x config.status |
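Review bot: Paths taken from the command line are expanded unquoted throughout the script — `cd $optarg` in the `--bro-dist` case, `mkdir -p $installroot`, `mkdir -p $builddir` and `cd $builddir` — so a directory name containing whitespace or glob characters is split or expanded before it is used; quote the simple cases, e.g. `brodist=$(cd "$optarg" && pwd)`, `mkdir -p "$installroot"`, `cd "$builddir"`. The `-D` entries are accumulated into the single string `CMakeCacheEntries` and word-split again by `cmake $CMakeCacheEntries ..`, so whitespace in those values cannot be supported without restructuring how entries are collected; if that limitation is accepted, state it in the `usage` text. The final `chmod u+x config.status` makes a file holding the recorded configure command line executable, which is the skeleton's convention for re-running configure, but a one-line comment saying so would spare readers the question of why a status file is executable.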
@@ -0,0 +1,26 @@ | ||
#!/bin/sh | ||
# | ||
# Hooks to add custom options to the configure script. | ||
# | ||
|
||
plugin_usage() | ||
{ | ||
: # Do nothing | ||
# cat <<EOF | ||
# --with-foo=DIR Path to foo | ||
# EOF | ||
} | ||
|
||
plugin_option() | ||
{ | ||
case "$1" in | ||
# --with-foo=*) | ||
# append_cache_entry FOO_DIR PATH $optarg | ||
# return 0 | ||
# ;; | ||
|
||
*) | ||
return 1; | ||
;; | ||
esac | ||
} |
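Review bot: `plugin_option` and `plugin_usage` depend on names that exist only because `configure` sources this file — `$optarg` and `append_cache_entry`, both used in the commented example — but nothing here says so; a comment above `plugin_option` such as `# Sourced by ./configure: $1 is the raw option, $optarg its value, append_cache_entry adds -D cache entries` would make the contract explicit. The trailing `;` after `return 1` is harmless but inconsistent with the rest of the file.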
@@ -0,0 +1,13 @@ | ||
# | ||
# This is loaded unconditionally at Zeek startup. Include scripts here that should | ||
# always be loaded. | ||
# | ||
# Normally, that will be only code that initializes built-in elements. Load | ||
# your standard scripts in | ||
# scripts/<plugin-namespace>/<plugin-name>/__load__.zeek instead. | ||
# | ||
|
||
@load ./consts.zeek | ||
@load ./main | ||
|
||
@load-sigs ./dpd.sig |
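Review bot: The header comment says this file should hold only built-in initialization and that standard scripts belong under `scripts/<plugin-namespace>/<plugin-name>/__load__.zeek`, yet the file itself loads `./main` and the `./dpd.sig` signatures, so the stock skeleton text now contradicts the contents; either move those loads or reword the comment to say that the analyzer's logging script and DPD signatures are loaded unconditionally whenever the plugin is installed. The two `@load` lines also mix styles — `./consts.zeek` with an extension and `./main` without — so pick one. The file path is not shown on this page, so this assumes it is the top-level `scripts/__load__.zeek` that the comment describes.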
@@ -0,0 +1,10 @@ | ||
# | ||
# This is loaded unconditionally at Zeek startup before any of the BiFs that the | ||
# plugin defines become available. | ||
# | ||
# This is primarily for defining types that BiFs already depend on. If you need | ||
# to do any other unconditional initialization (usually that's just for other BiF | ||
# elemets), that should go into __load__.zeek instead. | ||
# | ||
|
||
@load ./types.zeek |
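Review bot: The header comment has a typo, `elemets` for `elements`, in the sentence explaining where other unconditional initialization belongs; since this is the skeleton text that tends to get copied into other plugins, it is worth fixing here. A short comment next to the `@load`, such as `# Types used by the BiFs must be declared before the BiFs become available`, would say why `./types.zeek` sits in __preload__ rather than __load__; presumably these are the types referenced by `src/types.bif` listed in CMakeLists.txt, but that should be confirmed against the script.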