Release

ukncsc · Jan 27, 2020 · 5b62d50 · 5b62d50
commit 5b62d50
Show file tree

Hide file tree

Showing 36 changed files with 2,358 additions and 0 deletions.
diff --git a/CHANGES b/CHANGES
@@ -0,0 +1,3 @@
+0.1 | 2020-01-17
+
+    * Initial release of IKEv2 parser
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -0,0 +1,24 @@
+
+cmake_minimum_required(VERSION 2.8)
+
+project(BroPluginIKEv2)
+
+include(BroPlugin)
+
+bro_plugin_begin(Zeek IKEv2)
+bro_plugin_cc(src/IKEv2.cc src/Plugin.cc)
+bro_plugin_bif(src/events.bif src/types.bif)
+bro_plugin_pac( src/IKEv2.pac
+                src/IKEv2-protocol.pac
+                src/IKEv2-analyzer.pac
+            )
+bro_plugin_dist_files(README CHANGES COPYING VERSION)
+bro_plugin_end()
+
+file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/VERSION" VERSION LIMIT_COUNT 1)
+
+if ("${PROJECT_SOURCE_DIR}" STREQUAL "${CMAKE_SOURCE_DIR}")
+    # Allows building rpm/deb packages via "make package" in build dir.
+    include(ConfigurePackaging)
+    ConfigurePackaging(${VERSION})
+endif ()
diff --git a/COPYING b/COPYING
@@ -0,0 +1,32 @@
+Crown Copyright 2020, All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+(1) Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+(2) Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+
+(3) Neither the name of the University of California, Lawrence Berkeley
+    National Laboratory, U.S. Dept. of Energy, International Computer
+    Science Institute, nor the names of contributors may be used to endorse
+    or promote products derived from this software without specific prior
+    written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+Note that some files in the distribution may carry their own copyright
+notices.
diff --git a/Makefile b/Makefile
@@ -0,0 +1,29 @@
+#
+# Convenience Makefile providing a few common top-level targets.
+#
+
+cmake_build_dir=build
+arch=`uname -s | tr A-Z a-z`-`uname -m`
+
+all: build-it
+
+build-it:
+	@test -e $(cmake_build_dir)/config.status || ./configure
+	-@test -e $(cmake_build_dir)/CMakeCache.txt && \
+      test $(cmake_build_dir)/CMakeCache.txt -ot `cat $(cmake_build_dir)/CMakeCache.txt | grep BRO_DIST | cut -d '=' -f 2`/build/CMakeCache.txt && \
+      echo Updating stale CMake cache && \
+      touch $(cmake_build_dir)/CMakeCache.txt
+
+	( cd $(cmake_build_dir) && make )
+
+install:
+	( cd $(cmake_build_dir) && make install )
+
+clean:
+	( cd $(cmake_build_dir) && make clean )
+
+distclean:
+	rm -rf $(cmake_build_dir)
+
+test:
+	make -C tests
diff --git a/README b/README
@@ -0,0 +1,54 @@
+
+Zeek Plugin IKEv2
+=================
+
+IKEv2 protocol analyzer for Zeek.
+
+This protocol analyzer focuses on the IKE_SA_INIT exchange which is unencrypted and used to establish a secure tunnel.
+
+Useful information such as SPIs, cipher proposals, and vendor IDs are contained in these packets.
+
+# Installation and Usage
+
+zeek-plugin-ikev2 is distributed as a [Zeek package](https://packages.zeek.org/) and is compatible with the zkg command line tool.
+
+# main.zeek
+
+The main.zeek script generates an ikev2.log log file containing the IKE_SA_INIT response from the VPN gateway with details of the selected cryptographic proposal selected to establish the connection.
+
+|Field                     |Description                                                  |
+|--------------------------|-------------------------------------------------------------|
+|ts                        |Timestamp                                                    |
+|uid                       |Connection ID                                                |
+|id.orig_h                 |Originating host                                             |
+|id.orig_p                 |Originating port                                             |
+|id.resp_h                 |Responding host                                              |
+|id.resp_p                 |Responding post                                              |
+|is_orig                   |Packet from originator                                       |
+|sa_i                      |Initiators SPI                                               |
+|sa_r                      |Responders SPI                                               | 
+|version                   |IKE version                                                  |
+|exchange_type             |IKE exchange type                                            |
+|selected_proposal_number  |Selected proposal number                                     |
+|selected_transforms       |List of transforms selected                                  |
+|selected_ke_dh_group_num  |Key exchange Diffie-Hellman group number                    |
+|cipher_hash               |MD5 hash of selected_transforms and selected_ke_dh_group_num |
+|notify_message_type_names |List of notify message types                                 |
+|vendor_payloads           |List of vendor payloads                                      |
+
+# Acknowledgements
+
+* Thanks to Adam R @ukncsc for peer review
+
+# Maintenance
+
+This plugin is a side project by Stuart H @ukncsc and so maintenance will be on a best efforts basis.
+
+# Copyright
+
+Crown Copyright 2020.
+
+# License
+
+Like Zeek, this plugin comes with a BSD license, allowing for free use with virtually no
+restrictions. You can find it [here](https://github.com/ukncsc/zeek-plugin-ikev2/blob/master/COPYING).
diff --git a/README.md b/README.md
@@ -0,0 +1,54 @@
+
+Zeek Plugin IKEv2
+=================
+
+IKEv2 protocol analyzer for Zeek.
+
+This protocol analyzer focuses on the IKE_SA_INIT exchange which is unencrypted and used to establish a secure tunnel.
+
+Useful information such as SPIs, cipher proposals, and vendor IDs are contained in these packets.
+
+# Installation and Usage
+
+zeek-plugin-ikev2 is distributed as a [Zeek package](https://packages.zeek.org/) and is compatible with the zkg command line tool.
+
+# main.zeek
+
+The main.zeek script generates an ikev2.log log file containing the IKE_SA_INIT response from the VPN gateway with details of the selected cryptographic proposal selected to establish the connection.
+
+|Field                     |Description                                                  |
+|--------------------------|-------------------------------------------------------------|
+|ts                        |Timestamp                                                    |
+|uid                       |Connection ID                                                |
+|id.orig_h                 |Originating host                                             |
+|id.orig_p                 |Originating port                                             |
+|id.resp_h                 |Responding host                                              |
+|id.resp_p                 |Responding post                                              |
+|is_orig                   |Packet from originator                                       |
+|sa_i                      |Initiators SPI                                               |
+|sa_r                      |Responders SPI                                               | 
+|version                   |IKE version                                                  |
+|exchange_type             |IKE exchange type                                            |
+|selected_proposal_number  |Selected proposal number                                     |
+|selected_transforms       |List of transforms selected                                  |
+|selected_ke_dh_group_num  |Key exchange Diffie-Hellman group number                    |
+|cipher_hash               |MD5 hash of selected_transforms and selected_ke_dh_group_num |
+|notify_message_type_names |List of notify message types                                 |
+|vendor_payloads           |List of vendor payloads                                      |
+
+# Acknowledgements
+
+* Thanks to Adam R @ukncsc for peer review
+
+# Maintenance
+
+This plugin is a side project by Stuart H @ukncsc and so maintenance will be on a best efforts basis.
+
+# Copyright
+
+Crown Copyright 2020.
+
+# License
+
+Like Zeek, this plugin comes with a BSD license, allowing for free use with virtually no
+restrictions. You can find it [here](https://github.com/ukncsc/zeek-plugin-ikev2/blob/master/COPYING).
diff --git a/VERSION b/VERSION
@@ -0,0 +1 @@
+0.1
diff --git a/configure b/configure
@@ -0,0 +1,114 @@
+#!/bin/sh
+#
+# Wrapper for viewing/setting options that the plugin's CMake
+# scripts will recognize.
+#
+# Don't edit this. Edit configure.plugin to add plugin-specific options.
+#
+
+set -e
+command="$0 $*"
+
+if [ -e `dirname $0`/configure.plugin ]; then
+    # Include custom additions.
+    . `dirname $0`/configure.plugin
+fi
+
+# Check for `cmake` command.
+type cmake > /dev/null 2>&1 || {
+    echo "\
+This package requires CMake, please install it first, then you may
+use this configure script to access CMake equivalent functionality.\
+" >&2;
+    exit 1;
+}
+
+usage() {
+
+cat 1>&2 <<EOF
+Usage: $0 [OPTIONS]
+
+  Plugin Options:
+    --bro-dist=DIR             Path to Bro source tree
+    --install-root=DIR         Path where to install plugin into
+EOF
+
+if type plugin_usage >/dev/null 2>&1; then
+    plugin_usage 1>&2
+fi
+
+echo
+
+exit 1
+}
+
+# Function to append a CMake cache entry definition to the
+# CMakeCacheEntries variable
+#   $1 is the cache entry variable name
+#   $2 is the cache entry variable type
+#   $3 is the cache entry variable value
+append_cache_entry () {
+    CMakeCacheEntries="$CMakeCacheEntries -D $1:$2=$3"
+}
+
+# set defaults
+builddir=build
+brodist=`cd ../../.. && pwd`
+installroot="default"
+CMakeCacheEntries=""
+
+while [ $# -ne 0 ]; do
+    case "$1" in
+        -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+        *) optarg= ;;
+    esac
+
+    case "$1" in
+        --help|-h)
+            usage
+            ;;
+
+        --bro-dist=*)
+            brodist=`cd $optarg && pwd`
+            ;;
+
+        --install-root=*)
+            installroot=$optarg
+            ;;
+
+        *)
+            if type plugin_option >/dev/null 2>&1; then
+                plugin_option $1 && shift && continue;
+            fi
+
+            echo "Invalid option '$1'.  Try $0 --help to see available options."
+            exit 1
+            ;;
+    esac
+    shift
+done
+
+if [ ! -e "$brodist/bro-path-dev.in" ]; then
+    echo "Cannot determine Bro source directory, use --bro-dist=DIR."
+    exit 1
+fi
+
+append_cache_entry BRO_DIST PATH $brodist
+append_cache_entry CMAKE_MODULE_PATH PATH $brodist/cmake
+
+if [ "$installroot" != "default" ]; then
+    mkdir -p $installroot
+    append_cache_entry BRO_PLUGIN_INSTALL_ROOT PATH $installroot
+fi
+
+echo "Build Directory        : $builddir"
+echo "Bro Source Directory   : $brodist"
+
+mkdir -p $builddir
+cd $builddir
+
+cmake $CMakeCacheEntries ..
+
+echo "# This is the command used to configure this build" > config.status
+echo $command >> config.status
+chmod u+x config.status
diff --git a/configure.plugin b/configure.plugin
@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# Hooks to add custom options to the configure script.
+#
+
+plugin_usage()
+{
+    : # Do nothing
+#    cat <<EOF
+#    --with-foo=DIR          Path to foo
+# EOF
+}
+
+plugin_option()
+{
+    case "$1" in
+#        --with-foo=*)
+#            append_cache_entry FOO_DIR PATH $optarg
+#            return 0
+#            ;;
+
+        *)
+            return 1;
+            ;;
+    esac
+}
diff --git a/scripts/__load__.zeek b/scripts/__load__.zeek
@@ -0,0 +1,13 @@
+#
+# This is loaded unconditionally at Zeek startup. Include scripts here that should
+# always be loaded.
+#
+# Normally, that will be only code that initializes built-in elements. Load
+# your standard scripts in
+# scripts/<plugin-namespace>/<plugin-name>/__load__.zeek instead.
+#
+
+@load ./consts.zeek
+@load ./main
+
+@load-sigs ./dpd.sig
diff --git a/scripts/__preload__.zeek b/scripts/__preload__.zeek
@@ -0,0 +1,10 @@
+#
+# This is loaded unconditionally at Zeek startup before any of the BiFs that  the
+# plugin defines become available.
+#
+# This is primarily for defining types that BiFs already depend on. If you need
+# to do any other unconditional initialization (usually that's just for other BiF
+# elemets), that should go into __load__.zeek instead.
+#
+
+@load ./types.zeek