Initial import.

.cmake-format.json

@@ -0,0 +1,26 @@
+{
+  "parse": {
+    "additional_commands": {
+        "spicy_add_analyzer": {
+            "kwargs": {
+                "NAME": "*",
+                "PACKAGE_NAME": "*",
+                "SOURCES": "*",
+                "SCRIPTS": "*"
+            }
+        }
+    }
+  },
+  "format": {
+    "line_width": 100,
+    "tab_size": 4,
+    "separate_ctrl_name_with_space": true,
+    "max_subgroups_hwrap": 3
+  },
+  "markup": {
+    "enable_markup": false
+  },
+  "lint": {
+      "disabled_codes": ["C0103"]
+  }
+}

.github/workflows/check.yml

@@ -0,0 +1,28 @@
+name: Check
+
+on:
+  pull_request:
+  push:
+    branches: [master]
+
+jobs:
+  Check:
+    runs-on: ubuntu-latest
+    container: zeekurity/spicy
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Prepare
+        env:
+          PATH: /usr/local/bin:/opt/cmake/bin:/opt/spicy/bin:/opt/zeek/bin:/opt/zeek/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+        run: |
+          echo $PATH
+          pip install zkg
+          zkg purge --force
+      - name: Install
+        env:
+          PATH: /usr/local/bin:/opt/cmake/bin:/opt/spicy/bin:/opt/zeek/bin:/opt/zeek/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+        run: |
+          git clean -fd
+          eval $(zkg env)
+          zkg -vvvvv install --force . || cat .zkg/logs/*.log

.github/workflows/pre-commit.yml

@@ -0,0 +1,14 @@
+name: pre-commit
+
+on:
+  pull_request:
+  push:
+    branches: [master]
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions/setup-python@v2
+    - uses: pre-commit/[email protected]

.gitignore

@@ -0,0 +1,7 @@
+build
+.idea/
+cmake-build-debug/
+.DS_Store
+*.swp
+*.tmp
+tests/.btest*

.mdlrc

@@ -0,0 +1 @@
+rules "~MD033", "~MD013", "~MD046", "~MD010"

.pre-commit-config.yaml

@@ -0,0 +1,23 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.0.1
+  hooks:
+  - id: trailing-whitespace
+  - id: end-of-file-fixer
+  - id: check-yaml
+  - id: check-added-large-files
+
+- repo: https://github.com/markdownlint/markdownlint
+  rev: v0.11.0
+  hooks:
+  - id: markdownlint
+
+- repo: https://github.com/cheshirekow/cmake-format-precommit
+  rev: v0.6.13
+  hooks:
+  - id: cmake-format
+  - id: cmake-lint
+
+exclude: '^tests/Baseline'

CMakeLists.txt

@@ -10,9 +10,11 @@ spicy_require_version("1.2.0")
 spicy_plugin_require_version("0.99.0")
 zeek_require_version("3.0.0")
 
-if ( NOT CMAKE_BUILD_TYPE )
-    # Default to release build.
-    set(CMAKE_BUILD_TYPE "Release" CACHE STRING "")
-endif ()
+if(NOT CMAKE_BUILD_TYPE)
+  # Default to release build.
+  set(CMAKE_BUILD_TYPE
+      "Release"
+      CACHE STRING "")
+endif()
 
 add_subdirectory(analyzer)

LICENSE

@@ -0,0 +1,29 @@
+Copyright (c) 2021, Corelight, Inc. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+(1) Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+(2) Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in
+    the documentation and/or other materials provided with the
+    distribution.
+
+(3) Neither the name of Corelight nor the names of any contributors
+    may be used to endorse or promote products derived from this
+    software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

LICENSE.3rdparty

@@ -0,0 +1,35 @@
+License for portions of source code that have been
+been copied from https://github.com/ukncsc/zeek-plugin-ikev2/blob/master/scripts/consts.zeek
+
+Crown Copyright 2020, All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+(1) Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+(2) Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+
+(3) Neither the name of the University of California, Lawrence Berkeley
+    National Laboratory, U.S. Dept. of Energy, International Computer
+    Science Institute, nor the names of contributors may be used to endorse
+    or promote products derived from this software without specific prior
+    written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+Note that some files in the distribution may carry their own copyright
+notices.

Readme.md

@@ -0,0 +1,42 @@
+# IPSec
+
+This is a Zeek protocol analyzer that detects IPSec VPN based on Spicy.
+You must install [Spicy](https://docs.zeek.org/projects/spicy/en/latest/)
+to use this package.
+
+A blog detailing the development of this analyzer:
+
+- <https://zeek.org/2021/04/20/zeeks-ipsec-protocol-analyzer/>
+
+## Example Logs
+
+```
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2021-11-23-13-52-52
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1421270042.835161	CHhAvVGS1DHFjwGM9	192.168.0.10	500	144.76.154.114	500	udp	spicy_ipsec_ike_udp	0.032969	880	308	SF	-	-	0	Dd	1	908	1	336	-
+1421270042.910124	ClEkJM2Vm5giqnMf4h	192.168.0.10	4500	144.76.154.114	4500	udp	spicy_ipsec_udp	2.000258	10416	0	S0	-	-	0	D	3	10500	0	0	-
+#close	2021-11-23-13-52-52
+```
+
+```
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ipsec
+#open	2021-11-23-13-52-52
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	is_orig	initiator_spi	responder_spi	maj_ver	min_ver	exchange_type	flag_e	flag_c	flag_a	flag_i	flag_v	flag_r	message_id	vendor_ids	notify_messages	transforms	ke_dh_groups	proposals	certificates	transform_attributes	length	hash
+#types	time	string	addr	port	addr	port	bool	string	string	count	count	count	bool	bool	bool	bool	bool	bool	count	vector[string]	vector[string]	vector[string]	vector[count]	vector[count]	vector[string]	vector[string]	count	string
+1421270042.835161	CHhAvVGS1DHFjwGM9	192.168.0.10	500	144.76.154.114	500	T	238671c80375a0fb	0000000000000000	2	0	34	F	F	F	T	F	F	0	MS NT5 ISAKMPOAKLEY,MS-Negotiation Discovery Capable,Microsoft Initial-Contact,UNKNOWN:01528bbbc00696121849ab9a1c5b2a5100000002	NAT_DETECTION_SOURCE_IP,NAT_DETECTION_DESTINATION_IP	(empty)	2	1,2,3,4,5,6,7,8,9,10,11,12	(empty)	(empty)	880	d1cd39840e0aaa5420b8f65984bb4f5f
+1421270042.868130	CHhAvVGS1DHFjwGM9	192.168.0.10	500	144.76.154.114	500	F	238671c80375a0fb	73d16a42f60ef7f0	2	0	34	F	F	F	F	F	T	0	(empty)	NAT_DETECTION_SOURCE_IP,NAT_DETECTION_DESTINATION_IP,MULTIPLE_AUTH_SUPPORTED	(empty)	2	1	(empty)	(empty)	308	f1885551a5b169444dd961e94d683d61
+1421270042.910124	ClEkJM2Vm5giqnMf4h	192.168.0.10	4500	144.76.154.114	4500	T	238671c80375a0fb	73d16a42f60ef7f0	2	0	35	F	F	F	T	F	F	1	(empty)	(empty)	(empty)	(empty)	(empty)	(empty)	(empty)	3468	-
+1421270043.910245	ClEkJM2Vm5giqnMf4h	192.168.0.10	4500	144.76.154.114	4500	T	238671c80375a0fb	73d16a42f60ef7f0	2	0	35	F	F	F	T	F	F	1	(empty)	(empty)	(empty)	(empty)	(empty)	(empty)	(empty)	3468	-
+1421270044.910382	ClEkJM2Vm5giqnMf4h	192.168.0.10	4500	144.76.154.114	4500	T	238671c80375a0fb	73d16a42f60ef7f0	2	0	35	F	F	F	T	F	F	1	(empty)	(empty)	(empty)	(empty)	(empty)	(empty)	(empty)	3468	-
+#close	2021-11-23-13-52-52
+```

analyzer/CMakeLists.txt

@@ -1,5 +1,13 @@
 spicy_add_analyzer(
-    NAME IPSEC
-    PACKAGE_NAME IPSEC
-    SOURCES analyzer.spicy analyzer.evt zeek_analyzer.spicy
-    SCRIPTS __load__.zeek main.zeek dpd.sig)
+  NAME
+  IPSEC
+  PACKAGE_NAME
+  IPSEC
+  SOURCES
+  analyzer.spicy
+  analyzer.evt
+  zeek_analyzer.spicy
+  SCRIPTS
+  __load__.zeek
+  main.zeek
+  dpd.sig)

analyzer/__load__.zeek

@@ -1,2 +1,3 @@
 @load-sigs ./dpd.sig
+@load ./consts.zeek
 @load ./main.zeek

analyzer/analyzer.evt

@@ -1,25 +1,78 @@
-# TODO: Adjust here whether this is a file, tcp or ucp analyzer,
-# and the ports the analyzers work on. See
-# https://docs.zeek.org/projects/spicy/en/latest/zeek.html#interface-definitions-evt-files
-# for the DSL used here. Below, the active analyzer declaration defines a protocol analyzer.
-#
-# A file analyzer would be define like this:
-#
-#     file analyzer spicy::ZIP:
-#         parse with ZIP::Archive,
-#         mime-type application/zip;
-#
-# A packet analyzer would look like this:
-
-#     packet analyzer spicy::RawLayer:
-#         parse with Raw Layer::Packet;
-
-protocol analyzer spicy::IPSEC over TCP:
-    parse with zeek_spicy_ipsec::IPSEC,
-    port 8080/tcp;
+protocol analyzer spicy::ipsec_udp over UDP:
+	parse with zeek_spicy_ipsec::IPSecPacketUDP,
+	ports {4500/udp, 4501/udp};
+
+protocol analyzer spicy::ipsec_ike_udp over UDP:
+	parse with zeek_spicy_ipsec::IPSecIKE,
+	ports {500/udp};
+
+protocol analyzer spicy::ipsec_tcp over TCP:
+	parse with zeek_spicy_ipsec::IPSecPacketsTCP,
+	ports {4500/tcp};
 
 import zeek_spicy_ipsec;
 import Zeek_zeek_spicy_ipsec;
 
-# TODO: Connect Spicy-side events with Zeek-side events.
-on zeek_spicy_ipsec::IPSEC -> event IPSEC::message($conn, $is_orig, self.payload);
+on zeek_spicy_ipsec::IPSecIKE -> event IPSEC::ike_message($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_ike_msg(self));
+
+on zeek_spicy_ipsec::IPSecESP -> event IPSEC::esp_message($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_esp_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv2_SA_Proposal -> event IPSEC::ikev2_sa_proposal($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_proposal_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv2_SA_Transform -> event IPSEC::ikev2_sa_transform($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_transform_msg(self));
+
+on zeek_spicy_ipsec::DataAttribute -> event IPSEC::ike_data_attribute($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_data_attribute_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv2_KE_Payload -> event IPSEC::ikev2_ke_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_ke_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv2_IDi_Payload -> event IPSEC::ikev2_idi_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_id_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv2_IDr_Payload -> event IPSEC::ikev2_idr_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_id_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv2_CERT_Payload -> event IPSEC::ikev2_cert_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_cert_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv2_CERTREQ_Payload -> event IPSEC::ikev2_certreq_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_certreq_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv2_AUTH_Payload -> event IPSEC::ikev2_auth_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_auth_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv2_Ni_Payload -> event IPSEC::ikev2_nonce_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_nonce_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv2_N_Payload -> event IPSEC::ikev2_notify_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_notify_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv2_D_Payload -> event IPSEC::ikev2_delete_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_delete_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv2_V_Payload -> event IPSEC::ikev2_vendorid_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_vendorid_msg(self));
+
+on zeek_spicy_ipsec::TrafficSelector -> event IPSEC::ikev2_ts_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_trafficselector_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv2_E_Payload -> event IPSEC::ikev2_encrypted_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_encrypted_msg(self));
+
+on zeek_spicy_ipsec::ConfigureAttribute -> event IPSEC::ikev2_configuration_attribute($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_configuration_attr_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv2_EAP_Payload -> event IPSEC::ikev2_eap_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_eap_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv1_SA_Payload -> event IPSEC::ikev1_sa_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_sa_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv1_P_Payload -> event IPSEC::ikev1_p_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_p_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv1_T_Payload -> event IPSEC::ikev1_t_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_t_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv1_KE_Payload -> event IPSEC::ikev1_ke_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_ke_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv1_ID_Payload -> event IPSEC::ikev1_id_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_id_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv1_CERT_Payload -> event IPSEC::ikev1_cert_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_cert_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv1_CR_Payload -> event IPSEC::ikev1_certreq_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_certreq_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv1_HASH_Payload -> event IPSEC::ikev1_hash_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_hash_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv1_SIG_Payload -> event IPSEC::ikev1_sig_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_sig_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv1_NONCE_Payload -> event IPSEC::ikev1_nonce_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_nonce_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv1_N_Payload -> event IPSEC::ikev1_notify_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_notify_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv1_D_Payload -> event IPSEC::ikev1_delete_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_delete_msg(self));
+
+on zeek_spicy_ipsec::IPSecIKEv1_VID_Payload -> event IPSEC::ikev1_vid_payload($conn, $is_orig, Zeek_zeek_spicy_ipsec::create_vendorid_msg(self));