From a86f595b7f8c0e8376d1278a6e5ca7fe3ede3050 Mon Sep 17 00:00:00 2001 From: Seth Hall Date: Mon, 8 Feb 2021 13:35:58 -0500 Subject: [PATCH] Upgrade to Zeek 4.0 --- CMakeLists.txt | 17 +-- Makefile | 2 +- VERSION | 1 - configure | 119 ++++++++++++++---- .../PE_XOR/{__load__.bro => __load__.zeek} | 2 +- .../Corelight/PE_XOR/{main.bro => main.zeek} | 2 +- scripts/__load__.bro | 14 --- scripts/__load__.zeek | 8 ++ scripts/{init.bro => init.zeek} | 0 src/PE_XOR.cc | 29 ++--- src/PE_XOR.h | 27 ++-- src/Plugin.cc | 31 +++-- src/Plugin.h | 6 +- tests/Baseline/pe_xor.nuclear_ek/files.log | 26 ---- tests/Baseline/pe_xor.nuclear_ek/http.log | 14 --- tests/Baseline/pe_xor.nuclear_ek/notice.log | 11 +- tests/Baseline/pe_xor.nuclear_ek/pe.log | 10 -- tests/Scripts/diff-remove-timestamps | 13 ++ tests/Scripts/get-bro-env | 21 ---- tests/Scripts/get-zeek-env | 36 ++++++ tests/btest.cfg | 12 +- .../{nuclear_ek.bro => nuclear_ek.zeek} | 5 +- tests/pe_xor/show-plugin.bro | 2 - tests/pe_xor/show-plugin.zeek | 2 + tests/random.seed | 21 ++++ 25 files changed, 246 insertions(+), 185 deletions(-) delete mode 100644 VERSION rename scripts/Corelight/PE_XOR/{__load__.bro => __load__.zeek} (88%) rename scripts/Corelight/PE_XOR/{main.bro => main.zeek} (96%) delete mode 100644 scripts/__load__.bro create mode 100644 scripts/__load__.zeek rename scripts/{init.bro => init.zeek} (100%) delete mode 100644 tests/Baseline/pe_xor.nuclear_ek/files.log delete mode 100644 tests/Baseline/pe_xor.nuclear_ek/http.log delete mode 100644 tests/Baseline/pe_xor.nuclear_ek/pe.log create mode 100755 tests/Scripts/diff-remove-timestamps delete mode 100755 tests/Scripts/get-bro-env create mode 100755 tests/Scripts/get-zeek-env rename tests/pe_xor/{nuclear_ek.bro => nuclear_ek.zeek} (52%) delete mode 100644 tests/pe_xor/show-plugin.bro create mode 100644 tests/pe_xor/show-plugin.zeek create mode 100644 tests/random.seed diff --git a/CMakeLists.txt b/CMakeLists.txt index d3ee266..2bf931a 100644 --- a/CMakeLists.txt 
+++ b/CMakeLists.txt @@ -1,12 +1,13 @@ -cmake_minimum_required(VERSION 2.8) +cmake_minimum_required(VERSION 3.5 FATAL_ERROR) -project(Plugin) +project(ZeekPluginXorExe) -include(BroPlugin) +include(ZeekPlugin) + +zeek_plugin_begin(Corelight PE_XOR) +zeek_plugin_cc(src/PE_XOR.cc src/Plugin.cc) +zeek_plugin_bif(src/pe_xor.bif) +zeek_plugin_dist_files(README CHANGES COPYING VERSION) +zeek_plugin_end() -bro_plugin_begin(Corelight PE_XOR) -bro_plugin_cc(src/PE_XOR.cc src/Plugin.cc) -bro_plugin_bif(src/pe_xor.bif) -bro_plugin_dist_files(README CHANGES COPYING VERSION) -bro_plugin_end() diff --git a/Makefile b/Makefile index e083d5b..e96720f 100644 --- a/Makefile +++ b/Makefile @@ -10,7 +10,7 @@ all: build-it build-it: @test -e $(cmake_build_dir)/config.status || ./configure -@test -e $(cmake_build_dir)/CMakeCache.txt && \ - test $(cmake_build_dir)/CMakeCache.txt -ot `cat $(cmake_build_dir)/CMakeCache.txt | grep BRO_DIST | cut -d '=' -f 2`/build/CMakeCache.txt && \ + test $(cmake_build_dir)/CMakeCache.txt -ot `cat $(cmake_build_dir)/CMakeCache.txt | grep ZEEK_DIST | cut -d '=' -f 2`/build/CMakeCache.txt && \ echo Updating stale CMake cache && \ touch $(cmake_build_dir)/CMakeCache.txt diff --git a/VERSION b/VERSION deleted file mode 100644 index 49d5957..0000000 --- a/VERSION +++ /dev/null @@ -1 +0,0 @@ -0.1 diff --git a/configure b/configure index 1d97bbe..ba695cb 100755 --- a/configure +++ b/configure @@ -14,26 +14,23 @@ if [ -e `dirname $0`/configure.plugin ]; then . `dirname $0`/configure.plugin fi -# Check for `cmake` command. -type cmake > /dev/null 2>&1 || { - echo "\ -This package requires CMake, please install it first, then you may -use this configure script to access CMake equivalent functionality.\ -" >&2; - exit 1; -} - usage() { cat 1>&2 </dev/null 2>&1; then +if type plugin_usage >/dev/null 2>&1; then plugin_usage 1>&2 fi 
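Review bot: `zeek_plugin_dist_files(README CHANGES COPYING VERSION)` still lists VERSION, but the diffstat of this same commit shows `delete mode 100644 VERSION`, so the dist file list now names a file that no longer exists in the tree; I would expect the dist/install step to fail or silently ship nothing for it. Either keep the VERSION file (the plugin otherwise has no version left anywhere, since Plugin.cc drops `config.version` too) or shorten the line to `zeek_plugin_dist_files(README CHANGES COPYING)`.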
@@ -53,7 +50,7 @@ append_cache_entry () { # set defaults builddir=build -brodist=`cd ../../.. && pwd` +zeekdist="" installroot="default" CMakeCacheEntries="" @@ -68,16 +65,43 @@ while [ $# -ne 0 ]; do usage ;; - --bro-dist=*) - brodist=`cd $optarg && pwd` + --cmake=*) + CMakeCommand=$optarg + ;; + + --zeek-dist=*) + zeekdist=`cd $optarg && pwd` ;; --install-root=*) installroot=$optarg ;; + --with-binpac=*) + append_cache_entry BinPAC_ROOT_DIR PATH $optarg + binpac_root=$optarg + ;; + + --with-broker=*) + append_cache_entry BROKER_ROOT_DIR PATH $optarg + broker_root=$optarg + ;; + + --with-caf=*) + append_cache_entry CAF_ROOT_DIR PATH $optarg + caf_root=$optarg + ;; + + --with-bifcl=*) + append_cache_entry BifCl_EXE PATH $optarg + ;; + + --enable-debug) + append_cache_entry BRO_PLUGIN_ENABLE_DEBUG BOOL true + ;; + *) - if type -t plugin_option >/dev/null 2>&1; then + if type plugin_option >/dev/null 2>&1; then plugin_option $1 && shift && continue; fi 
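Review bot: In the `--zeek-dist=*` branch, `zeekdist=\`cd $optarg && pwd\`` yields an empty string when the directory does not exist, and the later `if [ -z "$zeekdist" ]` test then silently falls into the zeek-config branch instead of reporting the bad path, so the "does not appear to be a valid Zeek source tree" check never fires for a typo. Fail there instead: `zeekdist=\`cd "$optarg" && pwd\` || { echo "--zeek-dist: not a directory: $optarg" >&2; exit 1; }`. The same unquoted `$optarg` pattern appears in the `--with-*` cases, where a path with whitespace would split into extra arguments to `append_cache_entry`. The `while` loop this `case` sits in starts before the hunk.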
@@ -88,13 +112,64 @@ while [ $# -ne 0 ]; do shift done -if [ ! -e "$brodist/bro-path-dev.in" ]; then - echo "Cannot determine Bro source directory, use --bro-dist=DIR." - exit 1 +if [ -z "$CMakeCommand" ]; then + # prefer cmake3 over "regular" cmake (cmake == cmake2 on RHEL) + if command -v cmake3 >/dev/null 2>&1 ; then + CMakeCommand="cmake3" + elif command -v cmake >/dev/null 2>&1 ; then + CMakeCommand="cmake" + else + echo "This package requires CMake, please install it first." + echo "Then you may use this script to configure the CMake build." + echo "Note: pass --cmake=PATH to use cmake in non-standard locations." + exit 1; + fi fi -append_cache_entry BRO_DIST PATH $brodist -append_cache_entry CMAKE_MODULE_PATH PATH $brodist/cmake +if [ -z "$zeekdist" ]; then + if type zeek-config >/dev/null 2>&1; then + zeek_config="zeek-config" + else + echo "Either 'zeek-config' must be in PATH or '--zeek-dist=' used" + exit 1 + fi + + append_cache_entry BRO_CONFIG_PREFIX PATH `${zeek_config} --prefix` + append_cache_entry BRO_CONFIG_INCLUDE_DIR PATH `${zeek_config} --include_dir` + append_cache_entry BRO_CONFIG_PLUGIN_DIR PATH `${zeek_config} --plugin_dir` + append_cache_entry BRO_CONFIG_LIB_DIR PATH `${zeek_config} --lib_dir` + append_cache_entry BRO_CONFIG_CMAKE_DIR PATH `${zeek_config} --cmake_dir` + append_cache_entry CMAKE_MODULE_PATH PATH `${zeek_config} --cmake_dir` + + build_type=`${zeek_config} --build_type` + + if [ "$build_type" = "debug" ]; then + append_cache_entry BRO_PLUGIN_ENABLE_DEBUG BOOL true + fi + + if [ -z "$binpac_root" ]; then + append_cache_entry BinPAC_ROOT_DIR PATH `${zeek_config} --binpac_root` + fi + + if [ -z "$broker_root" ]; then + append_cache_entry BROKER_ROOT_DIR PATH `${zeek_config} --broker_root` + fi + + if [ -z "$caf_root" ]; then + append_cache_entry CAF_ROOT_DIR PATH `${zeek_config} --caf_root` + fi +else + if [ ! -e "$zeekdist/zeek-path-dev.in" ]; then + echo "$zeekdist does not appear to be a valid Zeek source tree." 
+ exit 1 + fi + + # BRO_DIST is the canonical/historical name used by plugin CMake scripts + # ZEEK_DIST doesn't serve a function at the moment, but set/provided anyway + append_cache_entry BRO_DIST PATH $zeekdist + append_cache_entry ZEEK_DIST PATH $zeekdist + append_cache_entry CMAKE_MODULE_PATH PATH $zeekdist/cmake +fi if [ "$installroot" != "default" ]; then mkdir -p $installroot @@ -102,12 +177,12 @@ if [ "$installroot" != "default" ]; then fi echo "Build Directory : $builddir" -echo "Bro Source Directory : $brodist" +echo "Zeek Source Directory : $zeekdist" mkdir -p $builddir cd $builddir -cmake $CMakeCacheEntries .. +"$CMakeCommand" $CMakeCacheEntries .. echo "# This is the command used to configure this build" > config.status echo $command >> config.status diff --git a/scripts/Corelight/PE_XOR/__load__.bro b/scripts/Corelight/PE_XOR/__load__.zeek similarity index 88% rename from scripts/Corelight/PE_XOR/__load__.bro rename to scripts/Corelight/PE_XOR/__load__.zeek index ab229b8..53e9c3d 100644 --- a/scripts/Corelight/PE_XOR/__load__.bro +++ b/scripts/Corelight/PE_XOR/__load__.zeek @@ -2,5 +2,5 @@ # loaded automatically at that point. # -@load ./main.bro +@load ./main diff --git a/scripts/Corelight/PE_XOR/main.bro b/scripts/Corelight/PE_XOR/main.zeek similarity index 96% rename from scripts/Corelight/PE_XOR/main.bro rename to scripts/Corelight/PE_XOR/main.zeek index 0fd23ab..0b4af69 100644 --- a/scripts/Corelight/PE_XOR/main.bro +++ b/scripts/Corelight/PE_XOR/main.zeek @@ -1,7 +1,7 @@ ##! Detect Windows executable (PE) files that are XOR-encrypted. ##! The XOR key can be up to 30 characters long. ##! -##! Copyright 2017, Corelight, Inc. All rights reserved. +##! Copyright 2017-2021, Corelight, Inc. All rights reserved. @load base/frameworks/files @load base/frameworks/notice diff --git a/scripts/__load__.bro b/scripts/__load__.bro deleted file mode 100644 index 540aeb8..0000000 --- a/scripts/__load__.bro +++ /dev/null 
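Review bot: Every `append_cache_entry ... \`${zeek_config} --...\`` call passes the command substitution unquoted and never checks its exit status, so a zeek-config that is present but fails (or prints a path containing whitespace) produces empty or split cache entries and configure carries on as if nothing happened. Quote each result, e.g. `append_cache_entry BRO_CONFIG_PREFIX PATH "\`${zeek_config} --prefix\`"`, and bail out on the first failure: `prefix=\`${zeek_config} --prefix\` || { echo "${zeek_config} --prefix failed" >&2; exit 1; }`. Two smaller points in the same hunk: the cmake lookup uses `command -v` while the zeek-config lookup uses `type`, and the "Either 'zeek-config' must be in PATH ..." message goes to stdout while every other diagnostic in this script goes to stderr. The `installroot` block that starts at the end of the hunk continues past it.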
@@ -1,14 +0,0 @@ -# -# This is loaded unconditionally at Bro startup. Include scripts here that should -# always be loaded. -# -# Normally, that will be only code that initializes built-in elements. Load -# your standard scripts in -# scripts///__load__.bro instead. -# - -@load ./init.bro -@load ./Corelight/PE_XOR - - - diff --git a/scripts/__load__.zeek b/scripts/__load__.zeek new file mode 100644 index 0000000..d5ae7b1 --- /dev/null +++ b/scripts/__load__.zeek @@ -0,0 +1,8 @@ +# This is loaded unconditionally at Zeek startup. Include scripts here that should +# always be loaded. + +@load ./init +@load ./Corelight/PE_XOR + + + diff --git a/scripts/init.bro b/scripts/init.zeek similarity index 100% rename from scripts/init.bro rename to scripts/init.zeek diff --git a/src/PE_XOR.cc b/src/PE_XOR.cc index 188776e..37b8c3d 100644 --- a/src/PE_XOR.cc +++ b/src/PE_XOR.cc @@ -1,18 +1,16 @@ // Copyright 2017, Corelight, Inc. All rights reserved. -#include "BroString.h" - #include "PE_XOR.h" -#include "file_analysis/Manager.h" +#include "zeek/file_analysis/Manager.h" #define NULL_SECTION_START 0x1a #define NULL_SECTION_END 0x38 #define MAX_KEY_LEN 30 -using namespace file_analysis; +namespace zeek::file_analysis::detail { -PE_XOR::PE_XOR(RecordVal* args, File* file) - : file_analysis::Analyzer(file_mgr->GetComponentTag("PE_XOR"), args, file) +PE_XOR::PE_XOR(RecordValPtr args, file_analysis::File* file) + : file_analysis::Analyzer(file_mgr->GetComponentTag("PE_XOR"), std::move(args), file) { offset = 0; key_found = false; @@ -30,7 +28,7 @@ bool PE_XOR::DeliverStream(const u_char* data, uint64_t len) if ( ! key_found && len < 512 ) { - // This probably shouln't happen. + // This probably shouldn't happen. skip = true; return true; } 
@@ -42,11 +40,10 @@ bool PE_XOR::DeliverStream(const u_char* data, uint64_t len) { file_id = file_mgr->HashHandle(GetFile()->GetID()); - val_list* vl = new val_list(); - vl->append(GetFile()->GetVal()->Ref()); - vl->append(new StringVal(new BroString((const u_char *)key, key_len, 1))); - vl->append(new StringVal(file_id)); - mgr.QueueEvent(pe_xor_found, vl); + zeek::event_mgr.Enqueue(pe_xor_found, + GetFile()->ToVal(), + zeek::make_intrusive(key_len, reinterpret_cast(key)), + zeek::make_intrusive(file_id)); } else { @@ -61,14 +58,12 @@ bool PE_XOR::DeliverStream(const u_char* data, uint64_t len) for ( uint64_t i = 0; i < len; ++i ) plaintext[i] = data[i] ^ key[(i + offset) % key_len]; - file_mgr->DataIn(plaintext, len, file_id, string(fmt("XOR decrypted from ")) + GetFile()->GetID()); + file_mgr->DataIn(plaintext, len, file_id, std::string(zeek::util::fmt("XOR decrypted from ")) + GetFile()->GetID()); } else { - val_list* vl = new val_list(); - vl->append(GetFile()->GetVal()->Ref()); - mgr.QueueEvent(pe_xor_not_found, vl); + zeek::event_mgr.Enqueue(pe_xor_not_found, GetFile()->ToVal()); } @@ -149,3 +144,5 @@ bool PE_XOR::EndOfFile() file_mgr->EndOfFile(file_id); return false; } + +} // namespace zeek::file_analysis::detail diff --git a/src/PE_XOR.h b/src/PE_XOR.h index c2dac85..a15f2b4 100644 --- a/src/PE_XOR.h +++ b/src/PE_XOR.h 
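Review bot: In the `@@ -61,14 +58,12 @@` hunk, `std::string(zeek::util::fmt("XOR decrypted from ")) + GetFile()->GetID()` runs a printf-style formatter over a constant with no arguments; it buys nothing and means any future `%` in that literal would be interpreted as a conversion. The plain form is `file_mgr->DataIn(plaintext, len, file_id, std::string("XOR decrypted from ") + GetFile()->GetID());`. The surrounding `DeliverStream` body, including where `plaintext` is allocated, lies outside the hunk, so I cannot see whether that buffer is released on the early-return paths.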
@@ -1,31 +1,31 @@ -// Copyright 2017, Corelight, Inc. All rights reserved. +// Copyright 2017-2021, Corelight, Inc. All rights reserved. #pragma once -#include "Val.h" -#include "file_analysis/File.h" -#include "file_analysis/Analyzer.h" +#include + +#include "zeek/file_analysis/File.h" +#include "zeek/file_analysis/Analyzer.h" #include "pe_xor.bif.h" -namespace file_analysis { +namespace zeek::file_analysis::detail { /** * Analyze XOR-encrypted Portable Executable files */ class PE_XOR : public file_analysis::Analyzer { public: - ~PE_XOR(); + ~PE_XOR() override; - static file_analysis::Analyzer* Instantiate(RecordVal* args, File* file) + static file_analysis::Analyzer* Instantiate(RecordValPtr args, file_analysis::File* file) { return new PE_XOR(args, file); } - virtual bool DeliverStream(const u_char* data, uint64_t len); - - virtual bool EndOfFile(); + bool DeliverStream(const u_char* data, uint64_t len) override; + bool EndOfFile() override; protected: - PE_XOR(RecordVal* args, File* file); + PE_XOR(RecordValPtr args, file_analysis::File* file); bool FindKey(const u_char* data); @@ -41,8 +41,9 @@ class PE_XOR : public file_analysis::Analyzer { bool key_found; bool skip; - string file_id; + std::string file_id; }; -} // namespace file_analysis +} // namespace zeek::file_analysis::detail + diff --git a/src/Plugin.cc b/src/Plugin.cc index 57980ec..6437c71 100644 --- a/src/Plugin.cc +++ b/src/Plugin.cc 
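Review bot: `Instantiate` takes `RecordValPtr args` by value and then copies it into the constructor with `return new PE_XOR(args, file);`, while the constructor in PE_XOR.cc already moves its own by-value parameter; the extra copy is a refcount round-trip for nothing. Make it `{ return new PE_XOR(std::move(args), file); }`. The `#include` target on the line above the zeek headers is blank on this page, so I cannot tell whether `<utility>` is already pulled in here.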
@@ -1,23 +1,22 @@ // Copyright 2017, Corelight, Inc. All rights reserved. -#include "Plugin.h" +#include "zeek/plugin/Plugin.h" +#include "zeek/file_analysis/Component.h" #include "PE_XOR.h" -#include "plugin/Plugin.h" -#include "file_analysis/Component.h" +namespace zeek::plugin::detail::Corelight_PE_XOR { -namespace plugin { namespace Corelight_PE_XOR { Plugin plugin; } } +class Plugin : public zeek::plugin::Plugin { +public: + zeek::plugin::Configuration Configure() override + { + AddComponent(new zeek::file_analysis::Component("PE_XOR", zeek::file_analysis::detail::PE_XOR::Instantiate)); -using namespace plugin::Corelight_PE_XOR; + zeek::plugin::Configuration config; + config.name = "Corelight::PE_XOR"; + config.description = "Plugin to detect and decrypt XOR-encrypted EXEs"; + return config; + } +} plugin; -plugin::Configuration Plugin::Configure() - { - AddComponent(new ::file_analysis::Component("PE_XOR", ::file_analysis::PE_XOR::Instantiate)); - - plugin::Configuration config; - config.name = "Corelight::PE_XOR"; - config.description = "Plugin to detect and decrypt XOR-encrypted EXEs"; - config.version.major = 1; - config.version.minor = 2; - return config; - } +} diff --git a/src/Plugin.h b/src/Plugin.h index 4b610d6..e0369e2 100644 --- a/src/Plugin.h +++ b/src/Plugin.h @@ -1,10 +1,10 @@ -// Copyright 2017, Corelight, Inc. All rights reserved. +// Copyright 2017-2021, Corelight, Inc. All rights reserved. #pragma once -#include +#include -namespace plugin { +namespace zeek::plugin { namespace Corelight_PE_XOR { class Plugin : public ::plugin::Plugin diff --git a/tests/Baseline/pe_xor.nuclear_ek/files.log b/tests/Baseline/pe_xor.nuclear_ek/files.log deleted file mode 100644 index 988ca4a..0000000 --- a/tests/Baseline/pe_xor.nuclear_ek/files.log +++ /dev/null 
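Review bot: The rewritten `Configure()` drops `config.version.major = 1; config.version.minor = 2;` without replacement, and the same commit deletes the VERSION file, so the plugin no longer advertises any version; `zeek -NN Corelight::PE_XOR` (which tests/pe_xor/show-plugin.zeek diffs) will presumably show 0.0.0 and no baseline for that test appears in the diffstat. If the version was meant to be dropped, say so in CHANGES; otherwise restore the two assignments (plus `config.version.patch` if you want the full triple) before `return config;`.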
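Review bot: Plugin.h is now stale: Plugin.cc stops including it (`-#include "Plugin.h"`) and defines its own `class Plugin` in `zeek::plugin::detail::Corelight_PE_XOR`, yet this header still declares `class Plugin : public ::plugin::Plugin` inside `zeek::plugin { namespace Corelight_PE_XOR`, a different namespace and a base class that is not the Zeek 4 `zeek::plugin::Plugin`. Nothing in the diff includes it any more, so either delete the file or make it the single declaration that Plugin.cc then includes. The class body and the closing namespaces continue past the hunk, and the `#include` target is blank on this page.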
@@ -1,26 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path files -#open 2017-07-15-16-05-23 -#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size -#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count -1428602839.486930 FDfOpRPqMYk61IR23 108.61.188.200 192.168.122.89 CHhAvVGS1DHFjwGM9 HTTP 0 PE_XOR text/html - 0.347077 - F 43962 - 0 0 F - - - - - - - -1428602840.129090 F8iRoX3bBJRy0nUlMi 108.61.188.200 192.168.122.89 CHhAvVGS1DHFjwGM9 HTTP 0 PE_XOR application/x-shockwave-flash 4a71 0.059273 - F 15463 15463 0 0 F - - - - - - - -1428602842.525435 FYBGcJ87VHkNoFjU2 (empty) (empty) (empty) XOR decrypted from FCS4r5gqymgxis4D2 0 PE,PE_XOR application/x-dosexec - 2.480445 - - 929792 - 0 0 F - - - - - - - -1428602842.524765 FCS4r5gqymgxis4D2 108.61.188.200 192.168.122.89 ClEkJM2Vm5giqnMf4h HTTP 0 PE_XOR - 4a71 2.481115 - F 929792 929792 0 0 F - - - - - - - -1428602848.190101 F3kS7x41EhAWb5TSr 208.83.223.34 192.168.122.89 C4J4Th3PJpwUYZZ6gc SSL 0 MD5,PE_XOR,SHA1,X509 application/pkix-cert - 0.000000 - F 451 - 0 0 F - 010b8a1f895912fcfabbb5815e135121 00fed3f0593a011b0175d549a8f5bc171b6d5c22 - - - - -1428602849.066615 FpjwMG2ruqYhNGtGa1 216.58.216.205 192.168.122.89 CUM0KZ3MLUfNB0cl11 SSL 0 MD5,PE_XOR,SHA1,X509 application/pkix-cert - 0.000000 - F 1156 - 0 0 F - 4f70e1becce15c750ee17486206c1f0f c91cf78a7bb25a7b8f372705fb7eaaae4a75da6e - - - - -1428602849.066615 FXUwCl18ZAb5lNlXMk 216.58.216.205 192.168.122.89 CUM0KZ3MLUfNB0cl11 SSL 0 MD5,PE_XOR,SHA1,X509 application/pkix-cert - 0.000000 - F 1012 - 0 0 F - 46f1bf2f24dd3aa9cfd760a3bade5ec7 bbdce13e9d537a5229915cb123c7aab0a855e798 - - - - -1428602849.066615 
F4BE024eOsC1A5AdOa 216.58.216.205 192.168.122.89 CUM0KZ3MLUfNB0cl11 SSL 0 MD5,PE_XOR,SHA1,X509 application/pkix-cert - 0.000000 - F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 - - - - -1428602849.704907 FBVYrp23bkYp4qIdo8 173.194.43.74 192.168.122.89 CP5puj4I8PtEU4qzYg SSL 0 MD5,PE_XOR,SHA1,X509 application/pkix-cert - 0.000000 - F 1410 - 0 0 F - 661ffc2f50b856dc763b288163a1d091 589895422ab16511e1495151ccef1296246c0f92 - - - - -1428602849.704907 FJtbGe26tAJS7lFcCh 173.194.43.74 192.168.122.89 CP5puj4I8PtEU4qzYg SSL 0 MD5,PE_XOR,SHA1,X509 application/pkix-cert - 0.000000 - F 1012 - 0 0 F - 46f1bf2f24dd3aa9cfd760a3bade5ec7 bbdce13e9d537a5229915cb123c7aab0a855e798 - - - - -1428602849.704907 F1Pcft4OKv48jJwbob 173.194.43.74 192.168.122.89 CP5puj4I8PtEU4qzYg SSL 0 MD5,PE_XOR,SHA1,X509 application/pkix-cert - 0.000000 - F 897 - 0 0 F - 2e7db2a31d0e3da4b25f49b9542a2e1a 7359755c6df9a0abc3060bce369564c8ec4542a3 - - - - -1428602853.526081 FK531n1WIOCVbDsLGd 86.59.21.38 192.168.122.89 C0LAHyvtKSQHyJxIl SSL 0 MD5,PE_XOR,SHA1,X509 application/pkix-cert - 0.000000 - F 454 - 0 0 F - 198425edc45935ee452818e8edd6382b b04b8ef048e1413ebbe1f0d42049ad22b3ceaed2 - - - - -1428602855.845386 FB224W9tNHIJOpog7 178.254.8.187 192.168.122.89 CFLRIC3zaTU1loLGxh SSL 0 MD5,PE_XOR,SHA1,X509 application/pkix-cert - 0.000000 - F 451 - 0 0 F - f096dae73e1f840ddf3cc5809e237b6f 679e34cc49219f923a1e2daea35275314263e45f - - - - -1428602855.944397 FPaZet4gIRVBYHRVP1 46.252.26.2 192.168.122.89 Ck51lg1bScffFj34Ri SSL 0 MD5,PE_XOR,SHA1,X509 application/pkix-cert - 0.000000 - F 443 - 0 0 F - 2fb2c1e617adc9fe52c66cbe100372b3 6b64545c752f2fb319662ea7397a5e33cbba3e97 - - - - -1428602856.287500 F9GW3T6G7yN9DAxp4 91.220.163.62 192.168.122.89 C9rXSW3KSpTYvPrlI1 SSL 0 MD5,PE_XOR,SHA1,X509 application/pkix-cert - 0.000000 - F 448 - 0 0 F - 90a81f934e6baa2eb3109e6cfdf5ef6f ec4800be2e6c3f18c2071518740cb24d5a1e4ef3 - - - - -1428602877.338739 FUgXmH3i54OERhzRG2 77.72.80.9 
192.168.122.89 CNnMIj2QSd84NKf7U3 HTTP 0 PE_XOR text/html - 0.048577 - F 4559 - 0 0 F - - - - - - - -1428603236.508634 FQ1skFv3NpoZsrrWk 91.220.163.62 192.168.122.89 C7fIlMZDuRiqjpYbb SSL 0 MD5,PE_XOR,SHA1,X509 application/pkix-cert - 0.000000 - F 448 - 0 0 F - 90a81f934e6baa2eb3109e6cfdf5ef6f ec4800be2e6c3f18c2071518740cb24d5a1e4ef3 - - - - -#close 2017-07-15-16-05-23 diff --git a/tests/Baseline/pe_xor.nuclear_ek/http.log b/tests/Baseline/pe_xor.nuclear_ek/http.log deleted file mode 100644 index 185905a..0000000 --- a/tests/Baseline/pe_xor.nuclear_ek/http.log +++ /dev/null 
@@ -1,14 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path http -#open 2017-07-15-16-05-23 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types -#types time string addr port addr port count string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string] -1428602839.244262 CHhAvVGS1DHFjwGM9 192.168.122.89 49227 108.61.188.200 80 1 GET ambasawild.ga /VVgGCR4KB0wL.html http://fdsvmfkldv.com/index.html?t=a933392c823b24acd8ef64e57c4dd54b 1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) 0 43962 200 OK - - (empty) - - - - - - FDfOpRPqMYk61IR23 - text/html -1428602839.947316 CHhAvVGS1DHFjwGM9 192.168.122.89 49227 108.61.188.200 80 2 GET ambasawild.ga /BEFBRFZZAgFFC1MdC00JVgoNBgkLWVMJTQlbChsBDA1PUAoGFlAMBkxfVVM http://ambasawild.ga/VVgGCR4KB0wL.html 1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) 0 15463 200 OK - - (empty) - - - - - - F8iRoX3bBJRy0nUlMi 4a71 application/x-shockwave-flash -1428602842.013068 ClEkJM2Vm5giqnMf4h 192.168.122.89 49246 108.61.188.200 80 1 GET ambasawild.ga /B1BdXR4MVAcIRVNTRQNEUwwHCA8JU1kLAURTAQceCAxVTwgCD0wKAQNFDB0Tf31TLVtSQEA - 1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) 0 929792 200 OK - - (empty) - - - - - - FCS4r5gqymgxis4D2 4a71 - -1428602845.056636 CHhAvVGS1DHFjwGM9 
192.168.122.89 49227 108.61.188.200 80 3 GET ambasawild.ga /B1BdXR4MVAcIRVNTRQNEUwwHCA8JU1kLAURTAQceCAxVTwgCD0wKAQNFDB0ib1d9FkQH - 1.1 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0) 0 0 200 OK - - (empty) - - - - - - - - - -1428602876.429731 CNnMIj2QSd84NKf7U3 192.168.122.89 49267 77.72.80.9 80 1 GET myip.ru / - 1.1 default 1.2c 0 4559 200 OK - - (empty) - - - - - - FUgXmH3i54OERhzRG2 - text/html -#close 2017-07-15-16-05-23 diff --git a/tests/Baseline/pe_xor.nuclear_ek/notice.log b/tests/Baseline/pe_xor.nuclear_ek/notice.log index fde28cd..46e9d42 100644 --- a/tests/Baseline/pe_xor.nuclear_ek/notice.log +++ b/tests/Baseline/pe_xor.nuclear_ek/notice.log 
@@ -1,10 +1,11 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path notice -#open 2017-07-15-16-05-23 -#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude -#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double -1428602842.525435 ClEkJM2Vm5giqnMf4h 192.168.122.89 49246 108.61.188.200 80 FCS4r5gqymgxis4D2 - http://ambasawild.ga/B1BdXR4MVAcIRVNTRQNEUwwHCA8JU1kLAURTAQceCAxVTwgCD0wKAQNFDB0Tf31TLVtSQEA tcp Corelight::XOR_Encrypted_PE_File_Seen Executable file XOR encrypted with hex key 0x72464C6B4F63677079 Decrypted File ID: FYBGcJ87VHkNoFjU2 192.168.122.89 108.61.188.200 80 - bro Notice::ACTION_LOG 3600.000000 F - - - - - -#close 2017-07-15-16-05-23 +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude +#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.122.89 49246 108.61.188.200 80 FEieEe1f1SI6YJk4H5 - http://ambasawild.ga/B1BdXR4MVAcIRVNTRQNEUwwHCA8JU1kLAURTAQceCAxVTwgCD0wKAQNFDB0Tf31TLVtSQEA tcp Corelight::XOR_Encrypted_PE_File_Seen Executable file XOR encrypted with hex key 0x72464C6B4F63677079 Decrypted File ID: F2arkQ3SMRqlY6qqy8 192.168.122.89 108.61.188.200 80 - - Notice::ACTION_LOG 
360XXXXXXXXXX.XXXXXX - - - - - +#close XXXX-XX-XX-XX-XX-XX diff --git a/tests/Baseline/pe_xor.nuclear_ek/pe.log b/tests/Baseline/pe_xor.nuclear_ek/pe.log deleted file mode 100644 index fe2e1e0..0000000 --- a/tests/Baseline/pe_xor.nuclear_ek/pe.log +++ /dev/null @@ -1,10 +0,0 @@ -#separator \x09 -#set_separator , -#empty_field (empty) -#unset_field - -#path pe -#open 2015-04-22-00-28-08 -#fields ts id machine compile_ts os subsystem is_exe is_64bit uses_aslr uses_dep uses_code_integrity uses_seh has_import_table has_export_table has_cert_table has_debug_data section_names -#types time string string time string string bool bool bool bool bool bool bool bool bool bool vector[string] -1428602842.525435 FYBGcJ87VHkNoFjU2 I386 1427533229.000000 Windows 95 or NT 4.0 WINDOWS_GUI T T F F F T T F F F .text, rdata,.data,.idata,.rsrc,.reloc -#close 2015-04-22-00-28-09 diff --git a/tests/Scripts/diff-remove-timestamps b/tests/Scripts/diff-remove-timestamps new file mode 100755 index 0000000..325268d --- /dev/null +++ b/tests/Scripts/diff-remove-timestamps @@ -0,0 +1,13 @@ +#! /usr/bin/env bash +# +# Replace anything which looks like timestamps with XXXs (including the #start/end markers in logs). + +# Get us "modern" regexps with sed. +if [ `uname` == "Linux" ]; then + sed="sed -r" +else + sed="sed -E" +fi + +$sed 's/(0\.000000)|([0-9]{9,10}\.[0-9]{2,8})/XXXXXXXXXX.XXXXXX/g' | \ +$sed 's/^ *#(open|close).(19|20)..-..-..-..-..-..$/#\1 XXXX-XX-XX-XX-XX-XX/g' diff --git a/tests/Scripts/get-bro-env b/tests/Scripts/get-bro-env deleted file mode 100755 index b568b8b..0000000 --- a/tests/Scripts/get-bro-env +++ /dev/null 
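Review bot: The first alternative `(0\.000000)` is not anchored to a field boundary, so it also matches the tail of the `suppress_for` interval `3600.000000`; the effect is visible in the new notice.log baseline, which now reads `360XXXXXXXXXX.XXXXXX` instead of `3600.000000`. Require a non-digit (or line start) before it: `$sed -e 's/(^|[^0-9.])0\.000000/\1XXXXXXXXXX.XXXXXX/g' -e 's/[0-9]{9,10}\.[0-9]{2,8}/XXXXXXXXXX.XXXXXX/g' | \`. This looks copied from Zeek's own helper, so if you keep it for parity with upstream, at least the baseline should be regenerated whenever it changes.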
@@ -1,21 +0,0 @@ -#! /bin/sh -# -# BTest helper for getting values for Bro-related environment variables. - -base=`dirname $0` -bro=`cat ${base}/../../build/CMakeCache.txt | grep BRO_DIST | cut -d = -f 2` - -if [ "$1" = "brobase" ]; then - echo ${bro} -elif [ "$1" = "bropath" ]; then - ${bro}/build/bro-path-dev -elif [ "$1" = "bro_plugin_path" ]; then - ( cd ${base}/../.. && pwd ) -elif [ "$1" = "bro_seed_file" ]; then - echo ${bro}/testing/btest/random.seed -elif [ "$1" = "path" ]; then - echo ${bro}/build/src:${bro}/aux/btest:${base}/:${bro}/aux/bro-cut:$PATH -else - echo "usage: `basename $0` " >&2 - exit 1 -fi diff --git a/tests/Scripts/get-zeek-env b/tests/Scripts/get-zeek-env new file mode 100755 index 0000000..129e0fb --- /dev/null +++ b/tests/Scripts/get-zeek-env @@ -0,0 +1,36 @@ +#! /bin/sh +# +# BTest helper for getting values for Zeek-related environment variables. + +base=`dirname $0` +zeek_dist=`cat ${base}/../../build/CMakeCache.txt | grep ZEEK_DIST | cut -d = -f 2` + +if [ -n "${zeek_dist}" ]; then + if [ "$1" = "zeekpath" ]; then + ${zeek_dist}/build/zeek-path-dev + elif [ "$1" = "zeek_plugin_path" ]; then + ( cd ${base}/../.. && pwd ) + elif [ "$1" = "path" ]; then + echo ${zeek_dist}/build/src:${zeek_dist}/aux/btest:${zeek_dist}/auxil/btest:${base}/:${zeek_dist}/aux/zeek-cut:${zeek_dist}/auxil/zeek-cut:$PATH + else + echo "usage: `basename $0` " >&2 + exit 1 + fi +else + # Use Zeek installation for testing. In this case zeek-config must be in PATH. + if ! which zeek-config >/dev/null; then + echo "zeek-config not found" >&2 + exit 1 + fi + + if [ "$1" = "zeekpath" ]; then + zeek-config --zeekpath + elif [ "$1" = "zeek_plugin_path" ]; then + ( cd ${base}/../.. && pwd ) + elif [ "$1" = "path" ]; then + echo ${PATH} + else + echo "usage: `basename $0` " >&2 + exit 1 + fi +fi diff --git a/tests/btest.cfg b/tests/btest.cfg index d07bf94..892c4ce 100644 --- a/tests/btest.cfg +++ b/tests/btest.cfg 
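Review bot: In the `else` arm, `if ! which zeek-config >/dev/null; then` relies on `which`, which is not POSIX and on some platforms exits 0 even when nothing is found, while the sibling configure script detects the same binary with `type`/`command -v`; use `if ! command -v zeek-config >/dev/null 2>&1; then` in this `#! /bin/sh` script. The `zeek_plugin_path` and `usage` branches are duplicated verbatim in both arms and could be hoisted above the `if [ -n "${zeek_dist}" ]` split. `${zeek_dist}/build/zeek-path-dev` is also invoked unquoted, so a dist path with whitespace breaks it.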
@@ -6,14 +6,12 @@ IgnoreDirs = .svn CVS .tmp IgnoreFiles = *.tmp *.swp #* *.trace .DS_Store [environment] -BROBASE=`bro-config --bro_dist` -BROPATH=`bro-config --bropath` -BRO_PLUGIN_PATH=%(testbase)s/../build:`bro-config --plugin_dir` -PATH=`%(testbase)s/Scripts/get-bro-env path` -BRO_TRACES=`bro-config --bro_dist`/testing/btest/Traces -BRO_SEED_FILE=`bro-config --bro_dist`/testing/btest/random.seed -TEST_DIFF_CANONIFIER=`bro-config --bro_dist`/testing/scripts/diff-canonifier +ZEEKPATH=`%(testbase)s/Scripts/get-zeek-env zeekpath` +ZEEK_PLUGIN_PATH=`%(testbase)s/Scripts/get-zeek-env zeek_plugin_path` +ZEEK_SEED_FILE=%(testbase)s/random.seed +PATH=`%(testbase)s/Scripts/get-zeek-env path` TZ=UTC LC_ALL=C TRACES=%(testbase)s/Traces TMPDIR=%(testbase)s/.tmp +TEST_DIFF_CANONIFIER=%(testbase)s/Scripts/diff-remove-timestamps diff --git a/tests/pe_xor/nuclear_ek.bro b/tests/pe_xor/nuclear_ek.zeek similarity index 52% rename from tests/pe_xor/nuclear_ek.bro rename to tests/pe_xor/nuclear_ek.zeek index 77a6ced..e6748f5 100644 --- a/tests/pe_xor/nuclear_ek.bro +++ b/tests/pe_xor/nuclear_ek.zeek @@ -1,10 +1,7 @@ # This tests a XOR-encoded EXE downloaded from the Nuclear Exploit Kit. # See: http://malware-traffic-analysis.net/2015/04/09/index.html -# @TEST-EXEC: bro -r $TRACES/2015-04-09-Nuclear-EK-traffic.pcap %INPUT > output -# @TEST-EXEC: btest-diff files.log -# @TEST-EXEC: btest-diff http.log -# @TEST-EXEC: btest-diff pe.log +# @TEST-EXEC: zeek -r $TRACES/2015-04-09-Nuclear-EK-traffic.pcap %INPUT > output # @TEST-EXEC: btest-diff notice.log @load Corelight/PE_XOR diff --git a/tests/pe_xor/show-plugin.bro b/tests/pe_xor/show-plugin.bro deleted file mode 100644 index fc1401a..0000000 --- a/tests/pe_xor/show-plugin.bro +++ /dev/null @@ -1,2 +0,0 @@ -# @TEST-EXEC: bro -NN Corelight::PE_XOR >output -# @TEST-EXEC: btest-diff output diff --git a/tests/pe_xor/show-plugin.zeek b/tests/pe_xor/show-plugin.zeek new file mode 100644 index 0000000..3dd2fa8 --- /dev/null 
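Review bot: Dropping `btest-diff files.log` and `btest-diff pe.log` removes the only assertions that decryption actually produces an executable: the deleted files.log baseline carried the `XOR decrypted from FCS4r5gqymgxis4D2` entry with analyzers `PE,PE_XOR` and mime type `application/x-dosexec`, and pe.log showed a parsed PE header, whereas notice.log only proves a key was found. With the new timestamp canonifier in btest.cfg those logs should diff stably, so keep at least `# @TEST-EXEC: btest-diff files.log` and re-baseline it; http.log is the one that adds little here.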
+++ b/tests/pe_xor/show-plugin.zeek @@ -0,0 +1,2 @@ +# @TEST-EXEC: zeek -NN Corelight::PE_XOR >output +# @TEST-EXEC: btest-diff output diff --git a/tests/random.seed b/tests/random.seed new file mode 100644 index 0000000..6956a2c --- /dev/null +++ b/tests/random.seed @@ -0,0 +1,21 @@ +2983378351 +1299727368 +0 +310447 +0 +1409073626 +3975311262 +34130240 +1450515018 +1466150520 +1342286698 +1193956778 +2188527278 +3361989254 +3912865238 +3596260151 +517973768 +1462428821 +0 +2278350848 +32767