added Malcolm

2021-08-06 10:35:01 +02:00
parent f043730066
commit 70f1922e80
751 changed files with 195277 additions and 0 deletions


@@ -0,0 +1,47 @@
#!/usr/bin/env zeek
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
@load ./extractor_params
global extractor_extract_mode = (getenv("ZEEK_EXTRACTOR_MODE") == "") ? extractor_extract_known : getenv("ZEEK_EXTRACTOR_MODE");
global extractor_max_size = (getenv("EXTRACTED_FILE_MAX_BYTES") == "") ? extractor_max_size_default : to_count(getenv("EXTRACTED_FILE_MAX_BYTES"));
redef FileExtract::prefix = (getenv("ZEEK_EXTRACTOR_PATH") == "") ? "./extract_files/" : getenv("ZEEK_EXTRACTOR_PATH");
event file_sniff(f: fa_file, meta: fa_metadata) {
# extract all files OR
if ((extractor_extract_mode == extractor_extract_all) ||
# we don't know the mime type and we always want to extract unknowns OR
((! meta?$mime_type) && extractor_always_extract_unknown) ||
# we only want to extract knowns and we know the mime type OR
((extractor_extract_mode == extractor_extract_known) && meta?$mime_type) ||
# we only want to extract mime->extension mapped files, we know the mimetype, and the mime type is mapped
((extractor_extract_mode == extractor_extract_mapped) && meta?$mime_type && (meta$mime_type in extractor_mime_to_ext_map))) {
local ext: string = "";
if (! meta?$mime_type)
ext = extractor_mime_to_ext_map["default"];
else if (meta$mime_type in extractor_mime_to_ext_map)
ext = extractor_mime_to_ext_map[meta$mime_type];
else
ext = split_string(meta$mime_type, /\//)[1];
local ftime: time = 0.0;
if (! f?$last_active)
ftime = f$last_active;
else
ftime = network_time();
local uid: string = "unknown";
if (f?$conns)
# todo this is a little hacky, figure out how to do this better
for (cid in f$conns) {
uid = f$conns[cid]$uid;
break;
}
local fname = fmt("%s-%s-%s-%s.%s", f$source, f$id, uid, strftime("%Y%m%d%H%M%S", ftime), ext);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname, $extract_limit=extractor_max_size]);
}
}
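Review bot: The `last_active` test in the `ftime` assignment is inverted: `if (! f?$last_active) ftime = f$last_active;` reads the field exactly when it is absent (and if the field is always present, the `else` branch always runs and `f$last_active` never reaches the filename); it should read `if (f?$last_active) ftime = f$last_active; else ftime = network_time();`. Two other inputs in this file deserve a guard: `to_count(getenv("EXTRACTED_FILE_MAX_BYTES"))` fails at startup on a non-numeric value, and `split_string(meta$mime_type, /\//)[1]` indexes past the end of the vector for a sniffed type containing no `/`, which aborts the handler before `Files::add_analyzer` is reached so that file is not extracted. Since `ext` ends up in an on-disk filename under `FileExtract::prefix`, a short comment stating that it is derived from Zeek's own mime sniffing (`meta$mime_type`) rather than from protocol headers would help the next reader judge how much to trust the name.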


@@ -0,0 +1,106 @@
#!/usr/bin/env zeek
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
export {
redef extractor_always_extract_unknown = F;
redef extractor_mime_to_ext_map : table[string] of string = {
["application/binary"]= "bin",
["application/ecmascript"]= "es",
["application/hta"]= "hta",
["application/java-archive"]= "jar",
["application/java-serialized-object"]= "ser",
["application/java-vm"]= "class",
["application/javascript"]= "js",
["application/ms-vsi"]= "vsi",
["application/msaccess"]= "accdb",
["application/msaccess.addin"]= "accda",
["application/msaccess.cab"]= "accdc",
["application/msaccess.ftemplate"]= "accft",
["application/msaccess.runtime"]= "accdr",
["application/msaccess.webapplication"]= "accdw",
["application/msexcel"]= "xls",
["application/mspowerpoint"]= "ppt",
["application/msword"]= "doc",
["application/octet-stream"]= "bin",
["application/pdf"]= "pdf",
["application/PowerShell"]= "psc1",
["application/rtf"]= "rtf",
["application/vnd.apple.installer+xml"]= "mpkg",
["application/vnd.microsoft.portable-executable"]= "exe",
["application/vnd.ms-cab-compressed"]= "cab",
["application/vnd.ms-excel"]= "xls",
["application/vnd.ms-excel.addin.macroEnabled.12"]= "xlam",
["application/vnd.ms-excel.addin.macroenabled.12"]= "xlam",
["application/vnd.ms-excel.sheet.binary.macroEnabled.12"]= "xlsb",
["application/vnd.ms-excel.sheet.binary.macroenabled.12"]= "xlsb",
["application/vnd.ms-excel.sheet.macroEnabled.12"]= "xlsm",
["application/vnd.ms-excel.sheet.macroenabled.12"]= "xlsm",
["application/vnd.ms-excel.template.macroEnabled.12"]= "xltm",
["application/vnd.ms-excel.template.macroenabled.12"]= "xltm",
["application/vnd.ms-office.calx"]= "calx",
["application/vnd.ms-officetheme"]= "thmx",
["application/vnd.ms-powerpoint"]= "ppt",
["application/vnd.ms-powerpoint.addin.macroEnabled.12"]= "ppam",
["application/vnd.ms-powerpoint.addin.macroenabled.12"]= "ppam",
["application/vnd.ms-powerpoint.presentation.macroEnabled.12"]= "pptm",
["application/vnd.ms-powerpoint.presentation.macroenabled.12"]= "pptm",
["application/vnd.ms-powerpoint.slide.macroEnabled.12"]= "sldm",
["application/vnd.ms-powerpoint.slide.macroenabled.12"]= "sldm",
["application/vnd.ms-powerpoint.slideshow.macroEnabled.12"]= "ppsm",
["application/vnd.ms-powerpoint.slideshow.macroenabled.12"]= "ppsm",
["application/vnd.ms-powerpoint.template.macroEnabled.12"]= "potm",
["application/vnd.ms-powerpoint.template.macroenabled.12"]= "potm",
["application/vnd.ms-word.document.macroEnabled.12"]= "docm",
["application/vnd.ms-word.document.macroenabled.12"]= "docm",
["application/vnd.ms-word.template.macroEnabled.12"]= "dotm",
["application/vnd.ms-word.template.macroenabled.12"]= "dotm",
["application/vnd.openofficeorg.extension"]= "oxt",
["application/vnd.openxmlformats-officedocument.presentationml.presentation"]= "pptx",
["application/vnd.openxmlformats-officedocument.presentationml.slide"]= "sldx",
["application/vnd.openxmlformats-officedocument.presentationml.slideshow"]= "ppsx",
["application/vnd.openxmlformats-officedocument.presentationml.template"]= "potx",
["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"]= "xlsx",
["application/vnd.openxmlformats-officedocument.spreadsheetml.template"]= "xltx",
["application/vnd.openxmlformats-officedocument.wordprocessingml.document"]= "docx",
["application/vnd.openxmlformats-officedocument.wordprocessingml.template"]= "dotx",
["application/windows-library+xml"]= "library-ms",
["application/x-7z-compressed"]= "7z",
["application/x-ace-compressed"]= "ace",
["application/x-apple-diskimage"]= "dmg",
["application/x-bzip"]= "bz",
["application/x-bzip2"]= "bz2",
["application/x-cfs-compressed"]= "cfs",
["application/x-compress"]= "z",
["application/x-compressed"]= "tgz",
["application/x-cpio"]= "cpio",
["application/x-csh"]= "csh",
["application/x-dgc-compressed"]= "dgc",
["application/x-dosexec"]= "exe",
["application/x-elf"]= "elf",
["application/x-executable"]= "exe",
["application/x-gca-compressed"]= "gca",
["application/x-gtar"]= "gtar",
["application/x-gzip"]= "gz",
["application/x-install-instructions"]= "install",
["application/x-lzh-compressed"]= "lzh",
["application/x-ms-application"]= "application",
["application/x-ms-installer"]= "msi",
["application/x-ms-shortcut"]= "lnk",
["application/x-msdos-program"]= "exe",
["application/x-msdownload"]= "exe",
["application/x-pe-app-32bit-i386"]= "exe",
["application/x-perl"]= "pl",
["application/x-python"]= "py",
["application/x-rar-compressed"]= "rar",
["application/x-sh"]= "sh",
["application/x-shockwave-flash"]= "swf",
["application/x-zip-compressed"]= "zip",
["application/zip"]= "zip",
["text/jscript"]= "jsx",
["text/rtf"]= "rtf",
["text/vbscript"]= "vbs"
} &default="dat";
}
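Review bot: This override carries no comment explaining that it is a restriction list: because it uses `redef ... =` rather than `+=`, it replaces the full mime-to-extension table wholesale, so in `mapped` extraction mode only the types listed here (executables, scripts, macro-capable Office documents, archives) are written to disk. The paired `macroEnabled`/`macroenabled` entries show the lookup is case-sensitive and must match the exact mime strings Zeek's file signatures emit; a note on that would stop someone from "cleaning up" the apparent duplicates, and it is worth confirming against the installed signature set that common script types are reported under a name present here. Suggested header: `# Subset of extractor_mime_to_ext_map used when ZEEK_EXTRACTOR_MODE=mapped: only these sniffed types are extracted. Keys are case-sensitive and must match Zeek's file-magic mime strings exactly.`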


@@ -0,0 +1,939 @@
#!/usr/bin/env zeek
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
export {
const extractor_extract_none = "none" &redef;
const extractor_extract_known = "known" &redef;
const extractor_extract_mapped = "mapped" &redef;
const extractor_extract_all = "all" &redef;
const extractor_always_extract_unknown = F &redef;
const extractor_max_size_default = 134217728 &redef;
# wget -qO- http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types | egrep -v ^# | awk '{ for (i=2; i<=NF; i++) {print "[\x22"$1"\x22]"" = ""\x22"$i"\x22,"}}' | sort
const extractor_mime_to_ext_map : table[string] of string = {
["application/acad"]= "dwg",
["application/andrew-inset"]= "ez",
["application/annodex"]= "anx",
["application/applixware"]= "aw",
["application/atom+xml"]= "atom",
["application/atomcat+xml"]= "atomcat",
["application/atomsvc+xml"]= "atomsvc",
["application/binary"]= "bin",
["application/ccxml+xml"]= "ccxml",
["application/cdmi-capability"]= "cdmia",
["application/cdmi-container"]= "cdmic",
["application/cdmi-domain"]= "cdmid",
["application/cdmi-object"]= "cdmio",
["application/cdmi-queue"]= "cdmiq",
["application/cu-seeme"]= "cu",
["application/davmount+xml"]= "davmount",
["application/directx"]= "x",
["application/docbook+xml"]= "dbk",
["application/dssc+der"]= "dssc",
["application/dssc+xml"]= "xdssc",
["application/ecmascript"]= "es",
["application/emma+xml"]= "emma",
["application/envoy"]= "evy",
["application/epub+zip"]= "epub",
["application/etl"]= "etl",
["application/exi"]= "exi",
["application/font-sfnt"]= "ttf",
["application/fractals"]= "fif",
["application/fsharp-script"]= "fsscript",
["application/futuresplash"]= "spl",
["application/gml+xml"]= "gml",
["application/gpx+xml"]= "gpx",
["application/gxf"]= "gxf",
["application/hta"]= "hta",
["application/hyperstudio"]= "stk",
["application/inkml+xml"]= "inkml",
["application/internet-property-stream"]= "acx",
["application/ipfix"]= "ipfix",
["application/java-archive"]= "jar",
["application/java-serialized-object"]= "ser",
["application/java-vm"]= "class",
["application/javascript"]= "js",
["application/json"]= "json",
["application/jsonml+json"]= "jsonml",
["application/liquidmotion"]= "jck",
["application/lost+xml"]= "lostxml",
["application/mac-binhex40"]= "hqx",
["application/mac-compactpro"]= "cpt",
["application/mads+xml"]= "mads",
["application/marc"]= "mrc",
["application/marcxml+xml"]= "mrcx",
["application/mathematica"]= "ma",
["application/mathml+xml"]= "mathml",
["application/mbox"]= "mbox",
["application/mediaservercontrol+xml"]= "mscml",
["application/metalink+xml"]= "metalink",
["application/metalink4+xml"]= "meta4",
["application/mets+xml"]= "mets",
["application/mods+xml"]= "mods",
["application/mp21"]= "mp21",
["application/mp4"]= "mp4s",
["application/mpeg"]= "amc",
["application/ms-vsi"]= "vsi",
["application/msaccess"]= "accdb",
["application/msaccess.addin"]= "accda",
["application/msaccess.cab"]= "accdc",
["application/msaccess.ftemplate"]= "accft",
["application/msaccess.runtime"]= "accdr",
["application/msaccess.webapplication"]= "accdw",
["application/msexcel"]= "xls",
["application/mspowerpoint"]= "ppt",
["application/msword"]= "doc",
["application/mxf"]= "mxf",
["application/octet-stream"]= "bin",
["application/oda"]= "oda",
["application/oebps-package+xml"]= "opf",
["application/ogg"]= "ogx",
["application/olescript"]= "axs",
["application/omdoc+xml"]= "omdoc",
["application/onenote"]= "one",
["application/opensearchdescription+xml"]= "osdx",
["application/oxps"]= "oxps",
["application/patch-ops-error+xml"]= "xer",
["application/pdf"]= "pdf",
["application/pgp-encrypted"]= "pgp",
["application/pgp-signature"]= "pgp",
["application/pics-rules"]= "prf",
["application/pkcs10"]= "p10",
["application/pkcs7-mime"]= "p7c",
["application/pkcs7-signature"]= "p7s",
["application/pkcs8"]= "p8",
["application/pkix-attr-cert"]= "ac",
["application/pkix-cert"]= "cer",
["application/pkix-crl"]= "crl",
["application/pkix-pkipath"]= "pkipath",
["application/pkixcmp"]= "pki",
["application/pls+xml"]= "pls",
["application/postscript"]= "ps",
["application/PowerShell"]= "psc1",
["application/prs.cww"]= "cww",
["application/pskc+xml"]= "pskcxml",
["application/rat-file"]= "rat",
["application/rdf+xml"]= "rdf",
["application/reginfo+xml"]= "rif",
["application/relax-ng-compact-syntax"]= "rnc",
["application/resource-lists+xml"]= "rl",
["application/resource-lists-diff+xml"]= "rld",
["application/rls-services+xml"]= "rs",
["application/rpki-ghostbusters"]= "gbr",
["application/rpki-manifest"]= "mft",
["application/rpki-roa"]= "roa",
["application/rsd+xml"]= "rsd",
["application/rss+xml"]= "rss",
["application/rtf"]= "rtf",
["application/sbml+xml"]= "sbml",
["application/scvp-cv-request"]= "scq",
["application/scvp-cv-response"]= "scs",
["application/scvp-vp-request"]= "spq",
["application/scvp-vp-response"]= "spp",
["application/sdp"]= "sdp",
["application/set-payment-initiation"]= "setpay",
["application/set-registration-initiation"]= "setreg",
["application/shf+xml"]= "shf",
["application/smil+xml"]= "smil",
["application/sparql-query"]= "rq",
["application/sparql-results+xml"]= "srx",
["application/srgs"]= "gram",
["application/srgs+xml"]= "grxml",
["application/sru+xml"]= "sru",
["application/ssdl+xml"]= "ssdl",
["application/ssml+xml"]= "ssml",
["application/step"]= "step",
["application/streamingmedia"]= "ssm",
["application/tei+xml"]= "tei",
["application/thraud+xml"]= "tfi",
["application/timestamped-data"]= "tsd",
["application/vnd.3gpp.pic-bw-large"]= "plb",
["application/vnd.3gpp.pic-bw-small"]= "psb",
["application/vnd.3gpp.pic-bw-var"]= "pvb",
["application/vnd.3gpp2.tcap"]= "tcap",
["application/vnd.3m.post-it-notes"]= "pwn",
["application/vnd.accpac.simply.aso"]= "aso",
["application/vnd.accpac.simply.imp"]= "imp",
["application/vnd.acucobol"]= "acu",
["application/vnd.acucorp"]= "acutc",
["application/vnd.adobe.air-application-installer-package+zip"]= "air",
["application/vnd.adobe.formscentral.fcdt"]= "fcdt",
["application/vnd.adobe.fxp"]= "fxp",
["application/vnd.adobe.xdp+xml"]= "xdp",
["application/vnd.adobe.xfdf"]= "xfdf",
["application/vnd.ahead.space"]= "ahead",
["application/vnd.airzip.filesecure.azf"]= "azf",
["application/vnd.airzip.filesecure.azs"]= "azs",
["application/vnd.amazon.ebook"]= "azw",
["application/vnd.americandynamics.acc"]= "acc",
["application/vnd.amiga.ami"]= "ami",
["application/vnd.android.package-archive"]= "apk",
["application/vnd.anser-web-certificate-issue-initiation"]= "cii",
["application/vnd.anser-web-funds-transfer-initiation"]= "fti",
["application/vnd.antix.game-component"]= "atx",
["application/vnd.apple.installer+xml"]= "mpkg",
["application/vnd.apple.mpegurl"]= "m3u8",
["application/vnd.aristanetworks.swi"]= "swi",
["application/vnd.astraea-software.iota"]= "iota",
["application/vnd.audiograph"]= "aep",
["application/vnd.blueice.multipass"]= "mpm",
["application/vnd.bmi"]= "bmi",
["application/vnd.businessobjects"]= "rep",
["application/vnd.chemdraw+xml"]= "cdxml",
["application/vnd.chipnuts.karaoke-mmd"]= "mmd",
["application/vnd.cinderella"]= "cdy",
["application/vnd.claymore"]= "cla",
["application/vnd.cloanto.rp9"]= "rp9",
["application/vnd.clonk.c4group"]= "c4g",
["application/vnd.cluetrust.cartomobile-config"]= "c11amc",
["application/vnd.cluetrust.cartomobile-config-pkg"]= "c11amz",
["application/vnd.commonspace"]= "csp",
["application/vnd.contact.cmsg"]= "cdbcmsg",
["application/vnd.cosmocaller"]= "cmc",
["application/vnd.crick.clicker"]= "clkx",
["application/vnd.crick.clicker.keyboard"]= "clkk",
["application/vnd.crick.clicker.palette"]= "clkp",
["application/vnd.crick.clicker.template"]= "clkt",
["application/vnd.crick.clicker.wordbank"]= "clkw",
["application/vnd.criticaltools.wbs+xml"]= "wbs",
["application/vnd.ctc-posml"]= "pml",
["application/vnd.cups-ppd"]= "ppd",
["application/vnd.curl.car"]= "car",
["application/vnd.curl.pcurl"]= "pcurl",
["application/vnd.dart"]= "dart",
["application/vnd.data-vision.rdz"]= "rdz",
["application/vnd.dece.data"]= "uvd",
["application/vnd.dece.ttml+xml"]= "uvt",
["application/vnd.dece.unspecified"]= "uvx",
["application/vnd.dece.zip"]= "uvz",
["application/vnd.denovo.fcselayout-link"]= "fe_launch",
["application/vnd.dna"]= "dna",
["application/vnd.dolby.mlp"]= "mlp",
["application/vnd.dpgraph"]= "dpg",
["application/vnd.dreamfactory"]= "dfac",
["application/vnd.ds-keypoint"]= "kpxx",
["application/vnd.dvb.ait"]= "ait",
["application/vnd.dvb.service"]= "svc",
["application/vnd.dynageo"]= "geo",
["application/vnd.ecowin.chart"]= "mag",
["application/vnd.enliven"]= "nml",
["application/vnd.epson.esf"]= "esf",
["application/vnd.epson.msf"]= "msf",
["application/vnd.epson.quickanime"]= "qam",
["application/vnd.epson.salt"]= "slt",
["application/vnd.epson.ssf"]= "ssf",
["application/vnd.eszigno3+xml"]= "es3",
["application/vnd.ezpix-album"]= "ez2",
["application/vnd.ezpix-package"]= "ez3",
["application/vnd.fdf"]= "fdf",
["application/vnd.fdsn.mseed"]= "mseed",
["application/vnd.fdsn.seed"]= "seed",
["application/vnd.flographit"]= "gph",
["application/vnd.fluxtime.clip"]= "ftc",
["application/vnd.framemaker"]= "fm",
["application/vnd.frogans.fnc"]= "fnc",
["application/vnd.frogans.ltf"]= "ltf",
["application/vnd.fsc.weblaunch"]= "fsc",
["application/vnd.fujitsu.oasys"]= "oas",
["application/vnd.fujitsu.oasys2"]= "oa2",
["application/vnd.fujitsu.oasys3"]= "oa3",
["application/vnd.fujitsu.oasysgp"]= "fg5",
["application/vnd.fujitsu.oasysprs"]= "bh2",
["application/vnd.fujixerox.ddd"]= "ddd",
["application/vnd.fujixerox.docuworks"]= "xdw",
["application/vnd.fujixerox.docuworks.binder"]= "xbd",
["application/vnd.fuzzysheet"]= "fzs",
["application/vnd.genomatix.tuxedo"]= "txd",
["application/vnd.geogebra.file"]= "ggb",
["application/vnd.geogebra.tool"]= "ggt",
["application/vnd.geometry-explorer"]= "gex",
["application/vnd.geonext"]= "gxt",
["application/vnd.geoplan"]= "g2w",
["application/vnd.geospace"]= "g3w",
["application/vnd.gmx"]= "gmx",
["application/vnd.google-earth.kml+xml"]= "kml",
["application/vnd.google-earth.kmz"]= "kmz",
["application/vnd.grafeq"]= "gqf",
["application/vnd.groove-account"]= "gac",
["application/vnd.groove-help"]= "ghf",
["application/vnd.groove-identity-message"]= "gim",
["application/vnd.groove-injector"]= "grv",
["application/vnd.groove-tool-message"]= "gtm",
["application/vnd.groove-tool-template"]= "tpl",
["application/vnd.groove-vcard"]= "vcg",
["application/vnd.hal+xml"]= "hal",
["application/vnd.handheld-entertainment+xml"]= "zmm",
["application/vnd.hbci"]= "hbci",
["application/vnd.hhe.lesson-player"]= "les",
["application/vnd.hp-hpgl"]= "hpgl",
["application/vnd.hp-hpid"]= "hpid",
["application/vnd.hp-hps"]= "hps",
["application/vnd.hp-jlyt"]= "jlt",
["application/vnd.hp-pcl"]= "pcl",
["application/vnd.hp-pclxl"]= "pclxl",
["application/vnd.hydrostatix.sof-data"]= "sfd-hdstx",
["application/vnd.ibm.minipay"]= "mpy",
["application/vnd.ibm.modcap"]= "afp",
["application/vnd.ibm.rights-management"]= "irm",
["application/vnd.ibm.secure-container"]= "sc",
["application/vnd.iccprofile"]= "icc",
["application/vnd.igloader"]= "igl",
["application/vnd.immervision-ivp"]= "ivp",
["application/vnd.immervision-ivu"]= "ivu",
["application/vnd.insors.igm"]= "igm",
["application/vnd.intercon.formnet"]= "xpw",
["application/vnd.intergeo"]= "i2g",
["application/vnd.intu.qbo"]= "qbo",
["application/vnd.intu.qfx"]= "qfx",
["application/vnd.ipunplugged.rcprofile"]= "rcprofile",
["application/vnd.irepository.package+xml"]= "irp",
["application/vnd.is-xpr"]= "xpr",
["application/vnd.isac.fcs"]= "fcs",
["application/vnd.jam"]= "jam",
["application/vnd.jcp.javame.midlet-rms"]= "rms",
["application/vnd.jisp"]= "jisp",
["application/vnd.joost.joda-archive"]= "joda",
["application/vnd.kahootz"]= "ktz",
["application/vnd.kde.karbon"]= "karbon",
["application/vnd.kde.kchart"]= "chrt",
["application/vnd.kde.kformula"]= "kfo",
["application/vnd.kde.kivio"]= "flw",
["application/vnd.kde.kontour"]= "kon",
["application/vnd.kde.kpresenter"]= "kpt",
["application/vnd.kde.kspread"]= "ksp",
["application/vnd.kde.kword"]= "kwd",
["application/vnd.kenameaapp"]= "htke",
["application/vnd.kidspiration"]= "kia",
["application/vnd.kinar"]= "kne",
["application/vnd.koan"]= "skd",
["application/vnd.kodak-descriptor"]= "sse",
["application/vnd.las.las+xml"]= "lasxml",
["application/vnd.llamagraphics.life-balance.desktop"]= "lbd",
["application/vnd.llamagraphics.life-balance.exchange+xml"]= "lbe",
["application/vnd.lotus-1-2-3"]= "123",
["application/vnd.lotus-approach"]= "apr",
["application/vnd.lotus-freelance"]= "pre",
["application/vnd.lotus-notes"]= "nsf",
["application/vnd.lotus-organizer"]= "org",
["application/vnd.lotus-screencam"]= "scm",
["application/vnd.lotus-wordpro"]= "lwp",
["application/vnd.macports.portpkg"]= "portpkg",
["application/vnd.mcd"]= "mcd",
["application/vnd.medcalcdata"]= "mc1",
["application/vnd.mediastation.cdkey"]= "cdkey",
["application/vnd.mfer"]= "mwf",
["application/vnd.mfmp"]= "mfm",
["application/vnd.micrografx.flo"]= "flo",
["application/vnd.micrografx.igx"]= "igx",
["application/vnd.microsoft.portable-executable"]= "exe",
["application/vnd.mif"]= "mif",
["application/vnd.mobius.daf"]= "daf",
["application/vnd.mobius.dis"]= "dis",
["application/vnd.mobius.mbk"]= "mbk",
["application/vnd.mobius.mqy"]= "mqy",
["application/vnd.mobius.msl"]= "msl",
["application/vnd.mobius.plc"]= "plc",
["application/vnd.mobius.txf"]= "txf",
["application/vnd.mophun.application"]= "mpn",
["application/vnd.mophun.certificate"]= "mpc",
["application/vnd.mozilla.xul+xml"]= "xul",
["application/vnd.ms-artgalry"]= "cil",
["application/vnd.ms-cab-compressed"]= "cab",
["application/vnd.ms-excel"]= "xls",
["application/vnd.ms-excel.addin.macroEnabled.12"]= "xlam",
["application/vnd.ms-excel.addin.macroenabled.12"]= "xlam",
["application/vnd.ms-excel.sheet.binary.macroEnabled.12"]= "xlsb",
["application/vnd.ms-excel.sheet.binary.macroenabled.12"]= "xlsb",
["application/vnd.ms-excel.sheet.macroEnabled.12"]= "xlsm",
["application/vnd.ms-excel.sheet.macroenabled.12"]= "xlsm",
["application/vnd.ms-excel.template.macroEnabled.12"]= "xltm",
["application/vnd.ms-excel.template.macroenabled.12"]= "xltm",
["application/vnd.ms-fontobject"]= "eot",
["application/vnd.ms-htmlhelp"]= "chm",
["application/vnd.ms-ims"]= "ims",
["application/vnd.ms-lrm"]= "lrm",
["application/vnd.ms-mediapackage"]= "mpf",
["application/vnd.ms-office.calx"]= "calx",
["application/vnd.ms-officetheme"]= "thmx",
["application/vnd.ms-outlook"]= "msg",
["application/vnd.ms-pki.certstore"]= "sst",
["application/vnd.ms-pki.pko"]= "pko",
["application/vnd.ms-pki.seccat"]= "cat",
["application/vnd.ms-pki.stl"]= "stl",
["application/vnd.ms-powerpoint"]= "ppt",
["application/vnd.ms-powerpoint.addin.macroEnabled.12"]= "ppam",
["application/vnd.ms-powerpoint.addin.macroenabled.12"]= "ppam",
["application/vnd.ms-powerpoint.presentation.macroEnabled.12"]= "pptm",
["application/vnd.ms-powerpoint.presentation.macroenabled.12"]= "pptm",
["application/vnd.ms-powerpoint.slide.macroEnabled.12"]= "sldm",
["application/vnd.ms-powerpoint.slide.macroenabled.12"]= "sldm",
["application/vnd.ms-powerpoint.slideshow.macroEnabled.12"]= "ppsm",
["application/vnd.ms-powerpoint.slideshow.macroenabled.12"]= "ppsm",
["application/vnd.ms-powerpoint.template.macroEnabled.12"]= "potm",
["application/vnd.ms-powerpoint.template.macroenabled.12"]= "potm",
["application/vnd.ms-project"]= "mpt",
["application/vnd.ms-visio.viewer"]= "vdx",
["application/vnd.ms-word.document.macroEnabled.12"]= "docm",
["application/vnd.ms-word.document.macroenabled.12"]= "docm",
["application/vnd.ms-word.template.macroEnabled.12"]= "dotm",
["application/vnd.ms-word.template.macroenabled.12"]= "dotm",
["application/vnd.ms-works"]= "wks",
["application/vnd.ms-wpl"]= "wpl",
["application/vnd.ms-xpsdocument"]= "xps",
["application/vnd.mseq"]= "mseq",
["application/vnd.musician"]= "mus",
["application/vnd.muvee.style"]= "msty",
["application/vnd.mynfc"]= "taglet",
["application/vnd.neurolanguage.nlu"]= "nlu",
["application/vnd.nitf"]= "nitf",
["application/vnd.noblenet-directory"]= "nnd",
["application/vnd.noblenet-sealer"]= "nns",
["application/vnd.noblenet-web"]= "nnw",
["application/vnd.nokia.n-gage.data"]= "ngdat",
["application/vnd.nokia.n-gage.symbian.install"]= "n-gage",
["application/vnd.nokia.radio-preset"]= "rpst",
["application/vnd.nokia.radio-presets"]= "rpss",
["application/vnd.novadigm.edm"]= "edm",
["application/vnd.novadigm.edx"]= "edx",
["application/vnd.novadigm.ext"]= "ext",
["application/vnd.oasis.opendocument.chart"]= "odc",
["application/vnd.oasis.opendocument.chart-template"]= "otc",
["application/vnd.oasis.opendocument.database"]= "odb",
["application/vnd.oasis.opendocument.formula"]= "odf",
["application/vnd.oasis.opendocument.formula-template"]= "odft",
["application/vnd.oasis.opendocument.graphics"]= "odg",
["application/vnd.oasis.opendocument.graphics-template"]= "otg",
["application/vnd.oasis.opendocument.image"]= "odi",
["application/vnd.oasis.opendocument.image-template"]= "oti",
["application/vnd.oasis.opendocument.presentation"]= "odp",
["application/vnd.oasis.opendocument.presentation-template"]= "otp",
["application/vnd.oasis.opendocument.spreadsheet"]= "ods",
["application/vnd.oasis.opendocument.spreadsheet-template"]= "ots",
["application/vnd.oasis.opendocument.text"]= "odt",
["application/vnd.oasis.opendocument.text-master"]= "odm",
["application/vnd.oasis.opendocument.text-template"]= "ott",
["application/vnd.oasis.opendocument.text-web"]= "oth",
["application/vnd.olpc-sugar"]= "xo",
["application/vnd.oma.dd2+xml"]= "dd2",
["application/vnd.openofficeorg.extension"]= "oxt",
["application/vnd.openxmlformats-officedocument.presentationml.presentation"]= "pptx",
["application/vnd.openxmlformats-officedocument.presentationml.slide"]= "sldx",
["application/vnd.openxmlformats-officedocument.presentationml.slideshow"]= "ppsx",
["application/vnd.openxmlformats-officedocument.presentationml.template"]= "potx",
["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"]= "xlsx",
["application/vnd.openxmlformats-officedocument.spreadsheetml.template"]= "xltx",
["application/vnd.openxmlformats-officedocument.wordprocessingml.document"]= "docx",
["application/vnd.openxmlformats-officedocument.wordprocessingml.template"]= "dotx",
["application/vnd.osgeo.mapguide.package"]= "mgp",
["application/vnd.osgi.dp"]= "dp",
["application/vnd.osgi.subsystem"]= "esa",
["application/vnd.palm"]= "pdb",
["application/vnd.pawaafile"]= "paw",
["application/vnd.pg.format"]= "str",
["application/vnd.pg.osasli"]= "ei6",
["application/vnd.picsel"]= "efif",
["application/vnd.pmi.widget"]= "wg",
["application/vnd.pocketlearn"]= "plf",
["application/vnd.powerbuilder6"]= "pbd",
["application/vnd.previewsystems.box"]= "box",
["application/vnd.proteus.magazine"]= "mgz",
["application/vnd.publishare-delta-tree"]= "qps",
["application/vnd.pvi.ptid1"]= "ptid",
["application/vnd.quark.quarkxpress"]= "qxt",
["application/vnd.realvnc.bed"]= "bed",
["application/vnd.recordare.musicxml"]= "mxl",
["application/vnd.recordare.musicxml+xml"]= "musicxml",
["application/vnd.rig.cryptonote"]= "cryptonote",
["application/vnd.rim.cod"]= "cod",
["application/vnd.rn-realmedia"]= "rm",
["application/vnd.rn-realmedia-vbr"]= "rmvb",
["application/vnd.rn-rn_music_package"]= "rmp",
["application/vnd.route66.link66+xml"]= "link66",
["application/vnd.sailingtracker.track"]= "st",
["application/vnd.seemail"]= "see",
["application/vnd.sema"]= "sema",
["application/vnd.semd"]= "semd",
["application/vnd.semf"]= "semf",
["application/vnd.shana.informed.formdata"]= "ifm",
["application/vnd.shana.informed.formtemplate"]= "itp",
["application/vnd.shana.informed.interchange"]= "iif",
["application/vnd.shana.informed.package"]= "ipk",
["application/vnd.simtech-mindmapper"]= "twd",
["application/vnd.smaf"]= "mmf",
["application/vnd.smart.teacher"]= "teacher",
["application/vnd.solent.sdkm+xml"]= "sdkm",
["application/vnd.spotfire.dxp"]= "dxp",
["application/vnd.spotfire.sfs"]= "sfs",
["application/vnd.stardivision.calc"]= "sdc",
["application/vnd.stardivision.draw"]= "sda",
["application/vnd.stardivision.impress"]= "sdd",
["application/vnd.stardivision.math"]= "smf",
["application/vnd.stardivision.writer"]= "sdw",
["application/vnd.stardivision.writer-global"]= "sgl",
["application/vnd.stepmania.package"]= "smzip",
["application/vnd.stepmania.stepchart"]= "sm",
["application/vnd.sun.xml.calc"]= "sxc",
["application/vnd.sun.xml.calc.template"]= "stc",
["application/vnd.sun.xml.draw"]= "sxd",
["application/vnd.sun.xml.draw.template"]= "std",
["application/vnd.sun.xml.impress"]= "sxi",
["application/vnd.sun.xml.impress.template"]= "sti",
["application/vnd.sun.xml.math"]= "sxm",
["application/vnd.sun.xml.writer"]= "sxw",
["application/vnd.sun.xml.writer.global"]= "sxg",
["application/vnd.sun.xml.writer.template"]= "stw",
["application/vnd.sus-calendar"]= "sus",
["application/vnd.svd"]= "svd",
["application/vnd.symbian.install"]= "sis",
["application/vnd.syncml+xml"]= "xsm",
["application/vnd.syncml.dm+wbxml"]= "bdm",
["application/vnd.syncml.dm+xml"]= "xdm",
["application/vnd.tao.intent-module-archive"]= "tao",
["application/vnd.tcpdump.pcap"]= "pcap",
["application/vnd.tmobile-livetv"]= "tmo",
["application/vnd.trid.tpt"]= "tpt",
["application/vnd.triscape.mxs"]= "mxs",
["application/vnd.trueapp"]= "tra",
["application/vnd.ufdl"]= "ufdl",
["application/vnd.uiq.theme"]= "utz",
["application/vnd.umajin"]= "umj",
["application/vnd.unity"]= "unityweb",
["application/vnd.uoml+xml"]= "uoml",
["application/vnd.vcx"]= "vcx",
["application/vnd.visio"]= "vsd",
["application/vnd.visionary"]= "vis",
["application/vnd.vsf"]= "vsf",
["application/vnd.wap.wbxml"]= "wbxml",
["application/vnd.wap.wmlc"]= "wmlc",
["application/vnd.wap.wmlscriptc"]= "wmlsc",
["application/vnd.webturbo"]= "wtb",
["application/vnd.wolfram.player"]= "nbp",
["application/vnd.wordperfect"]= "wpd",
["application/vnd.wqd"]= "wqd",
["application/vnd.wt.stf"]= "stf",
["application/vnd.xara"]= "xar",
["application/vnd.xfdl"]= "xfdl",
["application/vnd.yamaha.hv-dic"]= "hvd",
["application/vnd.yamaha.hv-script"]= "hvs",
["application/vnd.yamaha.hv-voice"]= "hvp",
["application/vnd.yamaha.openscoreformat"]= "osf",
["application/vnd.yamaha.openscoreformat.osfpvg+xml"]= "osfpvg",
["application/vnd.yamaha.smaf-audio"]= "saf",
["application/vnd.yamaha.smaf-phrase"]= "spf",
["application/vnd.yellowriver-custom-menu"]= "cmp",
["application/vnd.zul"]= "zir",
["application/vnd.zzazz.deck+xml"]= "zaz",
["application/voicexml+xml"]= "vxml",
["application/vsix"]= "vsix",
["application/wasm"]= "wasm",
["application/widget"]= "wgt",
["application/windows-library+xml"]= "library-ms",
["application/windows-search-connector+xml"]= "searchConnector-ms",
["application/winhlp"]= "hlp",
["application/wlmoviemaker"]= "WLMP",
["application/wsdl+xml"]= "wsdl",
["application/wspolicy+xml"]= "wspolicy",
["application/x-7z-compressed"]= "7z",
["application/x-abiword"]= "abw",
["application/x-ace-compressed"]= "ace",
["application/x-apple-diskimage"]= "dmg",
["application/x-authorware-bin"]= "aab",
["application/x-authorware-map"]= "aam",
["application/x-authorware-seg"]= "aas",
["application/x-bcpio"]= "bcpio",
["application/x-bittorrent"]= "torrent",
["application/x-blorb"]= "blorb",
["application/x-bridge-url"]= "adobebridge",
["application/x-bzip"]= "bz",
["application/x-bzip2"]= "bz2",
["application/x-cbr"]= "cbr",
["application/x-cdlink"]= "vcd",
["application/x-cfs-compressed"]= "cfs",
["application/x-chat"]= "chat",
["application/x-chess-pgn"]= "pgn",
["application/x-compress"]= "z",
["application/x-compressed"]= "tgz",
["application/x-conference"]= "nsc",
["application/x-cpio"]= "cpio",
["application/x-csh"]= "csh",
["application/x-debian-package"]= "deb",
["application/x-dgc-compressed"]= "dgc",
["application/x-director"]= "dir",
["application/x-doom"]= "wad",
["application/x-dosexec"]= "exe",
["application/x-dtbncx+xml"]= "ncx",
["application/x-dtbook+xml"]= "dtb",
["application/x-dtbresource+xml"]= "res",
["application/x-dvi"]= "dvi",
["application/x-dxf"]= "dxf",
["application/x-elf"]= "elf",
["application/x-envoy"]= "evy",
["application/x-eva"]= "eva",
["application/x-executable"]= "exe",
["application/x-font-bdf"]= "bdf",
["application/x-font-ghostscript"]= "gsf",
["application/x-font-linux-psf"]= "psf",
["application/x-font-pcf"]= "pcf",
["application/x-font-snf"]= "snf",
["application/x-font-type1"]= "pfm",
["application/x-freearc"]= "arc",
["application/x-futuresplash"]= "spl",
["application/x-gca-compressed"]= "gca",
["application/x-glulx"]= "ulx",
["application/x-gnumeric"]= "gnumeric",
["application/x-gramps-xml"]= "gramps",
["application/x-gtar"]= "gtar",
["application/x-gzip"]= "gz",
["application/x-hdf"]= "hdf",
["application/x-install-instructions"]= "install",
["application/x-internet-signup"]= "isp",
["application/x-iphone"]= "iii",
["application/x-iso9660-image"]= "iso",
["application/x-itunes-ipa"]= "ipa",
["application/x-itunes-ipg"]= "ipg",
["application/x-itunes-ipsw"]= "ipsw",
["application/x-itunes-ite"]= "ite",
["application/x-itunes-itlp"]= "itlp",
["application/x-itunes-itms"]= "itms",
["application/x-itunes-itpc"]= "itpc",
["application/x-java-applet"]= "class",
["application/x-java-jnlp-file"]= "jnlp",
["application/x-koan"]= "skp",
["application/x-latex"]= "latex",
["application/x-lzh-compressed"]= "lzh",
["application/x-mie"]= "mie",
["application/x-miva-compiled"]= "mvc",
["application/x-mmxp"]= "mxp",
["application/x-mobipocket-ebook"]= "mobi",
["application/x-ms-application"]= "application",
["application/x-ms-installer"]= "msi",
["application/x-ms-license"]= "slupkg-ms",
["application/x-ms-manifest"]= "manifest",
["application/x-ms-reader"]= "lit",
["application/x-ms-shortcut"]= "lnk",
["application/x-ms-vsto"]= "vsto",
["application/x-ms-wmd"]= "wmd",
["application/x-ms-wmz"]= "wmz",
["application/x-ms-xbap"]= "xbap",
["application/x-msaccess"]= "mdb",
["application/x-msbinder"]= "obd",
["application/x-mscardfile"]= "crd",
["application/x-msclip"]= "clp",
["application/x-msdos-program"]= "exe",
["application/x-msdownload"]= "exe",
["application/x-msmediaview"]= "mvb",
["application/x-msmetafile"]= "wmf",
["application/x-msmoney"]= "mny",
["application/x-mspublisher"]= "pub",
["application/x-msschedule"]= "scd",
["application/x-msterminal"]= "trm",
["application/x-mswrite"]= "wri",
["application/x-netcdf"]= "cdf",
["application/x-nzb"]= "nzb",
["application/x-oleobject"]= "hhc",
["application/x-pcapng"]= "pcap",
["application/x-pe-app-32bit-i386"]= "exe",
["application/x-perfmon"]= "pmw",
["application/x-perl"]= "pl",
["application/x-pkcs12"]= "p12",
["application/x-pkcs7-certificates"]= "p7b",
["application/x-pkcs7-certreqresp"]= "p7r",
["application/x-podcast"]= "pcast",
["application/x-python"]= "py",
["application/x-quicktimeplayer"]= "qtl",
["application/x-rar-compressed"]= "rar",
["application/x-research-info-systems"]= "ris",
["application/x-safari-safariextz"]= "safariextz",
["application/x-safari-webarchive"]= "webarchive",
["application/x-sgimb"]= "sgimb",
["application/x-sh"]= "sh",
["application/x-shar"]= "shar",
["application/x-sharedlib"]= "lib",
["application/x-shockwave-flash"]= "swf",
["application/x-silverlight-app"]= "xap",
["application/x-smaf"]= "mmf",
["application/x-sql"]= "sql",
["application/x-stuffit"]= "sit",
["application/x-stuffitx"]= "sitx",
["application/x-subrip"]= "srt",
["application/x-sv4cpio"]= "sv4cpio",
["application/x-sv4crc"]= "sv4crc",
["application/x-t3vm-image"]= "t3",
["application/x-tads"]= "gam",
["application/x-tar"]= "tar",
["application/x-tcl"]= "tcl",
["application/x-tex"]= "tex",
["application/x-tex-tfm"]= "tfm",
["application/x-texinfo"]= "texinfo",
["application/x-tgif"]= "obj",
["application/x-troff"]= "tr",
["application/x-troff-man"]= "man",
["application/x-troff-me"]= "me",
["application/x-troff-ms"]= "ms",
["application/x-ustar"]= "ustar",
["application/x-wais-source"]= "src",
["application/x-wlpg-detect"]= "wlpginstall",
["application/x-wlpg3-detect"]= "wlpginstall3",
["application/x-x509-ca-cert"]= "crt",
["application/x-xfig"]= "fig",
["application/x-xliff+xml"]= "xlf",
["application/x-xpinstall"]= "xpi",
["application/x-xz"]= "xz",
["application/x-zip-compressed"]= "zip",
["application/x-zmachine"]= "z1",
["application/xaml+xml"]= "xaml",
["application/xcap-diff+xml"]= "xdf",
["application/xenc+xml"]= "xenc",
["application/xhtml+xml"]= "xhtml",
["application/xml"]= "xml",
["application/xml-dtd"]= "dtd",
["application/xop+xml"]= "xop",
["application/xproc+xml"]= "xpl",
["application/xslt+xml"]= "xslt",
["application/xspf+xml"]= "xspf",
["application/xv+xml"]= "xvml",
["application/yang"]= "yang",
["application/yin+xml"]= "yin",
["application/zip"]= "zip",
["audio/aac"]= "aac",
["audio/ac3"]= "ac3",
["audio/adpcm"]= "adp",
["audio/aiff"]= "aiff",
["audio/annodex"]= "axa",
["audio/audible"]= "aa",
["audio/basic"]= "au",
["audio/flac"]= "flac",
["audio/m4a"]= "m4a",
["audio/m4b"]= "m4b",
["audio/m4p"]= "m4p",
["audio/mid"]= "midi",
["audio/midi"]= "midi",
["audio/mp4"]= "m4a",
["audio/mpeg"]= "mp3",
["audio/ogg"]= "ogg",
["audio/s3m"]= "s3m",
["audio/scpls"]= "pls",
["audio/silk"]= "sil",
["audio/vnd.audible.aax"]= "aax",
["audio/vnd.dece.audio"]= "uva",
["audio/vnd.digital-winds"]= "eol",
["audio/vnd.dlna.adts"]= "ADT",
["audio/vnd.dra"]= "dra",
["audio/vnd.dts"]= "dts",
["audio/vnd.dts.hd"]= "dtshd",
["audio/vnd.lucent.voice"]= "lvp",
["audio/vnd.ms-playready.media.pya"]= "pya",
["audio/vnd.nuera.ecelp4800"]= "ecelp4800",
["audio/vnd.nuera.ecelp7470"]= "ecelp7470",
["audio/vnd.nuera.ecelp9600"]= "ecelp9600",
["audio/vnd.rip"]= "rip",
["audio/wav"]= "wav",
["audio/webm"]= "weba",
["audio/x-aac"]= "aac",
["audio/x-aiff"]= "aiff",
["audio/x-caf"]= "caf",
["audio/x-flac"]= "flac",
["audio/x-gsm"]= "gsm",
["audio/x-m4a"]= "m4a",
["audio/x-m4r"]= "m4r",
["audio/x-matroska"]= "mka",
["audio/x-mpegurl"]= "m3u",
["audio/x-ms-wax"]= "wax",
["audio/x-ms-wma"]= "wma",
["audio/x-pn-realaudio"]= "ra",
["audio/x-pn-realaudio-plugin"]= "rmp",
["audio/x-sd2"]= "sd2",
["audio/x-smd"]= "smd",
["audio/x-wav"]= "wav",
["audio/xm"]= "xm",
["chemical/x-cdx"]= "cdx",
["chemical/x-cif"]= "cif",
["chemical/x-cmdf"]= "cmdf",
["chemical/x-cml"]= "cml",
["chemical/x-csml"]= "csml",
["chemical/x-xyz"]= "xyz",
["drawing/x-dwf"]= "dwf",
["font/collection"]= "ttc",
["font/otf"]= "otf",
["font/ttf"]= "ttf",
["font/woff"]= "woff",
["font/woff2"]= "woff2",
["image/bmp"]= "bmp",
["image/cgm"]= "cgm",
["image/cis-cod"]= "cod",
["image/g3fax"]= "g3",
["image/gif"]= "gif",
["image/ief"]= "ief",
["image/jpeg"]= "jpg",
["image/ktx"]= "ktx",
["image/pict"]= "pict",
["image/pjpeg"]= "jfif",
["image/png"]= "png",
["image/prs.btif"]= "btif",
["image/sgi"]= "sgi",
["image/svg+xml"]= "svg",
["image/tiff"]= "tiff",
["image/vnd.adobe.photoshop"]= "psd",
["image/vnd.dece.graphic"]= "uvg",
["image/vnd.djvu"]= "djvu",
["image/vnd.dvb.subtitle"]= "sub",
["image/vnd.dwg"]= "dwg",
["image/vnd.dxf"]= "dxf",
["image/vnd.fastbidsheet"]= "fbs",
["image/vnd.fpx"]= "fpx",
["image/vnd.fst"]= "fst",
["image/vnd.fujixerox.edmics-mmr"]= "mmr",
["image/vnd.fujixerox.edmics-rlc"]= "rlc",
["image/vnd.ms-modi"]= "mdi",
["image/vnd.ms-photo"]= "wdp",
["image/vnd.net-fpx"]= "npx",
["image/vnd.rn-realflash"]= "rf",
["image/vnd.wap.wbmp"]= "wbmp",
["image/vnd.xiff"]= "xif",
["image/webp"]= "webp",
["image/x-3ds"]= "3ds",
["image/x-cmu-raster"]= "ras",
["image/x-cmx"]= "cmx",
["image/x-freehand"]= "fh",
["image/x-gif"]= "gif",
["image/x-icon"]= "ico",
["image/x-jg"]= "art",
["image/x-jpeg"]= "jpg",
["image/x-macpaint"]= "mac",
["image/x-mrsid-image"]= "sid",
["image/x-pcx"]= "pcx",
["image/x-pict"]= "pic",
["image/x-png"]= "png",
["image/x-portable-anymap"]= "pnm",
["image/x-portable-bitmap"]= "pbm",
["image/x-portable-graymap"]= "pgm",
["image/x-portable-pixmap"]= "ppm",
["image/x-quicktime"]= "qti",
["image/x-rgb"]= "rgb",
["image/x-tga"]= "tga",
["image/x-xbitmap"]= "xbm",
["image/x-xpixmap"]= "xpm",
["image/x-xwindowdump"]= "xwd",
["message/rfc822"]= "eml",
["model/iges"]= "iges",
["model/mesh"]= "mesh",
["model/vnd.collada+xml"]= "dae",
["model/vnd.dwf"]= "dwf",
["model/vnd.gdl"]= "gdl",
["model/vnd.gtw"]= "gtw",
["model/vnd.mts"]= "mts",
["model/vnd.vtu"]= "vtu",
["model/vrml"]= "vrml",
["model/x3d+binary"]= "x3db",
["model/x3d+vrml"]= "x3dv",
["model/x3d+xml"]= "x3d",
["text/cache-manifest"]= "appcache",
["text/calendar"]= "ics",
["text/css"]= "css",
["text/csv"]= "csv",
["text/dlm"]= "dlm",
["text/h323"]= "323",
["text/html"]= "html",
["text/iuls"]= "uls",
["text/jscript"]= "jsx",
["text/n3"]= "n3",
["text/plain"]= "txt",
["text/prs.lines.tag"]= "dsc",
["text/richtext"]= "rtx",
["text/rtf"]= "rtf",
["text/scriptlet"]= "sct",
["text/sgml"]= "sgml",
["text/tab-separated-values"]= "tsv",
["text/troff"]= "tr",
["text/uri-list"]= "uri",
["text/vbscript"]= "vbs",
["text/vcard"]= "vcard",
["text/vnd.curl"]= "curl",
["text/vnd.curl.dcurl"]= "dcurl",
["text/vnd.curl.mcurl"]= "mcurl",
["text/vnd.curl.scurl"]= "scurl",
["text/vnd.dvb.subtitle"]= "sub",
["text/vnd.fly"]= "fly",
["text/vnd.fmi.flexstor"]= "flx",
["text/vnd.graphviz"]= "gv",
["text/vnd.in3d.3dml"]= "3dml",
["text/vnd.in3d.spot"]= "spot",
["text/vnd.sun.j2me.app-descriptor"]= "jad",
["text/vnd.wap.wml"]= "wml",
["text/vnd.wap.wmlscript"]= "wmls",
["text/vtt"]= "vtt",
["text/webviewhtml"]= "htt",
["text/x-asm"]= "asm",
["text/x-c"]= "c",
["text/x-component"]= "htc",
["text/x-fortran"]= "f",
["text/x-hdml"]= "hdml",
["text/x-html-insertion"]= "qhtm",
["text/x-java-source"]= "java",
["text/x-ms-contact"]= "contact",
["text/x-ms-group"]= "group",
["text/x-ms-iqy"]= "iqy",
["text/x-ms-rqy"]= "rqy",
["text/x-nfo"]= "nfo",
["text/x-opml"]= "opml",
["text/x-pascal"]= "pas",
["text/x-setext"]= "etx",
["text/x-sfv"]= "sfv",
["text/x-uuencode"]= "uu",
["text/x-vcalendar"]= "vcs",
["text/x-vcard"]= "vcf",
["text/xml"]= "xml",
["video/3gpp"]= "3gp",
["video/3gpp2"]= "3g2",
["video/annodex"]= "axv",
["video/divx"]= "divx",
["video/h261"]= "h261",
["video/h263"]= "h263",
["video/h264"]= "h264",
["video/jpeg"]= "jpgv",
["video/jpm"]= "jpm",
["video/mj2"]= "mj2",
["video/mp4"]= "mp4",
["video/mpeg"]= "mpg",
["video/ogg"]= "ogv",
["video/quicktime"]= "mov",
["video/vnd.dece.hd"]= "uvh",
["video/vnd.dece.mobile"]= "uvm",
["video/vnd.dece.pd"]= "uvp",
["video/vnd.dece.sd"]= "uvs",
["video/vnd.dece.video"]= "uvv",
["video/vnd.dlna.mpeg-tts"]= "m2t",
["video/vnd.dvb.file"]= "dvb",
["video/vnd.fvt"]= "fvt",
["video/vnd.mpegurl"]= "m4u",
["video/vnd.ms-playready.media.pyv"]= "pyv",
["video/vnd.uvvu.mp4"]= "uvu",
["video/vnd.vivo"]= "viv",
["video/webm"]= "webm",
["video/x-dv"]= "dv",
["video/x-f4v"]= "f4v",
["video/x-fli"]= "fli",
["video/x-flv"]= "flv",
["video/x-ivf"]= "IVF",
["video/x-la-asf"]= "lsf",
["video/x-m4v"]= "m4v",
["video/x-matroska"]= "mkv",
["video/x-matroska-3d"]= "mk3d",
["video/x-mng"]= "mng",
["video/x-ms-asf"]= "asf",
["video/x-ms-vob"]= "vob",
["video/x-ms-wm"]= "wm",
["video/x-ms-wmp"]= "wmp",
["video/x-ms-wmv"]= "wmv",
["video/x-ms-wmx"]= "wmx",
["video/x-ms-wvx"]= "wvx",
["video/x-msvideo"]= "avi",
["video/x-sgi-movie"]= "movie",
["video/x-smv"]= "smv",
["x-conference/x-cooltalk"]= "ice",
["x-world/x-vrml"]= "wrl"
} &default="bin" &redef;
}


@@ -0,0 +1,123 @@
module Best_Guess;
# given an input map file with the following format:
# proto dport sport name category
# (see https://docs.zeek.org/en/master/frameworks/input.html#reading-data-into-tables
# for details on how the table is loaded),
# load up the table on zeek_init and for each connection_state_remove
# make a "best guess" of protocols based on proto+dport+sport.
# Best guesses are written to bestguess according to Best_Guess::Info
# Table key is transport protocol + destination port + source port
# Zeek will segfault if there is an unset value ('-') in the key,
# so use unknown_transport and 0 for protocol and ports, respectively,
# if they are not defined in the lookup.
type Best_Guess_Key: record {
proto: transport_proto &optional;
dport: count &optional;
sport: count &optional;
};
# Other table values include name, category.
type Best_Guess_Value: record {
name: string &optional;
category: string &optional;
};
export {
redef enum Log::ID += { BEST_GUESS_LOG };
#############################################################################
# This is the format of bestguess.log
type Info: record {
# Timestamp for when the event happened.
ts: time &log;
# Unique ID for the connection.
uid: string &log;
# The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
# transport protocol
proto: transport_proto &log &optional;
# protocol guess values for log
name: string &log &optional;
category: string &log &optional;
# originating structure containing guess info
guess_info: Best_Guess_Value &optional;
};
# Event that can be handled to access the record as it is sent on to the logging framework.
global log_best_guess: event(rec: Best_Guess::Info);
}
# lookup table of Best_Guess_Key -> Best_Guess_Value to be loaded in zeek_init
global proto_guesses: table[transport_proto, count, count] of Best_Guess_Value = table();
# filespec containing best guess mappings
global guest_map_filespec : string = @DIR + "/guess_ics_map.txt";
#############################################################################
event zeek_init() &priority=5 {
# populate the lookup table from guest_map_filespec and then clean up the intermediate source
Input::add_table([$source=guest_map_filespec, $name="guess_ics_map",
$idx=Best_Guess_Key, $val=Best_Guess_Value,
$destination=proto_guesses, $want_record=T]);
Input::remove("guess_ics_map");
# initialize bestguess.log
Log::create_stream(Best_Guess::BEST_GUESS_LOG, [$columns=Best_Guess::Info, $ev=log_best_guess, $path="bestguess"]);
}
#############################################################################
event connection_state_remove(c: connection) {
local p = get_port_transport_proto(c$id$resp_p);
local dp = port_to_count(c$id$resp_p);
local sp = port_to_count(c$id$orig_p);
local guess = Best_Guess_Value($name="");
local category: string = "";
# 1. only check connections for which we don't already know "service"
# 2. skip ICMP, since dp and sp don't mean the same thing for ICMP
if (((!c?$service) || (|c$service| == 0)) && (p != icmp)) {
# Look up permutations of transport protocol + destination port + source port
# from more-specific to less-specific.
if ([p, dp, sp] in proto_guesses)
guess = proto_guesses[p, dp, sp];
else if ([p, dp, 0] in proto_guesses)
guess = proto_guesses[p, dp, 0];
else if ([p, 0, sp] in proto_guesses)
guess = proto_guesses[p, 0, sp];
else if ([unknown_transport, dp, sp] in proto_guesses)
guess = proto_guesses[unknown_transport, dp, sp];
else if ([unknown_transport, dp, 0] in proto_guesses)
guess = proto_guesses[unknown_transport, dp, 0];
else if ([unknown_transport, 0, sp] in proto_guesses)
guess = proto_guesses[unknown_transport, 0, sp];
# if a best guess was made based on protocol and ports, log it
if ((guess?$name) && (guess$name != "")) {
# as category may be undefined, check before accessing
if (guess?$category)
category = guess$category;
# log entry into bestguess.log
local info = Best_Guess::Info($ts=network_time(),
$uid=c$uid,
$id=c$id,
$proto=p,
$name=guess$name,
$category=category,
$guess_info=guess);
Log::write(Best_Guess::BEST_GUESS_LOG, info);
} # found guess
} # if (p != icmp)
} # connection_state_remove
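Review bot: The record's `ts` is taken from `network_time()` inside `connection_state_remove`, so bestguess.log stamps every guess with the moment the connection was expired or torn down rather than its start time, which is what conn.log uses; `$ts=c$start_time,` would let an analyst line the two logs up by uid and timestamp without surprises. Because the guess is made from transport protocol and port numbers alone, an entry will also be written for unanswered or rejected probes (a scanner touching 44818/tcp yields a "Rockwell Encapsulation" guess), so a comment above the `Log::write` such as `# NOTE: port-only heuristic; also fires for half-open/rejected connections, so cross-check conn_state/history in conn.log before treating this as evidence the protocol was actually spoken` would set expectations for consumers of this log. The source-port-only fallbacks (`[p, 0, sp]` and `[unknown_transport, 0, sp]`) are the weakest tier since an ephemeral client port can collide with a mapped value; that appears deliberate given the map file, but the header comment should say so. Finally, `Input::add_table` loads asynchronously, so connections that finish before the map has been read silently get no guess; presumably acceptable for a startup-time read, but worth a one-line comment in `zeek_init`.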


@@ -0,0 +1,360 @@
#fields proto dport sport name category
unknown_transport 0 2221 Rockwell CSP Rockwell Automation
unknown_transport 0 2222 Rockwell CSP Rockwell Automation
unknown_transport 0 2223 Rockwell CSP Rockwell Automation
unknown_transport 0 5007 Mitsubishi Electronic MELSEC-Q SLAVE Mitsubishi Electric
unknown_transport 0 5413 Wonderware AVEVA
unknown_transport 0 5891 Intelligent Instrumentation EDAS Intelligent Instrumentation
unknown_transport 0 7022 CT Discovery Protocol CTDP -
unknown_transport 0 7200 Fiber Optics Data Multiplexing Services FLIP -
unknown_transport 0 7201 DLIP -
tcp 0 7700 Rockwell FactoryTalk Event Server Rockwell Automation
unknown_transport 0 7710 Rockwell FactoryTalk Directory Server Rockwell Automation
unknown_transport 0 7720 Rockwell RSViewSE Rockwell Automation
unknown_transport 0 7721 Rockwell RSViewSE Rockwell Automation
unknown_transport 0 7722 Rockwell RSViewSE HMI Activation Rockwell Automation
unknown_transport 0 9212 Server View DBMS Access -
unknown_transport 0 9213 ServerStart RemoteControl -
unknown_transport 0 23400 Novar Data Honeywell
unknown_transport 0 23401 Novar Alarm Honeywell
unknown_transport 0 23402 Novar Global Honeywell
unknown_transport 0 34963 PROFInet RT Multicast PROFIBUS and PROFINET
unknown_transport 0 34964 PROFInet Context Manager PROFIBUS and PROFINET
unknown_transport 0 44818 Rockwell Encapsulation Rockwell Automation
unknown_transport 210 0 ANSI Z39.50 -
tcp 400 0 Rockwell RSSql Transaction Manager Rockwell Automation
tcp 401 0 Rockwell RSSql Compression Server Rockwell Automation
tcp 402 0 Rockwell RSSql Configuration Server Rockwell Automation
unknown_transport 500 0 Fatek FB Series FATEK Automation
unknown_transport 554 0 RTP RTSP Streaming Protocol -
unknown_transport 789 0 Red Lion CrimsonV3 Red Lion
unknown_transport 1025 0 Mitsubishi Electronic FX Mitsubishi Electric
unknown_transport 1089 0 Rockwell Foundation Fieldbus Rockwell Automation
unknown_transport 1090 0 Rockwell Foundation Fieldbus Rockwell Automation
unknown_transport 1091 0 Rockwell Foundation Fieldbus Rockwell Automation
tcp 1132 0 Rockwell AADvance Rockwell Automation
unknown_transport 1153 0 ANSI C12.22 -
tcp 1200 0 CodeSys Gateway Server CODESYS
tcp 1330 0 Rockwell FactoryTalk Object RPC Rockwell Automation
tcp 1331 0 Rockwell FactoryTalk Service Control Rockwell Automation
tcp 1332 0 Rockwell FactoryTalk Server Health Rockwell Automation
tcp 1433 0 Rockwell FactoryTalk Asset Centre Server/VantagePoint SQL Rockwell Automation
tcp 1434 0 Rockwell FactoryTalk Asset Centre Server/VantagePoint MSSQL Rockwell Automation
unknown_transport 1541 0 Foxboro/Invensys Foxboro DCS Informix Schneider Electric
unknown_transport 1962 0 Phoenix Contact PC WORX Engineering Workstation PHOENIX CONTACT
unknown_transport 2004 0 LS FEnet LS Electric
udp 2010 0 Rockwell AADvance Discover Tool Rockwell Automation
udp 2011 0 Rockwell AADvance Discover Tool Rockwell Automation
unknown_transport 2085 0 ADA Control ADA-CIP -
unknown_transport 2198 0 OneHome Remote Access -
unknown_transport 2199 0 OneHome Service Port -
unknown_transport 2221 0 Rockwell CSP Rockwell Automation
unknown_transport 2222 0 Rockwell CSP Rockwell Automation
unknown_transport 2223 0 Rockwell CSP Rockwell Automation
tcp 2393 0 OLAP Microsoft
tcp 2394 0 OLAP Microsoft
unknown_transport 2404 0 IEC 60870-5-104 -
unknown_transport 2423 0 RNRP Redundant Network Routing ABB
tcp 2455 0 CodeSys Gateway Server CODESYS
unknown_transport 2540 0 LonWorks LonWorks
unknown_transport 2541 0 LonWorks LonWorks
unknown_transport 2729 0 TCIM Control -
unknown_transport 2757 0 CNRP Common Name Resolution Protocol -
unknown_transport 2846 0 AIMPP Hello -
unknown_transport 2847 0 AIMPP Port Req -
unknown_transport 3004 0 Hitachi EHV Series Hitachi
unknown_transport 3060 0 Rockwell FactoryTalk Directory Server File Transfer Rockwell Automation
unknown_transport 3240 0 Trio Motion Control Trio Motion Technology
unknown_transport 3250 0 HMS HICP Port HMC HMS Networks
unknown_transport 3338 0 OMF Data B ANET-B -
unknown_transport 3340 0 OMF Data M ANET-M -
unknown_transport 3341 0 OMF Data H ANET-H -
tcp 102 0 ICCP -
tcp 3480 0 OPC UA Discovery -
unknown_transport 3614 0 Schleicher Satchwell Sigma Schleicher Electronic
unknown_transport 3622 0 Rockwell FF LAN Redundancy Port Rockwell Automation
unknown_transport 3639 0 xAP Home Automation -
unknown_transport 3743 0 IP Control Systems Ltd ICS Command IP Control Systems Ltd
unknown_transport 3794 0 JAUS Robots -
unknown_transport 3820 0 Siemens AuD SCP Siemens AG
unknown_transport 3848 0 IT Environmental Monitor -
unknown_transport 3873 0 Fagor DNC Fagor Automation
unknown_transport 3875 0 PNBSCADA -
unknown_transport 3881 0 Intelligent Data Acquisition and Control IDAC -
unknown_transport 4000 0 Fisher ROC Plus Emerson Electric
tcp 4120 0 Rockwell Bizware Production Server Rockwell Automation
tcp 4121 0 Rockwell Bizware Server Manager Rockwell Automation
tcp 4122 0 Rockwell Bizware PlantMetrics Server Rockwell Automation
tcp 4123 0 Rockwell Bizware Task Manager Rockwell Automation
tcp 4124 0 Rockwell Bizware Scheduler Rockwell Automation
tcp 4125 0 Rockwell Bizware CTP Server Rockwell Automation
unknown_transport 4450 0 Common ASCII Message Protocol CAMP -
unknown_transport 4451 0 CTI System Message -
unknown_transport 4452 0 CTI Program Load -
unknown_transport 4999 0 Mitsubishi Electronic MELSEC-Q Mitsubishi Electric
udp 5000 0 Rockwell AADvance Peer to P2P Rockwell Automation
unknown_transport 5001 0 Mitsubishi Electronic FX3u Mitsubishi Electric
unknown_transport 5004 0 RTP Time Transport -
unknown_transport 5006 0 Mitsubishi Electronic MELSEC-Q MASTER Mitsubishi Electric
unknown_transport 5007 0 Mitsubishi Electronic MELSEC-Q MASTER Mitsubishi Electric
tcp 5050 0 OASyS SCADA AVEVA
unknown_transport 5050 0 Danfoss ECL Apex Danfoss
tcp 5051 0 OASyS SCADA AVEVA
tcp 5052 0 OASyS SCADA AVEVA
tcp 5065 0 OASyS SCADA AVEVA
unknown_transport 5069 0 I/NET 2000-NPR Control Systems International
unknown_transport 5413 0 Wonderware AVEVA
tcp 5450 0 Rockwell FactoryTalk PI Network Manager Rockwell Automation
tcp 5454 0 Rockwell FactoryTalk Analysis Framework Rockwell Automation
tcp 5455 0 Rockwell FactoryTalk Analysis Framework Rockwell Automation
tcp 5456 0 Rockwell FactoryTalk ACE2 Scheduler Rockwell Automation
tcp 5457 0 Rockwell FactoryTalk Asset Framework Server Rockwell Automation
tcp 5458 0 Rockwell FactoryTalk PI Notification Rockwell Automation
tcp 6543 0 Rockwell FactoryTalk Alarming Server Rockwell Automation
tcp 7002 0 Rockwell FactoryTalk Asset Centre Services Rockwell Automation
tcp 7003 0 Rockwell FactoryTalk Asset Centre Services Rockwell Automation
tcp 7004 0 Rockwell FactoryTalk Asset Centre Services Rockwell Automation
unknown_transport 7022 0 CT Discovery Protocol -
unknown_transport 7201 0 DLIP -
tcp 7600 0 Rockwell FactoryTalk Event Multiplexor Rockwell Automation
tcp 7710 0 Rockwell FactoryTalk Directory Server Rockwell Automation
tcp 8081 0 Rockwell Bizware HTTP Server Manager Rockwell Automation
tcp 8083 0 Rockwell Bizware HTTP CTP Server Rockwell Automation
unknown_transport 8500 0 Panasonic FP2 Panasonic
unknown_transport 8501 0 Keyence KV-5000 Keyence
unknown_transport 9094 0 Panasonic FP Panasonic
unknown_transport 9600 0 Omron Factory Interface Network Service OMRON
tcp 10001 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10002 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10003 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10004 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10005 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10006 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10307 0 ABB Ranger ABB
tcp 10311 0 ABB Ranger ABB
tcp 10364 0 ABB Ranger ABB
tcp 10365 0 ABB Ranger ABB
tcp 10407 0 ABB Ranger ABB
tcp 10409 0 ABB Ranger ABB
tcp 10410 0 ABB Ranger ABB
tcp 10412 0 ABB Ranger ABB
tcp 10414 0 ABB Ranger ABB
tcp 10415 0 ABB Ranger ABB
tcp 10428 0 ABB Ranger ABB
tcp 10431 0 ABB Ranger ABB
tcp 10432 0 ABB Ranger ABB
tcp 10447 0 ABB Ranger ABB
tcp 10449 0 ABB Ranger ABB
tcp 10450 0 ABB Ranger ABB
unknown_transport 11001 0 Metasys N1 Johnson Controls
tcp 12135 0 OASyS SCADA AVEVA
tcp 12136 0 OASyS SCADA AVEVA
tcp 12137 0 OASyS SCADA AVEVA
tcp 12316 0 ABB Ranger ABB
tcp 12645 0 ABB Ranger ABB
tcp 12647 0 ABB Ranger ABB
tcp 12648 0 ABB Ranger ABB
tcp 13722 0 ABB Ranger ABB
tcp 13724 0 ABB Ranger ABB
tcp 13782 0 ABB Ranger ABB
tcp 13783 0 ABB Ranger ABB
tcp 18000 0 Genesis32 GenBroker ICONICS
unknown_transport 20256 0 Unitronics Socket 1 Unitronics
unknown_transport 20257 0 Unitronics Socket 2/3 Unitronics
unknown_transport 20547 0 ProconOS KW Software
tcp 27000 0 Rockwell FlexLM Server Rockwell Automation
tcp 27001 0 Rockwell FlexLM Server Rockwell Automation
tcp 27002 0 Rockwell FlexLM Server Rockwell Automation
tcp 27003 0 Rockwell FlexLM Server Rockwell Automation
tcp 27004 0 Rockwell FlexLM Server Rockwell Automation
tcp 27005 0 Rockwell FlexLM Server Rockwell Automation
tcp 27006 0 Rockwell FlexLM Server Rockwell Automation
tcp 27007 0 Rockwell FlexLM Server Rockwell Automation
tcp 27008 0 Rockwell FlexLM Server Rockwell Automation
tcp 27009 0 Rockwell FlexLM Server Rockwell Automation
unknown_transport 28784 0 Koyo Ethernet -
unknown_transport 34962 0 PROFInet RT Unicast PROFIBUS and PROFINET
tcp 38000 0 GENe SNC
tcp 38001 0 GENe SNC
tcp 38011 0 GENe SNC
tcp 38012 0 GENe SNC
tcp 38014 0 GENe SNC
tcp 38015 0 GENe SNC
tcp 38200 0 GENe SNC
tcp 38210 0 GENe SNC
tcp 38301 0 GENe SNC
tcp 38400 0 GENe SNC
tcp 38589 0 ABB Ranger ABB
tcp 38593 0 ABB Ranger ABB
tcp 38600 0 ABB Ranger ABB
tcp 38700 0 GENe SNC
tcp 38971 0 ABB Ranger ABB
tcp 39129 0 ABB Ranger ABB
tcp 39278 0 ABB Ranger ABB
unknown_transport 44818 0 Rockwell Encapsulation Rockwell Automation
unknown_transport 45678 0 Foxboro/Invensys Foxboro DCS AIMAPI Schneider Electric
tcp 49281 0 Rockwell FactoryTalk Live Data/SE HMI Tag Server Rockwell Automation
tcp 50001 0 Siemens Spectrum Power TG Siemens AG
tcp 50002 0 Siemens Spectrum Power TG Siemens AG
tcp 50003 0 Siemens Spectrum Power TG Siemens AG
tcp 50004 0 Siemens Spectrum Power TG Siemens AG
tcp 50005 0 Siemens Spectrum Power TG Siemens AG
tcp 50006 0 Siemens Spectrum Power TG Siemens AG
tcp 50007 0 Siemens Spectrum Power TG Siemens AG
tcp 50008 0 Siemens Spectrum Power TG Siemens AG
tcp 50009 0 Siemens Spectrum Power TG Siemens AG
tcp 50010 0 Siemens Spectrum Power TG Siemens AG
tcp 50011 0 Siemens Spectrum Power TG Siemens AG
tcp 50012 0 Siemens Spectrum Power TG Siemens AG
tcp 50013 0 Siemens Spectrum Power TG Siemens AG
tcp 50014 0 Siemens Spectrum Power TG Siemens AG
tcp 50015 0 Siemens Spectrum Power TG Siemens AG
tcp 50016 0 Siemens Spectrum Power TG Siemens AG
tcp 50018 0 Siemens Spectrum Power TG Siemens AG
tcp 50019 0 Siemens Spectrum Power TG Siemens AG
tcp 50020 0 Siemens Spectrum Power TG Siemens AG
tcp 50021 0 Siemens Spectrum Power TG Siemens AG
tcp 50025 0 Siemens Spectrum Power TG Siemens AG
tcp 50026 0 Siemens Spectrum Power TG Siemens AG
tcp 50027 0 Siemens Spectrum Power TG Siemens AG
tcp 50028 0 Siemens Spectrum Power TG Siemens AG
tcp 50110 0 Siemens Spectrum Power TG Siemens AG
tcp 50111 0 Siemens Spectrum Power TG Siemens AG
unknown_transport 55000 0 Mitsubishi Electronic FL-Net Cyclic Transmission Mitsubishi Electric
unknown_transport 55001 0 Mitsubishi Electronic FL-Net Message Transmission Mitsubishi Electric
unknown_transport 55002 0 Mitsubishi Electronic FL-Net Participation Request Frame Mitsubishi Electric
unknown_transport 55003 0 Mitsubishi Electronic FL-Net Sending Service Mitsubishi Electric
tcp 55555 0 Rockwell AADvance Telnet Rockwell Automation
unknown_transport 55555 0 Foxboro/Invensys Foxboro DCS FoxAPI Schneider Electric
tcp 56001 0 OASyS SCADA AVEVA
tcp 56001 0 OASyS SCADA AVEVA
tcp 56002 0 OASyS SCADA AVEVA
tcp 56003 0 OASyS SCADA AVEVA
tcp 56004 0 OASyS SCADA AVEVA
tcp 56005 0 OASyS SCADA AVEVA
tcp 56006 0 OASyS SCADA AVEVA
tcp 56007 0 OASyS SCADA AVEVA
tcp 56008 0 OASyS SCADA AVEVA
tcp 56009 0 OASyS SCADA AVEVA
tcp 56010 0 OASyS SCADA AVEVA
tcp 56011 0 OASyS SCADA AVEVA
tcp 56012 0 OASyS SCADA AVEVA
tcp 56013 0 OASyS SCADA AVEVA
tcp 56014 0 OASyS SCADA AVEVA
tcp 56015 0 OASyS SCADA AVEVA
tcp 56016 0 OASyS SCADA AVEVA
tcp 56017 0 OASyS SCADA AVEVA
tcp 56018 0 OASyS SCADA AVEVA
tcp 56019 0 OASyS SCADA AVEVA
tcp 56020 0 OASyS SCADA AVEVA
tcp 56021 0 OASyS SCADA AVEVA
tcp 56022 0 OASyS SCADA AVEVA
tcp 56023 0 OASyS SCADA AVEVA
tcp 56024 0 OASyS SCADA AVEVA
tcp 56025 0 OASyS SCADA AVEVA
tcp 56026 0 OASyS SCADA AVEVA
tcp 56027 0 OASyS SCADA AVEVA
tcp 56028 0 OASyS SCADA AVEVA
tcp 56029 0 OASyS SCADA AVEVA
tcp 56030 0 OASyS SCADA AVEVA
tcp 56031 0 OASyS SCADA AVEVA
tcp 56032 0 OASyS SCADA AVEVA
tcp 56033 0 OASyS SCADA AVEVA
tcp 56034 0 OASyS SCADA AVEVA
tcp 56035 0 OASyS SCADA AVEVA
tcp 56036 0 OASyS SCADA AVEVA
tcp 56037 0 OASyS SCADA AVEVA
tcp 56038 0 OASyS SCADA AVEVA
tcp 56039 0 OASyS SCADA AVEVA
tcp 56040 0 OASyS SCADA AVEVA
tcp 56041 0 OASyS SCADA AVEVA
tcp 56042 0 OASyS SCADA AVEVA
tcp 56043 0 OASyS SCADA AVEVA
tcp 56044 0 OASyS SCADA AVEVA
tcp 56045 0 OASyS SCADA AVEVA
tcp 56046 0 OASyS SCADA AVEVA
tcp 56047 0 OASyS SCADA AVEVA
tcp 56048 0 OASyS SCADA AVEVA
tcp 56049 0 OASyS SCADA AVEVA
tcp 56050 0 OASyS SCADA AVEVA
tcp 56051 0 OASyS SCADA AVEVA
tcp 56052 0 OASyS SCADA AVEVA
tcp 56053 0 OASyS SCADA AVEVA
tcp 56054 0 OASyS SCADA AVEVA
tcp 56055 0 OASyS SCADA AVEVA
tcp 56056 0 OASyS SCADA AVEVA
tcp 56057 0 OASyS SCADA AVEVA
tcp 56058 0 OASyS SCADA AVEVA
tcp 56059 0 OASyS SCADA AVEVA
tcp 56060 0 OASyS SCADA AVEVA
tcp 56061 0 OASyS SCADA AVEVA
tcp 56062 0 OASyS SCADA AVEVA
tcp 56063 0 OASyS SCADA AVEVA
tcp 56064 0 OASyS SCADA AVEVA
tcp 56065 0 OASyS SCADA AVEVA
tcp 56066 0 OASyS SCADA AVEVA
tcp 56067 0 OASyS SCADA AVEVA
tcp 56068 0 OASyS SCADA AVEVA
tcp 56069 0 OASyS SCADA AVEVA
tcp 56070 0 OASyS SCADA AVEVA
tcp 56071 0 OASyS SCADA AVEVA
tcp 56072 0 OASyS SCADA AVEVA
tcp 56073 0 OASyS SCADA AVEVA
tcp 56074 0 OASyS SCADA AVEVA
tcp 56075 0 OASyS SCADA AVEVA
tcp 56076 0 OASyS SCADA AVEVA
tcp 56077 0 OASyS SCADA AVEVA
tcp 56078 0 OASyS SCADA AVEVA
tcp 56079 0 OASyS SCADA AVEVA
tcp 56080 0 OASyS SCADA AVEVA
tcp 56081 0 OASyS SCADA AVEVA
tcp 56082 0 OASyS SCADA AVEVA
tcp 56083 0 OASyS SCADA AVEVA
tcp 56084 0 OASyS SCADA AVEVA
tcp 56085 0 OASyS SCADA AVEVA
tcp 56086 0 OASyS SCADA AVEVA
tcp 56087 0 OASyS SCADA AVEVA
tcp 56088 0 OASyS SCADA AVEVA
tcp 56089 0 OASyS SCADA AVEVA
tcp 56090 0 OASyS SCADA AVEVA
tcp 56091 0 OASyS SCADA AVEVA
tcp 56092 0 OASyS SCADA AVEVA
tcp 56093 0 OASyS SCADA AVEVA
tcp 56094 0 OASyS SCADA AVEVA
tcp 56095 0 OASyS SCADA AVEVA
tcp 56096 0 OASyS SCADA AVEVA
tcp 56097 0 OASyS SCADA AVEVA
tcp 56098 0 OASyS SCADA AVEVA
tcp 56099 0 OASyS SCADA AVEVA
tcp 60093 0 Rockwell FactoryTalk Diagnostics Rockwell Automation
tcp 62900 0 GENe SNC
tcp 62911 0 GENe SNC
tcp 62924 0 GENe SNC
tcp 62930 0 GENe SNC
tcp 62938 0 GENe SNC
tcp 62956 0 GENe SNC
tcp 62957 0 GENe SNC
tcp 62963 0 GENe SNC
tcp 62981 0 GENe SNC
tcp 62982 0 GENe SNC
tcp 62985 0 GENe SNC
tcp 62992 0 GENe SNC
tcp 63012 0 GENe SNC
tcp 63027 0 GENe SNC
tcp 63028 0 GENe SNC
tcp 63029 0 GENe SNC
tcp 63030 0 GENe SNC
tcp 63031 0 GENe SNC
tcp 63032 0 GENe SNC
tcp 63033 0 GENe SNC
tcp 63034 0 GENe SNC
tcp 63035 0 GENe SNC
tcp 63036 0 GENe SNC
tcp 63041 0 GENe SNC
tcp 63075 0 GENe SNC
tcp 63079 0 GENe SNC
tcp 63082 0 GENe SNC
tcp 63088 0 GENe SNC
tcp 63094 0 GENe SNC
tcp 65207 0 Rockwell FactoryTalk VantagePoint Incuity Server Advertiser Rockwell Automation
tcp 65443 0 GENe SNC
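Review bot: The row `tcp 56001 0 OASyS SCADA AVEVA` appears twice on consecutive lines in the 56000–56099 run, so the input framework is handed the same key twice; presumably the later row simply overwrites the earlier, but the duplicate should be removed so the table load is clean. The `tcp 102 0 ICCP -` row sits out of port order between the 3341 and 3480 entries, and 102/tcp is ISO-TSAP, which in ICS networks carries Siemens S7comm at least as often as ICCP, so a label that reflects the ambiguity (e.g. `ICCP/ISO-TSAP`) or a note in the file header would keep analysts from reading that guess as a definitive identification. The rendered page has lost the tab characters, so whether the multi-word names are correctly separated from the category column cannot be verified from here.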


@@ -0,0 +1,117 @@
##! Zeek local site policy. Customize as appropriate.
##!
##! See https://github.com/zeek/zeekctl
##! https://docs.zeek.org/en/stable/script-reference/scripts.html
##! https://github.com/zeek/zeek/blob/master/scripts/site/local.zeek
global disable_hash_all_files = (getenv("ZEEK_DISABLE_HASH_ALL_FILES") == "") ? F : T;
global disable_log_passwords = (getenv("ZEEK_DISABLE_LOG_PASSWORDS") == "") ? F : T;
global disable_ssl_validate_certs = (getenv("ZEEK_DISABLE_SSL_VALIDATE_CERTS") == "") ? F : T;
global disable_track_all_assets = (getenv("ZEEK_DISABLE_TRACK_ALL_ASSETS") == "") ? F : T;
global disable_best_guess_ics = (getenv("ZEEK_DISABLE_BEST_GUESS_ICS") == "") ? F : T;
global disable_spicy_dhcp = (getenv("ZEEK_DISABLE_SPICY_DHCP") == "") ? F : T;
global disable_spicy_dns = (getenv("ZEEK_DISABLE_SPICY_DNS") == "") ? F : T;
global disable_spicy_http = (getenv("ZEEK_DISABLE_SPICY_HTTP") == "") ? F : T;
global disable_spicy_ldap = (getenv("ZEEK_DISABLE_SPICY_LDAP") == "") ? F : T;
global disable_spicy_ipsec = (getenv("ZEEK_DISABLE_SPICY_IPSEC") == "") ? F : T;
global disable_spicy_openvpn = (getenv("ZEEK_DISABLE_SPICY_OPENVPN") == "") ? F : T;
global disable_spicy_tftp = (getenv("ZEEK_DISABLE_SPICY_TFTP") == "") ? F : T;
global disable_spicy_wireguard = (getenv("ZEEK_DISABLE_SPICY_WIREGUARD") == "") ? F : T;
redef Broker::default_listen_address = "127.0.0.1";
redef ignore_checksums = T;
@load tuning/defaults
@load misc/scan
@load frameworks/software/vulnerable
@load frameworks/software/version-changes
@load frameworks/software/windows-version-detection
@load-sigs frameworks/signatures/detect-windows-shells
@load protocols/conn/known-hosts
@load protocols/conn/known-services
@load protocols/dhcp/software
@load protocols/dns/detect-external-names
@load protocols/ftp/detect
@load protocols/ftp/detect-bruteforcing.zeek
@load protocols/ftp/software
@load protocols/http/detect-sqli
@load protocols/http/detect-webapps
@load protocols/http/software
@load protocols/http/software-browser-plugins
@load protocols/mysql/software
@load protocols/ssl/weak-keys
@load protocols/smb/log-cmds
@load protocols/smtp/software
@load protocols/ssh/detect-bruteforcing
@load protocols/ssh/geo-data
@load protocols/ssh/interesting-hostnames
@load protocols/ssh/software
@load protocols/ssl/known-certs
@load protocols/ssl/log-hostcerts-only
@if (!disable_ssl_validate_certs)
@load protocols/ssl/validate-certs
@endif
@if (!disable_track_all_assets)
@load tuning/track-all-assets.zeek
@endif
@if (!disable_hash_all_files)
@load frameworks/files/hash-all-files
@endif
@load policy/protocols/conn/vlan-logging
@load policy/protocols/conn/mac-logging
@load policy/protocols/modbus/known-masters-slaves
@load policy/protocols/mqtt
@load ./login.zeek
@if (!disable_best_guess_ics)
@load ./guess.zeek
@endif
@load packages
event zeek_init() &priority=-5 {
if (disable_spicy_dhcp) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_DHCP);
}
if (disable_spicy_dns) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_DNS);
}
if (disable_spicy_http) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_HTTP);
}
if (disable_spicy_ipsec) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_IPSEC_TCP);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_IPSEC_UDP);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_IPSEC_IKE_UDP);
}
if (disable_spicy_ldap) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_LDAP_TCP);
}
if (disable_spicy_openvpn) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_MD5);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_SHA1);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_SHA256);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_SHA512);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_MD5);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA1);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA256);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA512);
}
if (disable_spicy_tftp) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_TFTP);
}
if (disable_spicy_wireguard) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_WIREGUARD);
}
}
@if (!disable_log_passwords)
redef HTTP::default_capture_password = T;
redef FTP::default_capture_password = T;
redef SOCKS::default_capture_password = T;
redef SNIFFPASS::log_password_plaintext = T;
@endif
redef SNIFFPASS::notice_log_enable = F;
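Review bot: The environment-variable toggles at the top of the hunk (`ZEEK_DISABLE_HASH_ALL_FILES` through `ZEEK_DISABLE_SPICY_WIREGUARD`) treat any non-empty value as true, so `ZEEK_DISABLE_SSL_VALIDATE_CERTS=false` or `=0` silently disables certificate validation instead of keeping it on, and the same holds for the other eleven globals. Parsing an explicit truthy set would be less surprising, e.g. `global disable_ssl_validate_certs = (to_lower(getenv("ZEEK_DISABLE_SSL_VALIDATE_CERTS")) in set("true", "yes", "1"));` applied to each toggle. The `@if (!disable_log_passwords)` block at the end also makes cleartext credential capture for HTTP, FTP, SOCKS and SNIFFPASS the default, which is worth stating on the block so operators know the logs need protecting, e.g. `# Cleartext passwords are written to the logs unless ZEEK_DISABLE_LOG_PASSWORDS is set; restrict access to the log directory accordingly.`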


@@ -0,0 +1,253 @@
module Login;
# log telnet, rlogin, and rsh events to login.log
export {
redef enum Log::ID += {
## The logging stream identifier
Log_LOGIN
};
type Info : record {
## Time the event occurred
ts : time &log;
## Unique ID for the connection
uid : string &log;
## The connection's 4-tuple of endpoint addresses/port
id : conn_id &log;
## proto (telnet, rlogin, or rsh)
proto : string &log &optional;
## login_success event was seen (successful login)
success : bool &log &default = F;
## login_confused event was seen (successful login)
confused : bool &log &default = F;
## username given for login attempt
user : string &log &optional;
## client_user given for login attempt (empty for telnet, set for rlogin)
client_user : string &log &optional;
## password given for login attempt
password : string &log &optional;
## whether or not a line has been written to login.log
logged : bool &default = F;
};
## Event that can be handled to access the :zeek:type:`Login::Info`
## record as it is sent on to the logging framework.
global log_login : event(rec : Info);
}
# Add the state tracking information variable to the connection record
redef record connection += {
login : Info &optional;
};
###############################################
# constants borrowed from the old Bro 1.5 login.bro required to make some of the telnet/rlogin/rsh events work correctly
# see https://github.com/zeek/zeek/blob/release/1.5/policy/login.bro#L178
# https://github.com/reservoirlabs/brorefguide/blob/master/analysis.texi#L3850
redef skip_authentication = { "WELCOME TO THE BERKELEY PUBLIC LIBRARY", };
redef direct_login_prompts = { "TERMINAL?", };
redef login_prompts = {
"Login:",
"login:",
"Name:",
"Username:",
"User:",
"Member Name",
"User Access Verification",
"Cisco Systems Console",
direct_login_prompts
};
redef login_non_failure_msgs = {
"Failures",
"failures", # probably is "<n> failures since last login"
"failure since last successful login",
"failures since last successful login",
};
redef login_non_failure_msgs = {
"Failures",
"failures", # probably is "<n> failures since last login"
"failure since last successful login",
"failures since last successful login",
} &redef;
redef login_failure_msgs = {
"invalid",
"Invalid",
"incorrect",
"Incorrect",
"failure",
"Failure",
# "Unable to authenticate",
# "unable to authenticate",
"User authorization failure",
"Login failed",
"INVALID",
"Sorry.",
"Sorry,",
};
const router_prompts: set[string] &redef;
redef login_success_msgs = {
"Last login",
"Last successful login",
"Last successful login",
"checking for disk quotas",
"unsuccessful login attempts",
"failure since last successful login",
"failures since last successful login",
router_prompts,
};
redef login_timeouts = {
"timeout",
"timed out",
"Timeout",
"Timed out",
"Error reading command input", # VMS
};
# end borrowed constants from Bro 1.5 login.bro
###############################################
# telnet, rlogin, rsh
const telnet_port = 23/tcp;
const telnet_ports = { telnet_port };
const rlogin_port = 513/tcp;
const rlogin_ports = { rlogin_port };
const rsh_port = 514/tcp;
const rsh_ports = { rsh_port };
redef likely_server_ports += { telnet_ports, rlogin_ports, rsh_ports };
# set_login_session - if has not yet been registered in the connection, instantiate
# the Info record and assign in c$login
function set_login_session(c : connection) {
if ( ! c?$login ) {
local s : Info = [$ts = network_time(), $uid = c$uid, $id = c$id];
switch c$id$resp_p {
case telnet_port:
s$proto = "telnet";
add c$service["telnet"];
break;
case rlogin_port:
s$proto = "rlogin";
add c$service["rlogin"];
break;
case rsh_port:
s$proto = "rsh";
add c$service["rsh"];
break;
}
c$login = s;
}
}
# login_message - log to login.log
function login_message(s : Info) {
# strip some values that can happen in a "confused" state that aren't really valid values
if (( s?$user ) && (( s$user == "" ) || ( s$user == "<none>" ) || ( s$user == "<timeout>" )))
delete s$user;
if (( s?$client_user ) && (( s$client_user == "" ) || ( s$client_user == "<none>" ) || ( s$client_user == "<timeout>" )))
delete s$client_user;
if (( s?$password ) && (( s$password == "" ) || ( s$password == "<none>" ) || ( s$password == "<timeout>" )))
delete s$password;
if (( s?$proto ) && ( s$proto == "" ))
delete s$proto;
s$ts = network_time();
Log::write(Login::Log_LOGIN, s);
s$logged = T;
}
# create log stream for login.log and register telnet, rlogin, and rsh analyzers
event zeek_init() &priority = 5 {
Log::create_stream(Login::Log_LOGIN, [$columns = Info, $ev = log_login, $path = "login"]);
Analyzer::register_for_ports(Analyzer::ANALYZER_TELNET, telnet_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_RLOGIN, rlogin_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_RSH, rsh_ports);
}
# login_confused - Generated when tracking of Telnet/Rlogin authentication failed
# https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.html#id-login_confused
event login_confused(c : connection, msg : string, line : string) &priority = 5 {
# print "login_confused", msg, line;
set_login_session(c);
c$login$confused = T;
}
# login_failure - Generated when tracking of Telnet/Rlogin authentication failed
# https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.html#id-login_failure
event login_failure(c : connection, user : string, client_user : string, password : string, line : string) &priority = 5 {
# print "login_failure", user, client_user, password, line;
set_login_session(c);
if ((!c$login?$user) || (c$login$user == ""))
c$login$user = user;
if ((!c$login?$client_user) || (c$login$client_user == ""))
c$login$client_user = client_user;
if ((!c$login?$password) || (c$login$password == ""))
c$login$password = password;
login_message(c$login);
}
# login_success - Generated for successful Telnet/Rlogin logins
# https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.html#id-login_success
event login_success(c : connection, user : string, client_user : string, password : string, line : string) &priority = 5 {
# print "login_success", user, client_user, password, line;
set_login_session(c);
c$login$success = T;
c$login$user = user;
c$login$client_user = client_user;
# it appears for a successful login with rsh where client_user was checked, what we're getting in
# the "password" field is actually not the password, but the first line of data
if ((c$login$proto != "rsh") || (c$login$client_user == ""))
c$login$password = password;
login_message(c$login);
}
event connection_state_remove(c : connection) &priority = -5 {
if (c?$login) {
if ( c$login$logged == F) {
login_message(c$login);
}
delete c$login;
}
}
# for testing:
# for file in /host/telnet/*; do cd /tmp; mkdir -p /host/logs/"$(basename "$file")"; /bin/rm -f /host/logs/"$(basename "$file")"/*; cd /host/logs/"$(basename "$file")"; zeek -r "$file" local > debug_output.txt; cd /tmp; done
# event activating_encryption(c: connection) { print "activating_encryption"; }
# event authentication_accepted(name: string, c: connection) { print "authentication_accepted", name; }
# event authentication_rejected(name: string, c: connection) { print "authentication_rejected", name; }
# event authentication_skipped(c: connection) { print "authentication_skipped"; }
# event bad_option(c: connection) { print "bad_option"; }
# event bad_option_termination(c: connection) { print "bad_option_termination"; }
# event inconsistent_option(c: connection) { print "inconsistent_option"; }
# event login_confused_text(c: connection, line: string) { print "login_confused_text", line; }
# event login_display(c: connection, display: string) { print "login_display", display; }
# event login_input_line(c: connection, line: string) { print "login_input_line", line; }
# event login_output_line(c: connection, line: string) { print "login_output_line", line; }
# event login_terminal(c: connection, terminal: string) { print "login_terminal", terminal; }
# event rsh_reply(c: connection, client_user: string, server_user: string, line: string) { print "rsh_reply", client_user, server_user, line; }
# event rsh_request(c: connection, client_user: string, server_user: string, line: string; new_session: bool) { print "rsh_request", client_user, server_user, line, new_session; }


@@ -0,0 +1,38 @@
; Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
[unix_http_server]
file=/tmp/supervisor.sock ; (the path to the socket file)
chmod=0700
[supervisord]
nodaemon=true
logfile=/dev/null
logfile_maxbytes=0
pidfile=/tmp/supervisord.pid
[rpcinterface:supervisor]
supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface
[supervisorctl]
serverurl=unix:///tmp/supervisor.sock
[program:pcap-zeek]
command=python3 /usr/local/bin/pcap_zeek_processor.py
--verbose "%(ENV_PCAP_PIPELINE_DEBUG)s"
--extra-verbose "%(ENV_PCAP_PIPELINE_DEBUG_EXTRA)s"
--start-sleep 10
--threads %(ENV_ZEEK_AUTO_ANALYZE_PCAP_THREADS)s
--publisher "%(ENV_PCAP_MONITOR_HOST)s"
--pcap-directory /pcap/processed
--zeek /opt/zeek/bin/zeek
--autotag "%(ENV_AUTO_TAG)s"
--autozeek "%(ENV_ZEEK_AUTO_ANALYZE_PCAP_FILES)s"
--extract "%(ENV_ZEEK_EXTRACTOR_MODE)s"
--zeek-directory /zeek/upload
startsecs=15
startretries=1
stopasgroup=true
killasgroup=true
stdout_logfile=/dev/fd/1
stdout_logfile_maxbytes=0
redirect_stderr=true