Merge pull request #403 from network-intelligence/dev

Merging dev 2.6.4 into trunk

Author: davidmcgrew

VERSION

@@ -1 +1 @@
-2.6.3
+2.6.4

doc/CHANGELOG.md

@@ -1,5 +1,18 @@
 # CHANGELOG for Mercury
 
+## VERSION 2.6.4
+* Added reporting of HTTP CONNECT proxies in JSON output.
+* Added FTP command channel reporting in JSON output.
+* Added SSH crypto assessment.
+* Refactored weighted naive bayes classifier and eliminated
+  intermedate data structures that had been used during
+  initialization.
+* Several minor fixes and defensive coding additions
+* Added normalization for TLS/QUIC Server Names and HTTP Hosts
+* Added test cases for CBOR.
+* Improved error checking and unit test cases for IPv4 and IPv6 address textual representations.
+* Added detectors for Domain Faking and Fake TLS.
+
 ## VERSION 2.6.3
 * Revamped SSH metadata and fingerprints.
 * Minor improvements to reassembly.

doc/sphinx/Doxyfile

@@ -784,7 +784,7 @@ WARN_LOGFILE           =
 # spaces. See also FILE_PATTERNS and EXTENSION_MAPPING
 # Note: If this tag is empty the current directory is searched.
 
-INPUT                  = ../../src/libmerc/datum.h
+INPUT                  = ../../src/libmerc/datum.h ../../src/libmerc/watchlist.hpp ../../src/libmerc/ip_address.hpp
 
 # This tag can be used to specify the character encoding of the source files
 # that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses

doc/sphinx/source/conf.py

@@ -7,7 +7,7 @@
 # https://www.sphinx-doc.org/en/master/usage/configuration.html#project-information
 
 project = 'mercury'
-copyright = '2023, Cisco Systems'
+copyright = '2024, Cisco Systems'
 author = 'Cisco Systems'
 with open('../../../VERSION') as VERSION:
     release = VERSION.read()
@@ -45,5 +45,5 @@
 }
 
 breathe_projects_source = {
-    "mercury" : ( "../../../", ["src/libmerc/datum.h"])
+    "mercury" : ( "../../../", ["src/libmerc/datum.h", "src/libmerc/watchlist.hpp", "src/libmerc/ip_address.hpp"] )
 }

doc/sphinx/source/datum.rst

@@ -0,0 +1,66 @@
+.. Mercury documentation subfile
+
+Data Parsing and Lexing
+=======================
+
+Datum
+-----
+
+.. doxygenstruct:: datum
+   :project: mercury
+   :members:
+
+.. doxygenclass:: writeable
+   :project: mercury
+   :members:
+
+.. doxygenstruct:: data_buffer
+   :project: mercury
+   :members:
+
+.. doxygenclass:: pad
+   :project: mercury
+   :members:
+
+.. doxygenclass:: encoded
+   :project: mercury
+   :members:
+
+.. doxygenclass:: type_codes
+   :project: mercury
+   :members:
+
+.. doxygenclass:: literal
+   :project: mercury
+   :members:
+
+.. doxygenclass:: literal_byte
+   :project: mercury
+   :members:
+
+.. doxygenclass:: skip_bytes
+   :project: mercury
+   :members:
+
+.. doxygenclass:: lookahead
+   :project: mercury
+   :members:
+
+.. doxygenclass:: acceptor
+   :project: mercury
+   :members:
+
+.. doxygenclass:: optional
+   :project: mercury
+   :members:
+
+.. doxygenclass:: ignore
+   :project: mercury
+   :members:
+
+.. doxygengroup:: byteorder
+   :project: mercury
+
+.. doxygengroup:: bitoperations
+   :project: mercury
+

doc/sphinx/source/identifiers.rst

@@ -0,0 +1,47 @@
+.. Mercury documentation master file, created by
+   sphinx-quickstart on Mon Aug 14 16:13:10 2023.
+   You can adapt this file completely to your liking, but it should at least
+   contain the root `toctree` directive.
+
+Domain Names and Addresses
+========================================
+
+Internet Protocol (IP) Addresses
+---------------------------------
+
+.. doxygenclass:: ipv4_address
+   :project: mercury
+   :members:
+
+.. doxygenstruct:: ipv6_address
+   :project: mercury
+   :members:
+
+.. doxygenclass:: ipv4_address_string
+   :project: mercury
+   :members:
+
+.. doxygenclass:: ipv6_address_string
+   :project: mercury
+   :members:
+
+.. doxygenfunction:: normalize_ip_address
+   :project: mercury
+
+.. doxygennamespace:: normalized
+   :project: mercury
+   :members:
+
+
+Host and Server Identifiers
+----------------------------
+
+.. doxygentypedef:: dns_name_t
+   :project: mercury
+
+.. doxygentypedef:: host_identifier
+   :project: mercury
+
+.. doxygenclass:: server_identifier
+   :project: mercury
+   :members:

doc/sphinx/source/index.rst

@@ -7,82 +7,21 @@ Mercury Library Documentation
 ===================================
 
 .. toctree::
-   :maxdepth: 3
+   intro
+   datum
+   identifiers
+   python
+   :maxdepth: 2
    :caption: Contents:
 
-.. doxygenstruct:: datum
-   :project: mercury
-   :members:
-
-.. doxygenclass:: writeable
-   :project: mercury
-   :members:
-
-.. doxygenstruct:: data_buffer
-   :project: mercury
-   :members:
-
-.. doxygenclass:: pad
-   :project: mercury
-   :members:
-
-.. doxygenclass:: encoded
-   :project: mercury
-   :members:
-
-.. doxygenclass:: type_codes
-   :project: mercury
-   :members:
-
-.. doxygenclass:: literal
-   :project: mercury
-   :members:
-
-.. doxygenclass:: literal_byte
-   :project: mercury
-   :members:
-
-.. doxygenclass:: skip_bytes
-   :project: mercury
-   :members:
-
-.. doxygenclass:: lookahead
-   :project: mercury
-   :members:
-
-.. doxygenclass:: acceptor
-   :project: mercury
-   :members:
-
-.. doxygenclass:: optional
-   :project: mercury
-   :members:
-
-.. doxygenclass:: ignore
-   :project: mercury
-   :members:
-
-.. doxygenclass:: sequence
-   :project: mercury
-   :members:
-
-.. doxygengroup:: byteorder
-   :project: mercury
-
-.. doxygengroup:: bitoperations
-   :project: mercury
-
-Mercury Python Library Documentation
-====================================
-
-.. automodule:: mercury
-   :members:
-   :show-inheritance:
-
 
 Indices and tables
 ==================
 
 * :ref:`genindex`
 * :ref:`modindex`
 * :ref:`search`
+
+Table of Contents
+^^^^^^^^^^^^^^^^^
+

doc/sphinx/source/intro.rst

@@ -0,0 +1,11 @@
+
+
+Introduction
+============
+
+This documentation presents the interface to the Mercury C++ classes
+and functions for parsing, lexing, and manipulating data.
+
+This documentation is a work in progress, and much of the code is not
+yet covered.
+

doc/sphinx/source/python.rst

@@ -0,0 +1,7 @@
+Mercury Python Library
+======================
+
+.. automodule:: mercury
+   :members:
+   :exclude-members: ECHConfig
+   :show-inheritance:

src/Makefile.in

@@ -105,12 +105,14 @@ compiler_version:
 #.PHONY: libmerc-and-mercury
 #libmerc-and-mercury: libmerc.a mercury # TODO: delete
 
-# implicit rules for building object files from .c and .cc files
+# implicit rules for building object files from .c, .cpp, and .cc files
 #
 %.o: %.c
 	$(CXX) $(CFLAGS) -c $<
 %.o: %.cc
 	$(CXX) $(CFLAGS) -c $<
+%.o: %.cpp
+	$(CXX) $(CFLAGS) -c $<
 
 # the target mercury rebuilds mercury, and is dependent on the actual
 # libmerc.a file, but it does not trigger any check to see if
@@ -188,6 +190,12 @@ cert_analyze: cert_analyze.cc libmerc/asn1.h
 cms: cms.cpp libmerc/asn1.h
 	$(CXX) $(CFLAGS) cms.cpp libmerc/asn1.cc libmerc/asn1/oid.cc $(LDFLAGS) -lcrypto -o cms
 
+dns-trie: dns-trie.cpp dns_trie.hpp fpdb_reader.hpp
+	$(CXX) $(CFLAGS) dns-trie.cpp -o dns-trie
+
+unit_test: unit_test.cpp
+	$(CXX) $(CFLAGS) -UNDEBUG unit_test.cpp -o unit_test
+
 os_identifier: os_identifier.cc os-identification/os_identifier.h
 	$(CXX) $(CFLAGS) -I libmerc/ os_identifier.cc -lz -o os_identifier
 
@@ -206,6 +214,9 @@ decode: decode.cc
 pcap: pcap.cc pcap_file_io.h
 	$(CXX) $(CFLAGS) pcap.cc -o pcap
 
+remap: remap.cpp libmerc/tls.cc libmerc/http.cc libmerc/match.cc libmerc/asn1.cc libmerc/asn1/oid.cc libmerc/addr.cc
+	$(CXX) $(CFLAGS) -std=c++20 remap.cpp libmerc/tls.cc libmerc/http.cc libmerc/match.cc libmerc/asn1.cc libmerc/asn1/oid.cc libmerc/addr.cc -lcrypto -o remap
+
 pcap_filter: pcap_filter.cc pcap_file_io.c libmerc
 	$(CXX) $(CFLAGS) pcap_filter.cc pcap_file_io.c libmerc/libmerc.a -lz -lcrypto -pthread -o pcap_filter
 
@@ -233,7 +244,7 @@ endif
 
 #MERC_OBJ = $(MERC:%.o=%.c)
 
-libmerc_test: libmerc_test.c $(LIBMERC_SO) Makefile.in
+libmerc_test: run_unit_test libmerc_test.c $(LIBMERC_SO) Makefile.in
 	$(CC) -Wall -std=c11 libmerc_test.c -pthread -L./libmerc $(LIBMERC_SO) -lz -lcrypto -o libmerc_test
 	@echo $(COLOR_GREEN) "To run before 'make install', export LD_LIBRARY_PATH=$(shell pwd)/libmerc" $(COLOR_OFF)
 
@@ -251,7 +262,7 @@ intercept.so: intercept.cc libmerc.a
 
 .PHONY: clean
 clean: libmerc-clean
-	rm -rf mercury libmerc_test libmerc_util intercept_server tls_scanner cert_analyze os_identifier archive_reader batch_gcd string cbor decode pcap pcap_filter format intercept.so gmon.out *.o *.json.gz
+	rm -rf mercury libmerc_test libmerc_util intercept_server tls_scanner cert_analyze os_identifier archive_reader batch_gcd string cbor unit_test decode pcap pcap_filter format intercept.so dns-trie gmon.out *.o *.json.gz
 	for file in Makefile.in README.md configure.ac; do if [ -e "$$file~" ]; then rm -f "$$file~" ; fi; done
 	for file in mercury.c libmerc_test.c tls_scanner.cc cert_analyze.cc $(MERC) $(MERC_H); do if [ -e "$$file~" ]; then rm -f "$$file~" ; fi; done
 
@@ -324,8 +335,19 @@ cppcheck: $(MERC)
 	cppcheck --language=c++ --std=c++17 --force --enable=all -URAPIDJSON_DOXYGEN_RUNNING --template='{file}:{line}:{severity}:{message}' $^
 	cd libmerc && $(MAKE) cppcheck
 
+# the run_unit_test target builds and runs a simple application that
+# invokes all of the unit_test functions available in the libmerc/
+# subdirectory
+#
+# note: there are much more extensive unit tests in the ./unit_tests
+# subdirectory
+#
+.PHONY: run_unit_test
+run_unit_test: unit_test
+	./unit_test
+
 .PHONY: test
-test: mercury libmerc_driver
+test: run_unit_test mercury libmerc_driver
 	cd ../test && $(MAKE)
 
 major=$(shell cat ../VERSION | grep -o "^[0-9]*")

src/cbor.cpp

@@ -83,9 +83,6 @@ int main(int argc, char *argv[]) {
             }
         }
         if (decode_fdc) {
-            static const size_t MAX_DST_ADDR_LEN   = 48;
-            static const size_t MAX_SNI_LEN        = 257;
-            static const size_t MAX_USER_AGENT_LEN = 512;
             static const size_t MAX_FP_STR_LEN     = 4096;
             char fp_str[MAX_FP_STR_LEN];
             char dst_ip_str[MAX_DST_ADDR_LEN];

src/classify.cpp

@@ -64,7 +64,7 @@ int main(int argc, char *argv[]) {
         }
 
         classifier *c = analysis_init_from_archive(0, // verbosity
-                                                   "../../../2025-02-6/resources-mp.tgz",
+                                                   resource_file.c_str(),
                                                    nullptr,
                                                    enc_key_type_none,
                                                    0,

src/cython/_version.py

@@ -1 +1 @@
-__version__ = '2.6.1'
+__version__ = '2.6.4'