xkeyscorerules

SUBMITTED BY: Guest

DATE: July 3, 2014, 7:30 p.m.

FORMAT: Text only

SIZE: 6.3 kB

Raw Download

HITS: 886

Report
  1. http://daserste.ndr.de/panorama/xkeyscorerules100.txt
  3. // START_DEFINITION
  4. /**
  5. * Fingerprint Tor authoritative directories enacting the directory protocol.
  6. */
  7. fingerprint('anonymizer/tor/node/authority') = $tor_authority
  8. and ($tor_directory or preappid(/anonymizer\/tor\/directory/));
  9. // END_DEFINITION
  11. // START_DEFINITION
  12. /*
  13. Global Variable for Tor foreign directory servers. Searching for potential Tor
  14. clients connecting to the Tor foreign directory servers on ports 80 and 443.
  15. */
  17. $tor_foreign_directory_ip = ip('193.23.244.244' or '194.109.206.212' or
  18. '86.59.21.38' or '213.115.239.118' or '212.112.245.170') and port ('80' or
  19. '443');
  20. // END_DEFINITION
  22. // START_DEFINITION
  23. /*
  24. this variable contains the 3 Tor directory servers hosted in FVEY countries.
  25. Please do not update this variable with non-FVEY IPs. These are held in a
  26. separate variable called $tor_foreign_directory_ip. Goal is to find potential
  27. Tor clients connecting to the Tor directory servers.
  28. */
  29. $tor_fvey_directory_ip = ip('128.31.0.39' or '216.224.124.114' or
  30. '208.83.223.34') and port ('80' or '443');
  31. // END_DEFINITION
  34. // START_DEFINITION
  35. requires grammar version 5
  36. /**
  37. * Identify clients accessing Tor bridge information.
  38. */
  39. fingerprint('anonymizer/tor/bridge/tls') =
  40. ssl_x509_subject('bridges.torproject.org') or
  41. ssl_dns_name('bridges.torproject.org');
  43. /**
  44. * Database Tor bridge information extracted from confirmation emails.
  45. */
  46. fingerprint('anonymizer/tor/bridge/email') =
  47. email_address('bridges@torproject.org')
  48. and email_body('https://bridges.torproject.org/' : c++
  49. extractors: {{
  50. bridges[] = /bridge\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):?([0-9]{2,4}?[^0-9])/;
  51. }}
  52. init: {{
  53. xks::undefine_name("anonymizer/tor/torbridges/emailconfirmation");
  54. }}
  55. main: {{
  56. static const std::string SCHEMA_OLD = "tor_bridges";
  57. static const std::string SCHEMA_NEW = "tor_routers";
  58. static const std::string FLAGS = "Bridge";
  59. if (bridges) {
  60. for (size_t i=0; i < bridges.size(); ++i) {
  61. std::string address = bridges[i][0] + ":" + bridges[i][1];
  62. DB[SCHEMA_OLD]["tor_bridge"] = address;
  63. DB.apply();
  64. DB[SCHEMA_NEW]["tor_ip"] = bridges[i][0];
  65. DB[SCHEMA_NEW]["tor_port_or"] = bridges[i][1];
  66. DB[SCHEMA_NEW]["tor_flags"] = FLAGS;
  67. DB.apply();
  68. }
  69. xks::fire_fingerprint("anonymizer/tor/directory/bridge");
  70. }
  71. return true;
  72. }});
  73. // END_DEFINITION
  76. // START_DEFINITION
  77. /*
  78. The fingerprint identifies sessions visiting the Tor Project website from
  79. non-fvey countries.
  80. */
  81. fingerprint('anonymizer/tor/torpoject_visit')=http_host('www.torproject.org')
  82. and not(xff_cc('US' OR 'GB' OR 'CA' OR 'AU' OR 'NZ'));
  83. // END_DEFINITION
  86. // START_DEFINITION
  87. /*
  88. These variables define terms and websites relating to the TAILs (The Amnesic
  89. Incognito Live System) software program, a comsec mechanism advocated by
  90. extremists on extremist forums.
  91. */
  93. $TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and word('linux'
  94. or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt' or ' tor ');
  95. $TAILS_websites=('tails.boum.org/') or ('linuxjournal.com/content/linux*');
  96. // END_DEFINITION
  98. // START_DEFINITION
  99. /*
  100. This fingerprint identifies users searching for the TAILs (The Amnesic
  101. Incognito Live System) software program, viewing documents relating to TAILs,
  102. or viewing websites that detail TAILs.
  103. */
  104. fingerprint('ct_mo/TAILS')=
  105. fingerprint('documents/comsec/tails_doc') or web_search($TAILS_terms) or
  106. url($TAILS_websites) or html_title($TAILS_websites);
  107. // END_DEFINITION
  110. // START_DEFINITION
  111. requires grammar version 5
  112. /**
  113. * Aggregate Tor hidden service addresses seen in raw traffic.
  114. */
  115. mapreduce::plugin('anonymizer/tor/plugin/onion') =
  116. immediate_keyword(/(?:([a-z]+):\/\/){0,1}([a-z2-7]{16})\.onion(?::(\d+)){0,1}/c : c++
  117. includes: {{
  118. #include <boost/lexical_cast.hpp>
  119. }}
  120. proto: {{
  121. message onion_t {
  122. required string address = 1;
  123. optional string scheme = 2;
  124. optional string port = 3;
  125. }
  126. }}
  127. mapper<onion_t>: {{
  128. static const std::string prefix = "anonymizer/tor/hiddenservice/address/";
  130. onion_t onion;
  131. size_t matches = cur_args()->matches.size();
  132. for (size_t pos=0; pos < matches; ++pos) {
  133. const std::string &value = match(pos);
  134. if (value.size() == 16)
  135. onion.set_address(value);
  136. else if(!onion.has_scheme())
  137. onion.set_scheme(value);
  138. else
  139. onion.set_port(value);
  140. }
  142. if (!onion.has_address())
  143. return false;
  145. MAPPER.map(onion.address(), onion);
  146. xks::fire_fingerprint(prefix + onion.address());
  147. return true;
  148. }}
  149. reducer<onion_t>: {{
  150. for (values_t::const_iterator iter = VALUES.begin();
  151. iter != VALUES.end();
  152. ++iter) {
  153. DB["tor_onion_survey"]["onion_address"] = iter->address() + ".onion";
  154. if (iter->has_scheme())
  155. DB["tor_onion_survey"]["onion_scheme"] = iter->scheme();
  156. if (iter->has_port())
  157. DB["tor_onion_survey"]["onion_port"] = iter->port();
  158. DB["tor_onion_survey"]["onion_count"] = boost::lexical_cast<std::string>(TOTAL_VALUE_COUNT);
  159. DB.apply();
  160. DB.clear();
  161. }
  162. return true;
  163. }});
  165. /**
  166. * Placeholder fingerprint for Tor hidden service addresses.
  167. * Real fingerpritns will be fired by the plugins
  168. * 'anonymizer/tor/plugin/onion/*'
  169. */
  170. fingerprint('anonymizer/tor/hiddenservice/address') = nil;
  171. // END_DEFINITION
  174. // START_DEFINITION
  175. appid('anonymizer/mailer/mixminion', 3.0, viewer=$ascii_viewer) =
  176. http_host('mixminion') or
  177. ip('128.31.0.34');
  178. // END_DEFINITION
comments powered by Disqus