xkeyscore source

1. // START_DEFINITION
2. /**
3. * Fingerprint Tor authoritative directories enacting the directory protocol.
4. */
5. fingerprint('anonymizer/tor/node/authority') = $tor_authority
6. and ($tor_directory or preappid(/anonymizer\/tor\/directory/));
7. // END_DEFINITION
8.  
9. // START_DEFINITION
10. /*
11. Global Variable for Tor foreign directory servers. Searching for potential Tor
12. clients connecting to the Tor foreign directory servers on ports 80 and 443.
13. */
14.  
15. $tor_foreign_directory_ip = ip('193.23.244.244' or '194.109.206.212' or
16. '86.59.21.38' or '213.115.239.118' or '212.112.245.170') and port ('80' or
17. '443');
18. // END_DEFINITION
19.  
20. // START_DEFINITION
21. /*
22. this variable contains the 3 Tor directory servers hosted in FVEY countries.
23. Please do not update this variable with non-FVEY IPs. These are held in a
24. separate variable called $tor_foreign_directory_ip. Goal is to find potential
25. Tor clients connecting to the Tor directory servers.
26. */
27. $tor_fvey_directory_ip = ip('128.31.0.39' or '216.224.124.114' or
28. '208.83.223.34') and port ('80' or '443');
29. // END_DEFINITION
30.  
31.  
32. // START_DEFINITION
33. requires grammar version 5
34. /**
35. * Identify clients accessing Tor bridge information.
36. */
37. fingerprint('anonymizer/tor/bridge/tls') =
38. ssl_x509_subject('bridges.torproject.org') or
39. ssl_dns_name('bridges.torproject.org');
40.  
41. /**
42. * Database Tor bridge information extracted from confirmation emails.
43. */
44. fingerprint('anonymizer/tor/bridge/email') =
45. email_address('bridges@torproject.org')
46. and email_body('https://bridges.torproject.org/' : c++
47. extractors: {{
48. bridges[] = /bridge\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):?([0-9]{2,4}?[^0-9])/;
49. }}
50. init: {{
51. xks::undefine_name("anonymizer/tor/torbridges/emailconfirmation");
52. }}
53. main: {{
54. static const std::string SCHEMA_OLD = "tor_bridges";
55. static const std::string SCHEMA_NEW = "tor_routers";
56. static const std::string FLAGS = "Bridge";
57. if (bridges) {
58. for (size_t i=0; i < bridges.size(); ++i) {
59. std::string address = bridges[i][0] + ":" + bridges[i][1];
60. DB[SCHEMA_OLD]["tor_bridge"] = address;
61. DB.apply();
62. DB[SCHEMA_NEW]["tor_ip"] = bridges[i][0];
63. DB[SCHEMA_NEW]["tor_port_or"] = bridges[i][1];
64. DB[SCHEMA_NEW]["tor_flags"] = FLAGS;
65. DB.apply();
66. }
67. xks::fire_fingerprint("anonymizer/tor/directory/bridge");
68. }
69. return true;
70. }});
71. // END_DEFINITION
72.  
73.  
74. // START_DEFINITION
75. /*
76. The fingerprint identifies sessions visiting the Tor Project website from
77. non-fvey countries.
78. */
79. fingerprint('anonymizer/tor/torpoject_visit')=http_host('www.torproject.org')
80. and not(xff_cc('US' OR 'GB' OR 'CA' OR 'AU' OR 'NZ'));
81. // END_DEFINITION
82.  
83.  
84. // START_DEFINITION
85. /*
86. These variables define terms and websites relating to the TAILs (The Amnesic
87. Incognito Live System) software program, a comsec mechanism advocated by
88. extremists on extremist forums.
89. */
90.  
91. $TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and word('linux'
92. or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt' or ' tor ');
93. $TAILS_websites=('tails.boum.org/') or ('linuxjournal.com/content/linux*');
94. // END_DEFINITION
95.  
96. // START_DEFINITION
97. /*
98. This fingerprint identifies users searching for the TAILs (The Amnesic
99. Incognito Live System) software program, viewing documents relating to TAILs,
100. or viewing websites that detail TAILs.
101. */
102. fingerprint('ct_mo/TAILS')=
103. fingerprint('documents/comsec/tails_doc') or web_search($TAILS_terms) or
104. url($TAILS_websites) or html_title($TAILS_websites);
105. // END_DEFINITION
106.  
107.  
108. // START_DEFINITION
109. requires grammar version 5
110. /**
111. * Aggregate Tor hidden service addresses seen in raw traffic.
112. */
113. mapreduce::plugin('anonymizer/tor/plugin/onion') =
114. immediate_keyword(/(?:([a-z]+):\/\/){0,1}([a-z2-7]{16})\.onion(?::(\d+)){0,1}/c : c++
115. includes: {{
116. #include <boost/lexical_cast.hpp>
117. }}
118. proto: {{
119. message onion_t {
120. required string address = 1;
121. optional string scheme = 2;
122. optional string port = 3;
123. }
124. }}
125. mapper<onion_t>: {{
126. static const std::string prefix = "anonymizer/tor/hiddenservice/address/";
127.  
128. onion_t onion;
129. size_t matches = cur_args()->matches.size();
130. for (size_t pos=0; pos < matches; ++pos) {
131. const std::string &value = match(pos);
132. if (value.size() == 16)
133. onion.set_address(value);
134. else if(!onion.has_scheme())
135. onion.set_scheme(value);
136. else
137. onion.set_port(value);
138. }
139.  
140. if (!onion.has_address())
141. return false;
142.  
143. MAPPER.map(onion.address(), onion);
144. xks::fire_fingerprint(prefix + onion.address());
145. return true;
146. }}
147. reducer<onion_t>: {{
148. for (values_t::const_iterator iter = VALUES.begin();
149. iter != VALUES.end();
150. ++iter) {
151. DB["tor_onion_survey"]["onion_address"] = iter->address() + ".onion";
152. if (iter->has_scheme())
153. DB["tor_onion_survey"]["onion_scheme"] = iter->scheme();
154. if (iter->has_port())
155. DB["tor_onion_survey"]["onion_port"] = iter->port();
156. DB["tor_onion_survey"]["onion_count"] = boost::lexical_cast<std::string>(TOTAL_VALUE_COUNT);
157. DB.apply();
158. DB.clear();
159. }
160. return true;
161. }});
162.  
163. /**
164. * Placeholder fingerprint for Tor hidden service addresses.
165. * Real fingerpritns will be fired by the plugins
166. * 'anonymizer/tor/plugin/onion/*'
167. */
168. fingerprint('anonymizer/tor/hiddenservice/address') = nil;
169. // END_DEFINITION
170.  
171.  
172. // START_DEFINITION
173. appid('anonymizer/mailer/mixminion', 3.0, viewer=$ascii_viewer) =
174. http_host('mixminion') or
175. ip('128.31.0.34');
176. // END_DEFINITION