
XKeyscore - Source Code.

a guest
Jul 5th, 2014
  1. ___________ __ _______ _________ _____
  2. \_ _____/ __ __ ____ | | __ \ \ / _____/ / _ \
  3. | __) | | \_/ ___\ | |/ / / | \ \_____ \ / /_\ \
  4. | \ | | /\ \___ | < / | \ / \/ | \
  5. \___ / |____/ \___ >|__|_ \\____|__ //_______ /\____|__ /
  6. \/ \/ \/ \/ \/ \/
  7.  
  8. ___________ __ ____ ___ __
  9. \_ _____/ __ __ ____ | | __\ \/ /| | __ ____ ___.__. ______ ____ ____ _______ ____
  10. | __) | | \_/ ___\ | |/ / \ / | |/ /_/ __ \ < | | / ___/_/ ___\ / _ \ \_ __ \_/ __ \
  11. | \ | | /\ \___ | < / \ | < \ ___/ \___ | \___ \ \ \___ ( <_> ) | | \/\ ___/
  12. \___ / |____/ \___ >|__|_ \/___/\ \|__|_ \ \___ > / ____|/____ > \___ > \____/ |__| \___ >
  13. \/ \/ \/ \_/ \/ \/ \/ \/ \/ \/
  14.  
  15. _________ _________ .___
  16. / _____/ ____ __ __ _______ ____ ____ \_ ___ \ ____ __| _/ ____
  17. \_____ \ / _ \ | | \\_ __ \_/ ___\ _/ __ \ / \ \/ / _ \ / __ | _/ __ \
  18. / \( <_> )| | / | | \/\ \___ \ ___/ \ \____( <_> )/ /_/ | \ ___/
  19. /_______ / \____/ |____/ |__| \___ > \___ > \______ / \____/ \____ | \___ >
  20. \/ \/ \/ \/ \/ \/
  21.  
  22.  
  23. #############################################################################
  24. #############################################################################
  25.  
  26. // START_DEFINITION
  27. /*
  28. The fingerprint identifies sessions visiting the Tor Project website from
  29. non-fvey countries.
  30. */
      // NOTE(review): the rule is the conjunction of two tests: the HTTP host
      // equals 'www.torproject.org', and xff_cc() is none of the five listed
      // country codes. Nothing in this definition inspects Tor traffic itself,
      // so it describes visits to the project website, not use of the network.
      // What xff_cc() derives its country code from is not shown here (the name
      // suggests an X-Forwarded-For header; confirm).
      // The identifier spelling 'torpoject_visit' is as it appears in the source.
  31. fingerprint('anonymizer/tor/torpoject_visit')=http_host('www.torproject.org')
  32. and not(xff_cc('US' OR 'GB' OR 'CA' OR 'AU' OR 'NZ'));
  33. // END_DEFINITION
  34.  
  35.  
  36. // START_DEFINITION
  37. /*
  38. These variables define terms and websites relating to the TAILs (The Amnesic
  39. Incognito Live System) software program, a comsec mechanism advocated by
  40. extremists on extremist forums.
  41. */
  42.  
      // NOTE(review): $TAILS_terms joins two word() groups with `and`, so one
      // term from each group must be present. The space-padded literals
      // (' USB ', ' tor ', ...) presumably force whole-word matches; word()
      // semantics are not shown here.
      // The first group spells the name 'Amnesiac Incognito Live System', which
      // differs from 'Amnesic' in the comment above; the literal is left as in
      // the source.
      // $TAILS_websites holds two URL patterns: the project site, and a wildcard
      // over linuxjournal.com/content/ paths beginning with 'linux'. The second
      // pattern is not specific to Tails content.
  43. $TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and word('linux'
  44. or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt' or ' tor ');
  45. $TAILS_websites=('tails.boum.org/') or ('linuxjournal.com/content/linux*');
  46. // END_DEFINITION
  47.  
  48. // START_DEFINITION
  49. /*
  50. This fingerprint identifies users searching for the TAILs (The Amnesic
  51. Incognito Live System) software program, viewing documents relating to TAILs,
  52. or viewing websites that detail TAILs.
  53. */
      // The fingerprint is an OR of four conditions: another fingerprint
      // ('documents/comsec/tails_doc', not defined in this listing), a web
      // search matching $TAILS_terms, a URL matching $TAILS_websites, and an
      // HTML title matching $TAILS_websites.
      // NOTE(review): html_title() is given the URL patterns ($TAILS_websites)
      // rather than the search terms ($TAILS_terms). Whether that is intended
      // cannot be told from this listing; confirm.
  54. fingerprint('ct_mo/TAILS')=
  55. fingerprint('documents/comsec/tails_doc') or web_search($TAILS_terms) or
  56. url($TAILS_websites) or html_title($TAILS_websites);
  57. // END_DEFINITION
  58.  
  59.  
  60. // START_DEFINITION
  61. requires grammar version 5
  62. /**
  63. * Aggregate Tor hidden service addresses seen in raw traffic.
  64. */
      // The pattern below has three capture groups: an optional lower-case
      // scheme before "://", a 16-character label over a-z and 2-7 followed by
      // ".onion", and an optional numeric port after ":".
      // NOTE(review): the pattern is not anchored on its left, so a longer
      // label ending in ".onion" would presumably match on its final 16
      // characters. That depends on immediate_keyword() semantics, which are
      // not shown here.
      // Because the match is on the address text itself, any address written
      // out in the scanned content is a candidate, whatever the surrounding
      // protocol.
  65. mapreduce::plugin('anonymizer/tor/plugin/onion') =
  66. immediate_keyword(/(?:([a-z]+):\/\/){0,1}([a-z2-7]{16})\.onion(?::(\d+)){0,1}/c : c++
  67. includes: {{
  68. #include <boost/lexical_cast.hpp>
  69. }}
  70. proto: {{
      // Record emitted per match: address is mandatory, scheme and port are
      // optional; all three are carried as strings.
  71. message onion_t {
  72. required string address = 1;
  73. optional string scheme = 2;
  74. optional string port = 3;
  75. }
  76. }}
  77. mapper<onion_t>: {{
      // Name prefix for the per-address fingerprint fired at the end of the mapper.
  78. static const std::string prefix = "anonymizer/tor/hiddenservice/address/";
  79.  
  80. onion_t onion;
  81. size_t matches = cur_args()->matches.size();
      // Captures are told apart by length and arrival order, not by group
      // index: a 16-character value becomes the address, the first other value
      // becomes the scheme, and any later one becomes the port.
      // NOTE(review): any capture that happens to be 16 characters long (a
      // scheme or a port included) is stored as the address, and if match()
      // omits groups that did not participate, a port with no scheme would be
      // stored as the scheme. Confirm how cur_args()->matches is populated.
  82. for (size_t pos=0; pos < matches; ++pos) {
  83. const std::string &value = match(pos);
  84. if (value.size() == 16)
  85. onion.set_address(value);
  86. else if(!onion.has_scheme())
  87. onion.set_scheme(value);
  88. else
  89. onion.set_port(value);
  90. }
  91.  
      // No 16-character capture was seen: emit nothing for this match.
  92. if (!onion.has_address())
  93. return false;
  94.  
      // The record is keyed by the bare address (without the ".onion" suffix),
      // and a fingerprint named prefix + address is fired for it.
  95. MAPPER.map(onion.address(), onion);
  96. xks::fire_fingerprint(prefix + onion.address());
  97. return true;
  98. }}
  99. reducer<onion_t>: {{
      // Writes one "tor_onion_survey" row per value: each pass fills the
      // fields, calls DB.apply(), then DB.clear() (presumably so that optional
      // fields from one value do not carry over into the next row).
      // onion_count is TOTAL_VALUE_COUNT rendered as text; it is not derived
      // from the individual value (iter).
  100. for (values_t::const_iterator iter = VALUES.begin();
  101. iter != VALUES.end();
  102. ++iter) {
  103. DB["tor_onion_survey"]["onion_address"] = iter->address() + ".onion";
  104. if (iter->has_scheme())
  105. DB["tor_onion_survey"]["onion_scheme"] = iter->scheme();
  106. if (iter->has_port())
  107. DB["tor_onion_survey"]["onion_port"] = iter->port();
  108. DB["tor_onion_survey"]["onion_count"] = boost::lexical_cast<std::string>(TOTAL_VALUE_COUNT);
  109. DB.apply();
  110. DB.clear();
  111. }
  112. return true;
  113. }});
  114.  
  115. /**
  116. * Placeholder fingerprint for Tor hidden service addresses.
  117. * Real fingerprints will be fired by the plugins
  118. * 'anonymizer/tor/plugin/onion/*'
  119. */
      // Defined as nil, i.e. with no match condition of its own. The mapper in
      // this definition fires names of the form
      // 'anonymizer/tor/hiddenservice/address/' followed by the address.
  120. fingerprint('anonymizer/tor/hiddenservice/address') = nil;
  121. // END_DEFINITION
  122.  
  123.  
  124. // START_DEFINITION
      // NOTE(review): two alternative selectors, an HTTP host value
      // 'mixminion' and one hard-coded IPv4 address. Whether http_host()
      // matches exactly or by substring is not shown here, and neither is the
      // meaning of the 3.0 and viewer arguments. A literal address is only
      // accurate while the service stays on that host.
  125. appid('anonymizer/mailer/mixminion', 3.0, viewer=$ascii_viewer) =
  126. http_host('mixminion') or
  127. ip('128.31.0.34');
  128. // END_DEFINITION
  129.  
  130. #############################################################################
  131. #############################################################################