// START_DEFINITION
/**
* Fingerprint Tor authoritative directories enacting the directory protocol.
*
* Fires only when the session already carries $tor_authority AND is also
* either tagged $tor_directory or has a previously assigned appid matching
* the regex /anonymizer\/tor\/directory/.
* NOTE(review): $tor_authority and $tor_directory are defined outside this
* file, and preappid() presumably tests an already-assigned appid against
* the regex - confirm both against the grammar reference before relying on
* this fingerprint's precision.
*/
fingerprint('anonymizer/tor/node/authority') = $tor_authority
and ($tor_directory or preappid(/anonymizer\/tor\/directory/));
// END_DEFINITION

// START_DEFINITION
/*
Global Variable for Tor foreign directory servers. Searching for potential Tor
clients connecting to the Tor foreign directory servers on ports 80 and 443.

The selector is simply "any of these five IPs" AND "port 80 or 443", so it
also selects any non-Tor HTTP(S) session to another service hosted on the
same address; it is a candidate signal, not confirmation of Tor use.
NOTE(review): the authority IP list is hard-coded (here and in
$tor_fvey_directory_ip); the Tor directory-authority set changes over time,
so both lists go silently stale unless revalidated.
*/

$tor_foreign_directory_ip = ip('193.23.244.244' or '194.109.206.212' or
'86.59.21.38' or '213.115.239.118' or '212.112.245.170') and port ('80' or
'443');
// END_DEFINITION

// START_DEFINITION
/*
this variable contains the 3 Tor directory servers hosted in FVEY countries.
Please do not update this variable with non-FVEY IPs. These are held in a
separate variable called $tor_foreign_directory_ip. Goal is to find potential
Tor clients connecting to the Tor directory servers.

Same shape as $tor_foreign_directory_ip: three hard-coded addresses AND
port 80 or 443. The FVEY / non-FVEY split is a policy partition of the
same authority list; the two variables are otherwise interchangeable.
NOTE(review): like the foreign list, these IPs must be revalidated against
the current Tor authority set, and IP+port alone also matches unrelated
traffic to other services on the same hosts.
*/
$tor_fvey_directory_ip = ip('128.31.0.39' or '216.224.124.114' or
'208.83.223.34') and port ('80' or '443');
// END_DEFINITION


// START_DEFINITION
requires grammar version 5
/**
* Identify clients accessing Tor bridge information.
*
* Fires on TLS sessions where either the server certificate subject or the
* TLS DNS name equals bridges.torproject.org. No port or IP constraint is
* applied; the match is purely on the TLS metadata.
* NOTE(review): ssl_dns_name presumably corresponds to the SNI and/or the
* certificate SAN field - confirm against the grammar reference.
*/
fingerprint('anonymizer/tor/bridge/tls') =
ssl_x509_subject('bridges.torproject.org') or
ssl_dns_name('bridges.torproject.org');

  41. /**
  42. * Database Tor bridge information extracted from confirmation emails.
  43. */
  44. fingerprint('anonymizer/tor/bridge/email') =
  45. email_address('bridges@torproject.org')
  46. and email_body('https://bridges.torproject.org/' : c++
  47. extractors: {{
  48. bridges[] = /bridge\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):?([0-9]{2,4}?[^0-9])/;
  49. }}
  50. init: {{
  51. xks::undefine_name("anonymizer/tor/torbridges/emailconfirmation");
  52. }}
  53. main: {{
  54. static const std::string SCHEMA_OLD = "tor_bridges";
  55. static const std::string SCHEMA_NEW = "tor_routers";
  56. static const std::string FLAGS = "Bridge";
  57. if (bridges) {
  58. for (size_t i=0; i < bridges.size(); ++i) {
  59. std::string address = bridges[i][0] + ":" + bridges[i][1];
  60. DB[SCHEMA_OLD]["tor_bridge"] = address;
  61. DB.apply();
  62. DB[SCHEMA_NEW]["tor_ip"] = bridges[i][0];
  63. DB[SCHEMA_NEW]["tor_port_or"] = bridges[i][1];
  64. DB[SCHEMA_NEW]["tor_flags"] = FLAGS;
  65. DB.apply();
  66. }
  67. xks::fire_fingerprint("anonymizer/tor/directory/bridge");
  68. }
  69. return true;
  70. }});
  71. // END_DEFINITION
  72.  
  73.  
// START_DEFINITION
/*
The fingerprint identifies sessions visiting the Tor Project website from
non-fvey countries.

Matches HTTP sessions whose Host is www.torproject.org and whose
X-Forwarded-For country code is none of US, GB, CA, AU, NZ.
NOTE(review): the fingerprint name contains a typo ('torpoject_visit');
it is left as-is because other rules may reference it by this exact name.
NOTE(review): xff_cc is presumably derived from the X-Forwarded-For header,
which is proxy/client supplied (spoofable) and absent on direct
connections; whether a missing value makes not(...) true - i.e. selects
the session - depends on the grammar's null semantics. Confirm.
NOTE(review): 'OR' is upper-case here while every other rule in this file
uses lower-case 'or'; confirm the grammar treats them identically.
*/
fingerprint('anonymizer/tor/torpoject_visit')=http_host('www.torproject.org')
and not(xff_cc('US' OR 'GB' OR 'CA' OR 'AU' OR 'NZ'));
// END_DEFINITION


// START_DEFINITION
/*
These variables define terms and websites relating to the TAILs (The Amnesic
Incognito Live System) software program, a comsec mechanism advocated by
extremists on extremist forums.

$TAILS_terms requires 'tails' (or the spelled-out name) together with at
least one of the listed context words; the space-padded forms (' USB ',
' CD ', ' IRC ', ' tor ') appear to be a crude whole-word match.
NOTE(review): the spelled-out term is written 'Amnesiac ...' while the
product name, as given in the comment above, is 'Amnesic ...'; as written
the term will not match the correct spelling - confirm whether intended.
NOTE(review): 'linuxjournal.com/content/linux*' is a wildcard over every
Linux Journal article path starting with "linux", not only the TAILS piece,
so $TAILS_websites is considerably broader than the comment suggests.
*/

$TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and word('linux'
or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt' or ' tor ');
$TAILS_websites=('tails.boum.org/') or ('linuxjournal.com/content/linux*');
// END_DEFINITION

// START_DEFINITION
/*
This fingerprint identifies users searching for the TAILs (The Amnesic
Incognito Live System) software program, viewing documents relating to TAILs,
or viewing websites that detail TAILs.

Fires on any one of: the documents/comsec/tails_doc fingerprint (defined
elsewhere), a web search matching $TAILS_terms, a URL matching
$TAILS_websites, or an HTML title matching $TAILS_websites.
NOTE(review): $TAILS_websites holds URL fragments; html_title() on it will
only fire when a page title literally contains such text, which may not be
what was intended. Its linuxjournal wildcard also makes this fingerprint
fire on unrelated Linux Journal articles.
*/
fingerprint('ct_mo/TAILS')=
fingerprint('documents/comsec/tails_doc') or web_search($TAILS_terms) or
url($TAILS_websites) or html_title($TAILS_websites);
// END_DEFINITION


// START_DEFINITION
requires grammar version 5
/**
* Aggregate Tor hidden service addresses seen in raw traffic.
*
* The immediate_keyword regex matches an optional "<scheme>://" prefix, a
* 16-character base32 ([a-z2-7]) label followed by ".onion", and an optional
* ":<port>" suffix. The mapper packs the captures into an onion_t keyed by
* the address; the reducer writes one tor_onion_survey row per aggregated
* value.
* NOTE(review): the regex is not anchored on the left, so a longer base32
* run immediately before ".onion" would presumably match on its last 16
* characters and yield a wrong address - confirm the engine's behaviour.
*/
mapreduce::plugin('anonymizer/tor/plugin/onion') =
immediate_keyword(/(?:([a-z]+):\/\/){0,1}([a-z2-7]{16})\.onion(?::(\d+)){0,1}/c : c++
includes: {{
#include <boost/lexical_cast.hpp>
}}
proto: {{
    // Aggregation record: address is the 16-char label without ".onion";
    // scheme and port are only populated when the regex captured them.
    message onion_t {
        required string address = 1;
        optional string scheme = 2;
        optional string port = 3;
    }
}}
mapper<onion_t>: {{
    static const std::string prefix = "anonymizer/tor/hiddenservice/address/";

    onion_t onion;
    // Captures are classified by length, not by group index: the value of
    // exactly 16 characters is taken as the address, the first other value
    // as the scheme, any later one as the port.
    // NOTE(review): this misfiles the port as 'scheme' whenever the scheme
    // group did not match (or, if unmatched groups are reported as empty
    // strings, sets scheme to ""), and a 16-letter scheme would be mistaken
    // for the address. Dispatching on the capture-group index would be
    // robust if cur_args()->matches preserves group positions - confirm.
    size_t matches = cur_args()->matches.size();
    for (size_t pos=0; pos < matches; ++pos) {
        const std::string &value = match(pos);
        if (value.size() == 16)
            onion.set_address(value);
        else if(!onion.has_scheme())
            onion.set_scheme(value);
        else
            onion.set_port(value);
    }

    // No 16-char capture means nothing usable was found; emit nothing.
    if (!onion.has_address())
        return false;

    // Key the aggregation by address and fire a per-address fingerprint
    // under the prefix above.
    MAPPER.map(onion.address(), onion);
    xks::fire_fingerprint(prefix + onion.address());
    return true;
}}
reducer<onion_t>: {{
    // One DB row per aggregated value; onion_count is presumably the total
    // number of values seen for this address and is repeated on every row.
    for (values_t::const_iterator iter = VALUES.begin();
         iter != VALUES.end();
         ++iter) {
        DB["tor_onion_survey"]["onion_address"] = iter->address() + ".onion";
        if (iter->has_scheme())
            DB["tor_onion_survey"]["onion_scheme"] = iter->scheme();
        if (iter->has_port())
            DB["tor_onion_survey"]["onion_port"] = iter->port();
        DB["tor_onion_survey"]["onion_count"] = boost::lexical_cast<std::string>(TOTAL_VALUE_COUNT);
        DB.apply();
        DB.clear();
    }
    return true;
}});

/**
* Placeholder fingerprint for Tor hidden service addresses.
* Real fingerprints will be fired by the plugins
* 'anonymizer/tor/plugin/onion/*'
*
* Defined as nil so the name exists in the fingerprint namespace; it never
* matches on its own. The per-address fingerprints actually fired by the
* plugin above take the form anonymizer/tor/hiddenservice/address/<label>.
*/
fingerprint('anonymizer/tor/hiddenservice/address') = nil;
// END_DEFINITION


// START_DEFINITION
/*
Application id for the Mixminion anonymous remailer: fires on an HTTP Host
matching 'mixminion' or on any traffic to the single hard-coded IP
128.31.0.34.
NOTE(review): the 3.0 argument and viewer=$ascii_viewer are presumably a
confidence/priority value and the display viewer - confirm against the
grammar reference. Whether http_host() is an exact or substring match is
not visible here. The hard-coded IP has no port constraint and will go
stale if the host is renumbered or repurposed.
*/
appid('anonymizer/mailer/mixminion', 3.0, viewer=$ascii_viewer) =
http_host('mixminion') or
ip('128.31.0.34');
// END_DEFINITION