├── LICENSE
├── README.md
├── scripts
    ├── __load__.zeek
    └── zoom.zeek
└── zkg.meta


/LICENSE:
--------------------------------------------------------------------------------
 1 | BSD 3-Clause License
 2 | 
 3 | Copyright (c) 2020, benjeems
 4 | All rights reserved.
 5 | 
 6 | Redistribution and use in source and binary forms, with or without
 7 | modification, are permitted provided that the following conditions are met:
 8 | 
 9 | 1. Redistributions of source code must retain the above copyright notice, this
10 |    list of conditions and the following disclaimer.
11 | 
12 | 2. Redistributions in binary form must reproduce the above copyright notice,
13 |    this list of conditions and the following disclaimer in the documentation
14 |    and/or other materials provided with the distribution.
15 | 
16 | 3. Neither the name of the copyright holder nor the names of its
17 |    contributors may be used to endorse or promote products derived from
18 |    this software without specific prior written permission.
19 | 
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Got Zoom ?
 2 | - Raises a notice when the Zoom client initially connects. The name of the server included in the notice indicates the authentication method - being Facebook, Google, SSO, or Zoom itself. 
 3 | - Raises a separate notice when the Zoom client joins a meeting. Only the name of the first meeting server connected to is included in the notice - there may be several meeting servers, each used for different purposes but all associated with the same meeting.
 4 | 
 5 | ## Background 
 6 | See [https://zeek.org/2020/04/14/got-zoom/](https://zeek.org/2020/04/14/got-zoom/)  
 7 | 
 8 | ## Requires   
 9 | JA3 and JA3S. Errors will occur if you don't have JA3 loaded *prior* to got_zoom.  Get JA3 [here](https://github.com/salesforce/ja3 "JA3"). 
10 |   
11 | ## Logic at a glance      
12 |   
13 | **Client Login:**   
14 | *   JA3 of Zoom client AND  
15 | *   JA3S of Zoom Login Servers AND  
16 | *   Zoom server_name AND  
17 | *   Zoom certificate  
18 | 
19 | **Meeting Join**  
20 | *   JA3S of Zoom Meeting Server AND  
21 | *   Zoom server_name AND  
22 | *   Zoom certificate  
23 | 
24 | ## Usage
25 | ### Stand alone mode:  
26 | Make sure you have JA3 loaded prior got_zoom being loaded, you can do this by editing the commented out line in `scripts/__load__.zeek` to point to your local copy of the JA3 files. 
27 | 
28 | You can then use got_zoom on your pcap:  
29 | ```zeek -Cr your.pcap scripts/__load__.zeek```
30 | 
31 | ### As a package: 
32 | To install the package.  
33 | ```zkg install .```  
34 | Once again, you must ensure that JA3 is loaded prior to the got_zoom load.  
35 | 
36 | 
37 | ## Tested against
38 | - Zoom 4.6.10 (20041.0408) on OSX 10.15.3 
39 | - zeek version 3.2.0-dev.277
40 | 
41 | ## Output notice.log
42 | 
43 | ### Connection.  
44 | In this example the Zoom client is authenticated with Facebook, indicated by a server_name of facebook.zoom.us.  
45 |   
46 | `
47 | 1586823459.142204       ChMw6p3tKAfiyHngs3      192.168.13.37   57426   52.202.62.237   443     -       -       -       tcp     zoom_TLS::LoggedIn      Zoom Client connected to facebook.zoom.us. Only the first connection generates this notice (there may be numerous connections)  -       192.168.13.37    52.202.62.237   443     -       -       Notice::ACTION_LOG      3600.000000     -       -       -       -       -
48 | `
49 | 
50 | 
51 | ### Meeting traffic. 
52 | In this example, the first meeting server connected to is zoomca54150137226zc.zoom.us. There may be many other meeting servers associated with the same meeting which bear similar names.   
53 |   
54 | `1586498392.012030       CfIPEz2Aj3WAM2g072      192.168.13.37    63350   54.190.137.246  443     -       -       -       tcp     zoom_TLS::MeetingJoined    Zoom Meeting traffic via a connection to zoomca54150137226zc.zoom.us. Only the first server connection generates this notice. There are often numerous such connections for a single Zoom meeting       -       192.168.13.37    54.190.137.246  443     -       -       Notice::ACTION_LOG      3600.000000     -       -       -       -       -`
55 | 
56 | 
57 | 
58 | 
59 | 


--------------------------------------------------------------------------------
/scripts/__load__.zeek:
--------------------------------------------------------------------------------
1 | # Load JA3 here if you need to in stand alone mode.
2 | # Change the path to where JA3 lives in your system
3 | # @load /<path_where_ja3_lives>/ja3/zeek/__load__.zeek
4 | @load packages/ja3
5 | @load ./zoom
6 | 


--------------------------------------------------------------------------------
/scripts/zoom.zeek:
--------------------------------------------------------------------------------
 1 | module zoom_TLS; 
 2 |     # This script raises a notice for when:
 3 |     #   1) Traffic generated when a Zoom client connects
 4 |     #   2) Traffic generated when a meeting is joined
 5 |     # Tested against Zoom Version: 4.6.10 (20041.0408) ; zeek version 3.2.0-dev.277
 6 |      
 7 | export {
 8 |     global zoom_JA3_client_connect: set[string] = set(
 9 |         "fdf59db13f79da45024018dabda7080d",
10 |         "c51de225944b7d58d48c0f99f86ba8e6"
11 |         );
12 |     global zoom_JA3S_client_connect: set[string] = set(
13 |         "c47ac3dc74b5ef88f4e96e184c552098",
14 |         "367b681f4d7aa89f8609c6fe7d1fa774",
15 |         "7c9a36ef25ae55e481acdf7c96c1ca15",
16 |         "0b8e478e42c89eaa602e5a29af6f639a",
17 |         "f6e234011390444c303f74d09d87322d"
18 |         );
19 |     # Commented out but left here for reference if required later.
20 |     # global zoom_JA3_in_meeting: set[string] = set(
21 |     #     "8e6eceee7fcf02fec8fd6cbfcb9c4de9"
22 |     #     );
23 |     global zoom_JA3S_in_meeting: set[string] = set(
24 |         "ada793d0f02b028a6c840504edccb652"
25 |         );
26 | 
27 |     redef enum Notice::Type += {
28 |         LoggedIn,
29 |         MeetingJoined
30 |     };
31 | }
32 | 
33 | event ssl_established(c:connection)
34 |     {
35 |     local notice_message: string = "";
36 | 
37 |     if (c$ssl$ja3 in zoom_JA3_client_connect && c$ssl$ja3s in zoom_JA3S_client_connect &&
38 |             /\.zoom\.us$/ in c$ssl$server_name &&
39 |             /^CN\=\*\.zoom\./ in c$ssl$cert_chain[0]$x509$certificate$subject) 
40 |         {
41 |         # print "You Got Zoom Client running";
42 |         notice_message = fmt("Zoom Client connected to %s. Only the first connection generates this notice (there may be numerous connections)", c$ssl$server_name);
43 |         NOTICE([$note=LoggedIn,
44 |                 $conn=c, 
45 |                 $identifier=cat(c$id$orig_h),
46 |                 $sub=c$ssl$server_name,
47 |                 $msg=notice_message]);
48 |         return;
49 |         }
50 |     # Note that the JA3 (stored for reference in set zoom_JA3_in_meeting), is not used here. 
51 |     # This should make for more resilience to variations in client flavours.
52 |     if (c$ssl$ja3s in zoom_JA3S_in_meeting &&
53 |             /\.zoom\.us$/ in c$ssl$server_name &&
54 |             /^CN\=\*\.zoom\./ in c$ssl$cert_chain[0]$x509$certificate$subject) 
55 |         {
56 |         # print "You Got a Zoom Video/Audio session";
57 |         notice_message = fmt("Zoom Meeting traffic to %s. Only the first meeting connection generates this notice (there are often numerous such connections for a single Zoom meeting)", c$ssl$server_name);
58 |         NOTICE([$note=MeetingJoined,
59 |                     $conn=c, 
60 |                     $identifier=cat(c$id$orig_h),
61 |                     $sub=c$ssl$server_name,
62 |                     $msg=notice_message]);
63 |         }
64 |     }
65 | 


--------------------------------------------------------------------------------
/zkg.meta:
--------------------------------------------------------------------------------
1 | [package]
2 | description = Detect Zoom traffic
3 | tags = TLS, SSL, JA3, Video conferencing, Video, Videoconferencing, Remote working, Zoom
4 | version = 0.1
5 | script_dir = scripts
6 | depends =
7 |     bro >=2.5.5
8 |     ja3 *
9 | 


--------------------------------------------------------------------------------