GH-1119: add base/protcols/conn/removal-hooks.zeek

This adds two new functions: `Conn::register_removal_hook()` and
`Conn::unregister_removal_hook()` for registering a hook function to be
called back during `connection_state_remove`.  The benefit of using a
hook-callback approach is better scalability: the overhead of unrelated
protocols having to dispatch no-op `connection_state_remove` handlers is
avoided.
Jon Siwek 2020-09-10 21:19:14 -07:00
parent 49e2047da0
commit 05cf511f18
31 changed files with 659 additions and 386 deletions


@ -1,6 +1,7 @@
##! Implements base functionality for SSH analysis. Generates the ssh.log file.
@load base/utils/directions-and-hosts
@load base/protocols/conn/removal-hooks
module SSH;
@ -60,6 +61,9 @@ export {
## Event that can be handled to access the SSH record as it is sent on
## to the logging framework.
global log_ssh: event(rec: Info);
## SSH finalization hook. Remaining SSH info may get logged when it's called.
global finalize_ssh: Conn::RemovalHook;
}
module GLOBAL;
@ -155,6 +159,7 @@ function set_session(c: connection)
if ( Site::is_local_addr(c$id$orig_h) != Site::is_local_addr(c$id$resp_h) )
info$direction = Site::is_local_addr(c$id$orig_h) ? OUTBOUND: INBOUND;
c$ssh = info;
Conn::register_removal_hook(c, finalize_ssh);
}
}
@ -247,26 +252,29 @@ event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities
server_caps$server_host_key_algorithms);
}
event connection_state_remove(c: connection)
hook finalize_ssh(c: connection)
{
if ( c?$ssh && !c$ssh$logged )
{
# Do we have enough information to make a determination about auth success?
if ( c$ssh?$client && c$ssh?$server && c$ssh?$auth_success )
{
# Successes get logged immediately. To protect against a race condition, we'll double check:
if ( c$ssh$auth_success )
return;
if ( ! c?$ssh )
return;
# Now that we know it's a failure, we'll raise the event.
event ssh_auth_failed(c);
}
# If not, we'll just log what we have
else
{
c$ssh$logged = T;
Log::write(SSH::LOG, c$ssh);
}
if ( c$ssh$logged )
return;
# Do we have enough information to make a determination about auth success?
if ( c$ssh?$client && c$ssh?$server && c$ssh?$auth_success )
{
# Successes get logged immediately. To protect against a race condition, we'll double check:
if ( c$ssh$auth_success )
return;
# Now that we know it's a failure, we'll raise the event.
event ssh_auth_failed(c);
}
# If not, we'll just log what we have
else
{
c$ssh$logged = T;
Log::write(SSH::LOG, c$ssh);
}
}