Merge remote-tracking branch 'origin/topic/vladg/ssh-log-fix'

* origin/topic/vladg/ssh-log-fix: Remove resp_size from the log. Refactor when we write out to the log a bit. Geodata now works reliably. Fix resp_size in ssh.log, require a minimum resp_size for the heuristic. Some work on geodata, but still a WIP.
2025-10-11 19:18:19 +00:00 · 2013-11-06 14:39:50 -05:00 · 2013-11-06 14:39:50 -05:00 · 0a1ee9af1b
commit 0a1ee9af1b
parent ef33696d2e d108481e73
4 changed files with 44 additions and 21 deletions
--- a/9
+++ b/9
@ -1,4 +1,13 @@

+2.2-beta-194 | 2013-11-06 14:39:50 -0500
+
+  * Remove resp_size from the ssh log. Refactor when we write out to the log a bit. Geodata now works reliably. (Vlad Grigorescu)
+
+  * Update VirusTotal URL to work with changes to their website and changed it to a redef. (Vlad Grigorescu)
+
+  * Added a document for the SumStats framework. (Seth Hall)
+
+
 2.2-beta-184 | 2013-11-03 22:53:42 -0800

  * Remove swig-ruby from required packages section of install doc.
--- a/2
+++ b/2
@ -1 +1 @@
-2.2-beta-184
+2.2-beta-194
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@ -37,12 +37,6 @@ export {
 		client:          string       &log &optional;
 		## Software string from the server.
 		server:          string       &log &optional;
-		## Amount of data returned from the server. This is currently
-		## the only measure of the success heuristic and it is logged to
-		## assist analysts looking at the logs to make their own
-		## determination about the success on a case-by-case basis.
-		resp_size:       count        &log &default=0;
-
 		## Indicate if the SSH session is done being watched.
 		done:            bool         &default=F;
 	};
@ -107,10 +101,10 @@ function check_ssh_connection(c: connection, done: bool)
 		# this matches the conditions for a failed login.  Failed
 		# logins are only detected at connection state removal.

-		if ( # Require originators to have sent at least 50 bytes.
-		     c$orig$size > 50 &&
+		if ( # Require originators and responders to have sent at least 50 bytes.
+		     c$orig$size > 50 && c$resp$size > 50 &&
 		     # Responders must be below 4000 bytes.
-		     c$resp$size < 4000 &&
+		     c$resp$size < authentication_data_size &&
 		     # Responder must have sent fewer than 40 packets.
 		     c$resp$num_pkts < 40 &&
 		     # If there was a content gap we can't reliably do this heuristic.
@ -122,7 +116,7 @@ function check_ssh_connection(c: connection, done: bool)
 			event SSH::heuristic_failed_login(c);
 			}

-		if ( c$resp$size > authentication_data_size )
+		if ( c$resp$size >= authentication_data_size )
 			{
 			c$ssh$status = "success";
 			event SSH::heuristic_successful_login(c);
@ -132,7 +126,7 @@ function check_ssh_connection(c: connection, done: bool)
 		{
 		# If this connection is still being tracked, then it's possible
 		# to watch for it to be a successful connection.
-		if ( c$resp$size > authentication_data_size )
+		if ( c$resp$size >= authentication_data_size )
 			{
 			c$ssh$status = "success";
 			event SSH::heuristic_successful_login(c);
@ -150,8 +144,6 @@ function check_ssh_connection(c: connection, done: bool)
 	# after detection is done.
 	c$ssh$done=T;

-	Log::write(SSH::LOG, c$ssh);
-
 	if ( skip_processing_after_detection )
 		{
 		# Stop watching this connection, we don't care about it anymore.
@ -161,10 +153,24 @@ function check_ssh_connection(c: connection, done: bool)
 	}


+event heuristic_successful_login(c: connection) &priority=-5
+	{
+	Log::write(SSH::LOG, c$ssh);
+	}
+
+event heuristic_failed_login(c: connection) &priority=-5
+	{
+	Log::write(SSH::LOG, c$ssh);
+	}
+
 event connection_state_remove(c: connection) &priority=-5
 	{
 	if ( c?$ssh )
+		{
 		check_ssh_connection(c, T);
+		if ( c$ssh$status == "undetermined" )
+			Log::write(SSH::LOG, c$ssh);
+		}
 	}

 event ssh_watcher(c: connection)
--- a/scripts/policy/protocols/ssh/geo-data.bro
+++ b/scripts/policy/protocols/ssh/geo-data.bro
@ -24,21 +24,29 @@ export {
 	const watched_countries: set[string] = {"RO"} &redef;
 }

+function get_location(c: connection): geo_location
+	{
+	local lookup_ip = (c$ssh$direction == OUTBOUND) ? c$id$resp_h : c$id$orig_h;
+	return lookup_location(lookup_ip);
+	}
+
 event SSH::heuristic_successful_login(c: connection) &priority=5
 	{
-	local location: geo_location;
-	location = (c$ssh$direction == OUTBOUND) ? 
-		lookup_location(c$id$resp_h) : lookup_location(c$id$orig_h);
-	
 	# Add the location data to the SSH record.
-	c$ssh$remote_location = location;
+	c$ssh$remote_location = get_location(c);
 	
-	if ( location?$country_code && location$country_code in watched_countries )
+	if ( c$ssh$remote_location?$country_code && c$ssh$remote_location$country_code in watched_countries )
 		{
 		NOTICE([$note=Watched_Country_Login,
 		        $conn=c,
 		        $msg=fmt("SSH login %s watched country: %s", 
 		                 (c$ssh$direction == OUTBOUND) ? "to" : "from", 
-		                 location$country_code)]);
+		                 c$ssh$remote_location$country_code)]);
 		}
 	}
+
+event SSH::heuristic_failed_login(c: connection) &priority=5
+	{
+	# Add the location data to the SSH record.
+	c$ssh$remote_location = get_location(c);
+	}