Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 11:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'origin/topic/vladg/ssh-log-fix'

Browse source 
* origin/topic/vladg/ssh-log-fix:
  Remove resp_size from the log. Refactor when we write out to the log a bit. Geodata now works reliably.
  Fix resp_size in ssh.log, require a minimum resp_size for the heuristic. Some work on geodata, but still a WIP.
This commit is contained in:
Seth Hall 2013-11-06 14:39:50 -05:00
commit 0a1ee9af1b
4 changed files with 44 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

9
CHANGES
View file

@ -1,4 +1,13 @@
2.2-beta-194 | 2013-11-06 14:39:50 -0500
* Remove resp_size from the ssh log. Refactor when we write out to the log a bit. Geodata now works reliably. (Vlad Grigorescu)
* Update VirusTotal URL to work with changes to their website and changed it to a redef. (Vlad Grigorescu)
* Added a document for the SumStats framework. (Seth Hall)
2.2-beta-184 | 2013-11-03 22:53:42 -0800 2.2-beta-184 | 2013-11-03 22:53:42 -0800
* Remove swig-ruby from required packages section of install doc. * Remove swig-ruby from required packages section of install doc.

2
VERSION
View file

@ -1 +1 @@
2.2-beta-184 2.2-beta-194

32
scripts/base/protocols/ssh/main.bro
View file

@ -37,12 +37,6 @@ export {
client: string &log &optional; client: string &log &optional;
## Software string from the server. ## Software string from the server.
server: string &log &optional; server: string &log &optional;
## Amount of data returned from the server. This is currently
## the only measure of the success heuristic and it is logged to
## assist analysts looking at the logs to make their own
## determination about the success on a case-by-case basis.
resp_size: count &log &default=0;
## Indicate if the SSH session is done being watched. ## Indicate if the SSH session is done being watched.
done: bool &default=F; done: bool &default=F;
}; };
@ -107,10 +101,10 @@ function check_ssh_connection(c: connection, done: bool)
# this matches the conditions for a failed login. Failed # this matches the conditions for a failed login. Failed
# logins are only detected at connection state removal. # logins are only detected at connection state removal.
if ( # Require originators to have sent at least 50 bytes. if ( # Require originators and responders to have sent at least 50 bytes.
c$orig$size > 50 && c$orig$size > 50 && c$resp$size > 50 &&
# Responders must be below 4000 bytes. # Responders must be below 4000 bytes.
c$resp$size < 4000 && c$resp$size < authentication_data_size &&
# Responder must have sent fewer than 40 packets. # Responder must have sent fewer than 40 packets.
c$resp$num_pkts < 40 && c$resp$num_pkts < 40 &&
# If there was a content gap we can't reliably do this heuristic. # If there was a content gap we can't reliably do this heuristic.
@ -122,7 +116,7 @@ function check_ssh_connection(c: connection, done: bool)
event SSH::heuristic_failed_login(c); event SSH::heuristic_failed_login(c);
} }
if ( c$resp$size > authentication_data_size ) if ( c$resp$size >= authentication_data_size )
{ {
c$ssh$status = "success"; c$ssh$status = "success";
event SSH::heuristic_successful_login(c); event SSH::heuristic_successful_login(c);
@ -132,7 +126,7 @@ function check_ssh_connection(c: connection, done: bool)
{ {
# If this connection is still being tracked, then it's possible # If this connection is still being tracked, then it's possible
# to watch for it to be a successful connection. # to watch for it to be a successful connection.
if ( c$resp$size > authentication_data_size ) if ( c$resp$size >= authentication_data_size )
{ {
c$ssh$status = "success"; c$ssh$status = "success";
event SSH::heuristic_successful_login(c); event SSH::heuristic_successful_login(c);
@ -150,8 +144,6 @@ function check_ssh_connection(c: connection, done: bool)
# after detection is done. # after detection is done.
c$ssh$done=T; c$ssh$done=T;
Log::write(SSH::LOG, c$ssh);
if ( skip_processing_after_detection ) if ( skip_processing_after_detection )
{ {
# Stop watching this connection, we don't care about it anymore. # Stop watching this connection, we don't care about it anymore.
@ -161,10 +153,24 @@ function check_ssh_connection(c: connection, done: bool)
} }
event heuristic_successful_login(c: connection) &priority=-5
{
Log::write(SSH::LOG, c$ssh);
}
event heuristic_failed_login(c: connection) &priority=-5
{
Log::write(SSH::LOG, c$ssh);
}
event connection_state_remove(c: connection) &priority=-5 event connection_state_remove(c: connection) &priority=-5
{ {
if ( c?$ssh ) if ( c?$ssh )
{
check_ssh_connection(c, T); check_ssh_connection(c, T);
if ( c$ssh$status == "undetermined" )
Log::write(SSH::LOG, c$ssh);
}
} }
event ssh_watcher(c: connection) event ssh_watcher(c: connection)

22
scripts/policy/protocols/ssh/geo-data.bro
View file

@ -24,21 +24,29 @@ export {
const watched_countries: set[string] = {"RO"} &redef; const watched_countries: set[string] = {"RO"} &redef;
} }
function get_location(c: connection): geo_location
{
local lookup_ip = (c$ssh$direction == OUTBOUND) ? c$id$resp_h : c$id$orig_h;
return lookup_location(lookup_ip);
}
event SSH::heuristic_successful_login(c: connection) &priority=5 event SSH::heuristic_successful_login(c: connection) &priority=5
{ {
local location: geo_location;
location = (c$ssh$direction == OUTBOUND) ?
lookup_location(c$id$resp_h) : lookup_location(c$id$orig_h);
# Add the location data to the SSH record. # Add the location data to the SSH record.
c$ssh$remote_location = location; c$ssh$remote_location = get_location(c);
if ( location?$country_code && location$country_code in watched_countries ) if ( c$ssh$remote_location?$country_code && c$ssh$remote_location$country_code in watched_countries )
{ {
NOTICE([$note=Watched_Country_Login, NOTICE([$note=Watched_Country_Login,
$conn=c, $conn=c,
$msg=fmt("SSH login %s watched country: %s", $msg=fmt("SSH login %s watched country: %s",
(c$ssh$direction == OUTBOUND) ? "to" : "from", (c$ssh$direction == OUTBOUND) ? "to" : "from",
location$country_code)]); c$ssh$remote_location$country_code)]);
} }
} }
event SSH::heuristic_failed_login(c: connection) &priority=5
{
# Add the location data to the SSH record.
c$ssh$remote_location = get_location(c);
}