Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 10:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Move auth method detection into script-land, to make it easier to change.

Browse source
This commit is contained in:
Vlad Grigorescu 2014-08-28 18:23:30 -04:00
parent 2698fcea8e
commit 0a50688afc
4 changed files with 24 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

23
src/analyzer/protocol/ssh/SSH.cc
View file

@ -68,7 +68,6 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
}
catch ( const binpac::Exception& e )
{
printf(" **** %s\n", e.c_msg());
ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
}
}
@ -92,19 +91,18 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
relative_len = len - initial_client_packet_size;
else
relative_len = len - initial_server_packet_size;
// printf("Encrypted packet of length %d from %s.\n", len, orig?"client":"server");
if ( num_encrypted_packets_seen >= 4 )
{
int auth_result = AuthResult(relative_len, orig);
if ( auth_result > 0 )
{
num_encrypted_packets_seen = 1;
//printf("Have auth\n");
StringVal* method = new StringVal(AuthMethod(relative_len, orig));
if ( auth_result == 1 )
BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), method);
BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
packet_n_1_size, packet_n_2_size);
if ( auth_result == 2 )
BifEvent::generate_ssh_auth_failed(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), method);
BifEvent::generate_ssh_auth_failed(interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
packet_n_1_size, packet_n_2_size);
}
}
if ( num_encrypted_packets_seen >= 2 )
@ -132,16 +130,3 @@ int SSH_Analyzer::AuthResult(int len, bool orig)
return -1;
}
const char* SSH_Analyzer::AuthMethod(int len, bool orig)
{
if ( packet_n_1_size == 96 ) // Password auth
return fmt("password (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
if ( packet_n_1_size == 32 && ( packet_n_2_size == 0 || packet_n_2_size == 48 ) ) // Challenge-response auth
return fmt("challenge-response (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
if ( packet_n_2_size >= 112 &&
packet_n_2_size <= 432 ) // Public key auth
return fmt("pubkey (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
if ( packet_n_2_size == 16 ) // Host-based auth
return fmt("host-based (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
return fmt("unknown (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
}

1
src/analyzer/protocol/ssh/SSH.h
View file

@ -44,7 +44,6 @@ protected:
void ProcessEncrypted(int len, bool orig);
int AuthResult(int len, bool orig);
const char* AuthMethod(int len, bool orig);
bool had_gap;

4
src/analyzer/protocol/ssh/events.bif
View file

@ -2,9 +2,9 @@ event ssh_server_version%(c: connection, version: string%);
event ssh_client_version%(c: connection, version: string%);
event ssh_auth_successful%(c: connection, method: string%);
event ssh_auth_successful%(c: connection, middle_packet_len: int, first_packet_len: int%);
event ssh_auth_failed%(c: connection, method: string%);
event ssh_auth_failed%(c: connection, middle_packet_len: int, first_packet_len: int%);
event ssh_server_capabilities%(c: connection, kex_algorithms: string, server_host_key_algorithms: string, encryption_algorithms_client_to_server: string, encryption_algorithms_server_to_client: string, mac_algorithms_client_to_server: string, mac_algorithms_server_to_client: string, compression_algorithms_client_to_server: string, compression_algorithms_server_to_client: string, languages_client_to_server: string, languages_server_to_client: string%);