Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-07 09:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Move auth method detection into script-land, to make it easier to change.

Browse source
This commit is contained in:
Vlad Grigorescu 2014-08-28 18:23:30 -04:00
parent 2698fcea8e
commit 0a50688afc
4 changed files with 24 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

24
scripts/base/protocols/ssh/main.bro
View file

@ -22,7 +22,7 @@ export {
host_key: string &log &optional; host_key: string &log &optional;
## Auth result ## Auth result
result: string &log &optional; result: string &log &optional;
## Auth method ## Auth method (password, pubkey, etc.)
method: string &log &optional; method: string &log &optional;
}; };
@ -70,21 +70,34 @@ event ssh_client_version(c: connection, version: string)
c$ssh$client = version; c$ssh$client = version;
} }
event ssh_auth_successful(c: connection, method: string) function determine_auth_method(middle_pkt_len: int, first_pkt_len: int): string
{
if ( middle_pkt_len == 96 )
return "password";
if ( ( middle_pkt_len == 32 ) && ( first_pkt_len == 0 || first_pkt_len == 48 ) )
return "challenge-response";
if ( ( first_pkt_len >= 112 ) && ( first_pkt_len <= 432 ) )
return "pubkey";
if ( first_pkt_len == 16 )
return "host-based";
return fmt("unknown (mid=%d, first=%d)", middle_pkt_len, first_pkt_len);
}
event ssh_auth_successful(c: connection, middle_pkt_len: int, first_pkt_len: int)
{ {
if ( !c?$ssh || ( c$ssh?$result && c$ssh$result == "success" ) ) if ( !c?$ssh || ( c$ssh?$result && c$ssh$result == "success" ) )
return; return;
c$ssh$result = "success"; c$ssh$result = "success";
c$ssh$method = method; c$ssh$method = determine_auth_method(middle_pkt_len, first_pkt_len);
Log::write(SSH::LOG, c$ssh); Log::write(SSH::LOG, c$ssh);
} }
event ssh_auth_failed(c: connection, method: string) event ssh_auth_failed(c: connection, middle_pkt_len: int, first_pkt_len: int)
{ {
if ( !c?$ssh || ( c$ssh?$result && c$ssh$result == "success" ) ) if ( !c?$ssh || ( c$ssh?$result && c$ssh$result == "success" ) )
return; return;
c$ssh$result = "failure"; c$ssh$result = "failure";
c$ssh$method = method; c$ssh$method = determine_auth_method(middle_pkt_len, first_pkt_len);
Log::write(SSH::LOG, c$ssh); Log::write(SSH::LOG, c$ssh);
} }
@ -93,7 +106,6 @@ event connection_closed(c: connection)
if ( c?$ssh && !c$ssh?$result ) if ( c?$ssh && !c$ssh?$result )
{ {
c$ssh$result = "unknown"; c$ssh$result = "unknown";
c$ssh$method = "unknown";
Log::write(SSH::LOG, c$ssh); Log::write(SSH::LOG, c$ssh);
} }
} }

23
src/analyzer/protocol/ssh/SSH.cc
View file

@ -68,7 +68,6 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
} }
catch ( const binpac::Exception& e ) catch ( const binpac::Exception& e )
{ {
printf(" **** %s\n", e.c_msg());
ProtocolViolation(fmt("Binpac exception: %s", e.c_msg())); ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
} }
} }
@ -92,19 +91,18 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
relative_len = len - initial_client_packet_size; relative_len = len - initial_client_packet_size;
else else
relative_len = len - initial_server_packet_size; relative_len = len - initial_server_packet_size;
// printf("Encrypted packet of length %d from %s.\n", len, orig?"client":"server");
if ( num_encrypted_packets_seen >= 4 ) if ( num_encrypted_packets_seen >= 4 )
{ {
int auth_result = AuthResult(relative_len, orig); int auth_result = AuthResult(relative_len, orig);
if ( auth_result > 0 ) if ( auth_result > 0 )
{ {
num_encrypted_packets_seen = 1; num_encrypted_packets_seen = 1;
//printf("Have auth\n");
StringVal* method = new StringVal(AuthMethod(relative_len, orig));
if ( auth_result == 1 ) if ( auth_result == 1 )
BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), method); BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
packet_n_1_size, packet_n_2_size);
if ( auth_result == 2 ) if ( auth_result == 2 )
BifEvent::generate_ssh_auth_failed(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), method); BifEvent::generate_ssh_auth_failed(interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
packet_n_1_size, packet_n_2_size);
} }
} }
if ( num_encrypted_packets_seen >= 2 ) if ( num_encrypted_packets_seen >= 2 )
@ -132,16 +130,3 @@ int SSH_Analyzer::AuthResult(int len, bool orig)
return -1; return -1;
} }
const char* SSH_Analyzer::AuthMethod(int len, bool orig)
{
if ( packet_n_1_size == 96 ) // Password auth
return fmt("password (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
if ( packet_n_1_size == 32 && ( packet_n_2_size == 0 || packet_n_2_size == 48 ) ) // Challenge-response auth
return fmt("challenge-response (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
if ( packet_n_2_size >= 112 &&
packet_n_2_size <= 432 ) // Public key auth
return fmt("pubkey (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
if ( packet_n_2_size == 16 ) // Host-based auth
return fmt("host-based (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
return fmt("unknown (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
}

1
src/analyzer/protocol/ssh/SSH.h
View file

@ -44,7 +44,6 @@ protected:
void ProcessEncrypted(int len, bool orig); void ProcessEncrypted(int len, bool orig);
int AuthResult(int len, bool orig); int AuthResult(int len, bool orig);
const char* AuthMethod(int len, bool orig);
bool had_gap; bool had_gap;

4
src/analyzer/protocol/ssh/events.bif
View file

@ -2,9 +2,9 @@ event ssh_server_version%(c: connection, version: string%);
event ssh_client_version%(c: connection, version: string%); event ssh_client_version%(c: connection, version: string%);
event ssh_auth_successful%(c: connection, method: string%); event ssh_auth_successful%(c: connection, middle_packet_len: int, first_packet_len: int%);
event ssh_auth_failed%(c: connection, method: string%); event ssh_auth_failed%(c: connection, middle_packet_len: int, first_packet_len: int%);
event ssh_server_capabilities%(c: connection, kex_algorithms: string, server_host_key_algorithms: string, encryption_algorithms_client_to_server: string, encryption_algorithms_server_to_client: string, mac_algorithms_client_to_server: string, mac_algorithms_server_to_client: string, compression_algorithms_client_to_server: string, compression_algorithms_server_to_client: string, languages_client_to_server: string, languages_server_to_client: string%); event ssh_server_capabilities%(c: connection, kex_algorithms: string, server_host_key_algorithms: string, encryption_algorithms_client_to_server: string, encryption_algorithms_server_to_client: string, mac_algorithms_client_to_server: string, mac_algorithms_server_to_client: string, compression_algorithms_client_to_server: string, compression_algorithms_server_to_client: string, languages_client_to_server: string, languages_server_to_client: string%);