mirror of
https://github.com/zeek/zeek.git
synced 2025-10-07 00:58:19 +00:00
Move auth method detection into script-land, to make it easier to change.
This commit is contained in:
Vlad Grigorescu
parent
2698fcea8e
commit
0a50688afc
4 changed files with 24 additions and 28 deletions
|
|
@ -22,7 +22,7 @@ export {
|
|||
host_key: string &log &optional;
|
||||
## Auth result
|
||||
result: string &log &optional;
|
||||
## Auth method
|
||||
## Auth method (password, pubkey, etc.)
|
||||
method: string &log &optional;
|
||||
};
|
||||
|
||||
|
|
@ -70,21 +70,34 @@ event ssh_client_version(c: connection, version: string)
|
|||
c$ssh$client = version;
|
||||
}
|
||||
|
||||
event ssh_auth_successful(c: connection, method: string)
|
||||
function determine_auth_method(middle_pkt_len: int, first_pkt_len: int): string
|
||||
{
|
||||
if ( middle_pkt_len == 96 )
|
||||
return "password";
|
||||
if ( ( middle_pkt_len == 32 ) && ( first_pkt_len == 0 || first_pkt_len == 48 ) )
|
||||
return "challenge-response";
|
||||
if ( ( first_pkt_len >= 112 ) && ( first_pkt_len <= 432 ) )
|
||||
return "pubkey";
|
||||
if ( first_pkt_len == 16 )
|
||||
return "host-based";
|
||||
return fmt("unknown (mid=%d, first=%d)", middle_pkt_len, first_pkt_len);
|
||||
}
|
||||
|
||||
event ssh_auth_successful(c: connection, middle_pkt_len: int, first_pkt_len: int)
|
||||
{
|
||||
if ( !c?$ssh || ( c$ssh?$result && c$ssh$result == "success" ) )
|
||||
return;
|
||||
c$ssh$result = "success";
|
||||
c$ssh$method = method;
|
||||
c$ssh$method = determine_auth_method(middle_pkt_len, first_pkt_len);
|
||||
Log::write(SSH::LOG, c$ssh);
|
||||
}
|
||||
|
||||
event ssh_auth_failed(c: connection, method: string)
|
||||
event ssh_auth_failed(c: connection, middle_pkt_len: int, first_pkt_len: int)
|
||||
{
|
||||
if ( !c?$ssh || ( c$ssh?$result && c$ssh$result == "success" ) )
|
||||
return;
|
||||
c$ssh$result = "failure";
|
||||
c$ssh$method = method;
|
||||
c$ssh$method = determine_auth_method(middle_pkt_len, first_pkt_len);
|
||||
Log::write(SSH::LOG, c$ssh);
|
||||
}
|
||||
|
||||
|
|
@ -93,7 +106,6 @@ event connection_closed(c: connection)
|
|||
if ( c?$ssh && !c$ssh?$result )
|
||||
{
|
||||
c$ssh$result = "unknown";
|
||||
c$ssh$method = "unknown";
|
||||
Log::write(SSH::LOG, c$ssh);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -68,7 +68,6 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
|
|||
}
|
||||
catch ( const binpac::Exception& e )
|
||||
{
|
||||
printf(" **** %s\n", e.c_msg());
|
||||
ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
|
||||
}
|
||||
}
|
||||
|
|
@ -92,19 +91,18 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
|
|||
relative_len = len - initial_client_packet_size;
|
||||
else
|
||||
relative_len = len - initial_server_packet_size;
|
||||
// printf("Encrypted packet of length %d from %s.\n", len, orig?"client":"server");
|
||||
if ( num_encrypted_packets_seen >= 4 )
|
||||
{
|
||||
int auth_result = AuthResult(relative_len, orig);
|
||||
if ( auth_result > 0 )
|
||||
{
|
||||
num_encrypted_packets_seen = 1;
|
||||
//printf("Have auth\n");
|
||||
StringVal* method = new StringVal(AuthMethod(relative_len, orig));
|
||||
if ( auth_result == 1 )
|
||||
BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), method);
|
||||
BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
|
||||
packet_n_1_size, packet_n_2_size);
|
||||
if ( auth_result == 2 )
|
||||
BifEvent::generate_ssh_auth_failed(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), method);
|
||||
BifEvent::generate_ssh_auth_failed(interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
|
||||
packet_n_1_size, packet_n_2_size);
|
||||
}
|
||||
}
|
||||
if ( num_encrypted_packets_seen >= 2 )
|
||||
|
|
@ -132,16 +130,3 @@ int SSH_Analyzer::AuthResult(int len, bool orig)
|
|||
return -1;
|
||||
}
|
||||
|
||||
const char* SSH_Analyzer::AuthMethod(int len, bool orig)
|
||||
{
|
||||
if ( packet_n_1_size == 96 ) // Password auth
|
||||
return fmt("password (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
|
||||
if ( packet_n_1_size == 32 && ( packet_n_2_size == 0 || packet_n_2_size == 48 ) ) // Challenge-response auth
|
||||
return fmt("challenge-response (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
|
||||
if ( packet_n_2_size >= 112 &&
|
||||
packet_n_2_size <= 432 ) // Public key auth
|
||||
return fmt("pubkey (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
|
||||
if ( packet_n_2_size == 16 ) // Host-based auth
|
||||
return fmt("host-based (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
|
||||
return fmt("unknown (L=%d, L-1=%d, L-2=%d)", len, packet_n_1_size, packet_n_2_size);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -44,7 +44,6 @@ protected:
|
|||
|
||||
void ProcessEncrypted(int len, bool orig);
|
||||
int AuthResult(int len, bool orig);
|
||||
const char* AuthMethod(int len, bool orig);
|
||||
|
||||
bool had_gap;
|
||||
|
||||
|
|
|
|||
|
|
@ -2,9 +2,9 @@ event ssh_server_version%(c: connection, version: string%);
|
|||
|
||||
event ssh_client_version%(c: connection, version: string%);
|
||||
|
||||
event ssh_auth_successful%(c: connection, method: string%);
|
||||
event ssh_auth_successful%(c: connection, middle_packet_len: int, first_packet_len: int%);
|
||||
|
||||
event ssh_auth_failed%(c: connection, method: string%);
|
||||
event ssh_auth_failed%(c: connection, middle_packet_len: int, first_packet_len: int%);
|
||||
|
||||
event ssh_server_capabilities%(c: connection, kex_algorithms: string, server_host_key_algorithms: string, encryption_algorithms_client_to_server: string, encryption_algorithms_server_to_client: string, mac_algorithms_client_to_server: string, mac_algorithms_server_to_client: string, compression_algorithms_client_to_server: string, compression_algorithms_server_to_client: string, languages_client_to_server: string, languages_server_to_client: string%);
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue