SSH: Intel framework integration (PUBKEY_HASH)

scripts/base/frameworks/intel/main.bro

@@ -32,6 +32,8 @@ export {
 		FILE_NAME,
 		## Certificate SHA-1 hash.
 		CERT_HASH,
+		## Public key MD5 hash. (SSH server host keys are a good example.)
+		PUBKEY_HASH,
 	};
 	
 	## Data about an :bro:type:`Intel::Item`.

scripts/base/protocols/ssh/main.bro

@@ -55,6 +55,11 @@ export {
 	## Event that can be handled to access the SSH record as it is sent on
 	## to the logging framework.
 	global log_ssh: event(rec: Info);
+
+	## Event that can be handled when the analyzer sees an SSH server host
+	## key. This abstracts :bro:id:`SSH::ssh1_server_host_key` and 
+	## :bro:id:`SSH::ssh2_server_host_key`.
+	global ssh_server_host_key: event(c: connection, hash string);
 }
 
 redef record Info += {
@@ -212,13 +217,12 @@ function generate_fingerprint(c: connection, key: string)
 	c$ssh$host_key = sub(join_string_vec(lx, ":"), /:/, "");
 	}
 
-event ssh1_server_host_key(c: connection, p: string, e: string)
+event ssh1_server_host_key(c: connection, p: string, e: string) &priority=5
 	{
 	generate_fingerprint(c, e + p);
 	}
 
-event ssh_server_host_key(c: connection, key: string)
+event ssh2_server_host_key(c: connection, key: string) &priority=5
 	{
 	generate_fingerprint(c, key);
 	}
-

scripts/policy/frameworks/intel/seen/pubkey-hashes.bro

@@ -0,0 +1,11 @@
+@load base/frameworks/intel
+@load ./where-locations
+
+event ssh_server_host_key(c: connection, hash: string)
+	{
+	local seen = Intel::Seen($indicator=hash,
+				 $indicator_type=Intel::PUBKEY_HASH,
+				 $conn=c,
+				 $where=SSH::IN_SERVER_HOST_KEY);
+	Intel::seen(seen);
+	}

scripts/policy/frameworks/intel/seen/where-locations.bro

@@ -21,6 +21,7 @@ export {
 		SMTP::IN_REPLY_TO,
 		SMTP::IN_X_ORIGINATING_IP_HEADER,
 		SMTP::IN_MESSAGE,
+		SSH::IN_SERVER_HOST_KEY,
 		SSL::IN_SERVER_NAME,
 		SMTP::IN_HEADER,
 		X509::IN_CERT,