Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

ssh: Test for c$ssh$analyzer_id existence

Browse source 
While unusual, analyzer_confirmation() may never be called for the
SSH analyzer, but still ssh_auth_attempted is invoked later indicating
successful authentication. I haven't checked how that is actually possible,
but seems prudent to check for the existence of c$ssh$analyzer_id before
referencing it (also in light of runtime enable/disabling of events).

This was found testing Tim's all-the-fuzzing branch on large system,
merging this should avoid oss-fuzz telling us about it.

    $ zeek -C -r ./e83db.pcap 'DPD::ignore_violations+={ Analyzer::ANALYZER_SSH }'
    1668610572.429058 expression error in scripts/base/protocols/ssh/./main.zeek, line 260: field value missing (SSH::c$ssh$analyzer_id)
This commit is contained in:
Arne Welzel 2022-11-16 16:26:40 +01:00
parent ec3eca0549
commit 187096d4a4
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
scripts/base/protocols/ssh/main.zeek
View file

@ -249,7 +249,7 @@ event ssh_auth_attempted(c: connection, authenticated: bool) &priority=5
c$ssh$auth_success = authenticated; c$ssh$auth_success = authenticated;
c$ssh$auth_attempts += 1; c$ssh$auth_attempts += 1;
if ( authenticated && disable_analyzer_after_detection ) if ( authenticated && disable_analyzer_after_detection && c$ssh?$analyzer_id )
disable_analyzer(c$id, c$ssh$analyzer_id); disable_analyzer(c$id, c$ssh$analyzer_id);
} }