Rename all scripts to have ".zeek" file extension

2025-10-16 05:28:20 +00:00 · 2019-04-11 21:12:40 -05:00 · 2019-04-11 21:12:40 -05:00 · 18bd74454b
commit 18bd74454b
parent 537d9cab97
357 changed files with 169 additions and 169 deletions
--- a/scripts/base/protocols/ssh/main.zeek
+++ b/scripts/base/protocols/ssh/main.zeek
@ -0,0 +1,313 @@
+##! Implements base functionality for SSH analysis. Generates the ssh.log file.
+
+@load base/utils/directions-and-hosts
+
+module SSH;
+
+export {
+	## The SSH protocol logging stream identifier.
+	redef enum Log::ID += { LOG };
+
+	## The record type which contains the fields of the SSH log.
+	type Info: record {
+		## Time when the SSH connection began.
+		ts:              time         &log;
+		## Unique ID for the connection.
+		uid:             string       &log;
+		## The connection's 4-tuple of endpoint addresses/ports.
+		id:              conn_id      &log;
+		## SSH major version (1 or 2)
+		version:         count        &log;
+		## Authentication result (T=success, F=failure, unset=unknown)
+		auth_success:    bool         &log &optional;
+		## The number of authentication attemps we observed. There's always
+		## at least one, since some servers might support no authentication at all.
+		## It's important to note that not all of these are failures, since
+		## some servers require two-factor auth (e.g. password AND pubkey)
+		auth_attempts:   count        &log &default=0;
+		## Direction of the connection. If the client was a local host
+		## logging into an external host, this would be OUTBOUND. INBOUND
+		## would be set for the opposite situation.
+		# TODO - handle local-local and remote-remote better.
+		direction:       Direction    &log &optional;
+		## The client's version string
+		client:          string       &log &optional;
+		## The server's version string
+		server:          string       &log &optional;
+		## The encryption algorithm in use
+		cipher_alg:      string       &log &optional;
+		## The signing (MAC) algorithm in use
+		mac_alg:         string       &log &optional;
+		## The compression algorithm in use
+		compression_alg: string       &log &optional;
+		## The key exchange algorithm in use
+		kex_alg:         string       &log &optional;
+		## The server host key's algorithm
+		host_key_alg:    string       &log &optional;
+		## The server's key fingerprint
+		host_key:        string       &log &optional;
+	};
+
+	## The set of compression algorithms. We can't accurately determine
+	## authentication success or failure when compression is enabled.
+	option compression_algorithms = set("zlib", "zlib@openssh.com");
+
+	## If true, after detection detach the SSH analyzer from the connection
+	## to prevent continuing to process encrypted traffic. Helps with performance
+	## (especially with large file transfers).
+	option disable_analyzer_after_detection = T;
+
+	## Event that can be handled to access the SSH record as it is sent on
+	## to the logging framework.
+	global log_ssh: event(rec: Info);
+}
+
+module GLOBAL;
+export {
+	## This event is generated when an :abbr:`SSH (Secure Shell)`
+	## connection was determined to have had a failed authentication. This
+	## determination is based on packet size analysis, and errs on the
+	## side of caution - that is, if there's any doubt about the
+	## authentication failure, this event is *not* raised.
+	##
+	## This event is only raised once per connection.
+	##
+	## c: The connection over which the :abbr:`SSH (Secure Shell)`
+	##    connection took place.
+	##
+	## .. bro:see:: ssh_server_version ssh_client_version
+	##    ssh_auth_successful ssh_auth_result ssh_auth_attempted
+	##    ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+	##    ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+	##    ssh2_gss_error ssh2_ecc_key
+	global ssh_auth_failed: event(c: connection);
+
+	## This event is generated when a determination has been made about
+	## the final authentication result of an :abbr:`SSH (Secure Shell)`
+	## connection. This determination is based on packet size analysis,
+	## and errs on the side of caution - that is, if there's any doubt
+	## about the result of the authentication, this event is *not* raised.
+	##
+	## This event is only raised once per connection.
+	##
+	## c: The connection over which the :abbr:`SSH (Secure Shell)`
+	##    connection took place.
+	##
+	## result: True if the authentication was successful, false if not.
+	##
+	## auth_attempts: The number of authentication attempts that were
+	##    observed.
+	##
+	## .. bro:see:: ssh_server_version ssh_client_version
+	##    ssh_auth_successful ssh_auth_failed ssh_auth_attempted
+	##    ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+	##    ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+	##    ssh2_gss_error ssh2_ecc_key
+	global ssh_auth_result: event(c: connection, result: bool, auth_attempts: count);
+
+	## Event that can be handled when the analyzer sees an SSH server host
+	## key. This abstracts :bro:id:`ssh1_server_host_key` and
+	## :bro:id:`ssh2_server_host_key`.
+	##
+	## .. bro:see:: ssh_server_version ssh_client_version
+	##    ssh_auth_successful ssh_auth_failed ssh_auth_result
+	##    ssh_auth_attempted ssh_capabilities ssh2_server_host_key
+	##    ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+	##    ssh2_gss_error ssh2_ecc_key
+	global ssh_server_host_key: event(c: connection, hash: string);
+}
+
+module SSH;
+
+redef record Info += {
+	# This connection has been logged (internal use)
+	logged:       bool         &default=F;
+	# Store capabilities from the first host for
+	# comparison with the second (internal use)
+	capabilities: Capabilities &optional;
+	## Analzyer ID
+	analyzer_id: count         &optional;
+};
+
+redef record connection += {
+	ssh: Info &optional;
+};
+
+const ports = { 22/tcp };
+redef likely_server_ports += { ports };
+
+event bro_init() &priority=5
+	{
+	Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
+	Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh, $path="ssh"]);
+	}
+
+function set_session(c: connection)
+	{
+	if ( ! c?$ssh )
+		{
+		local info: SSH::Info;
+		info$ts  = network_time();
+		info$uid = c$uid;
+		info$id  = c$id;
+
+		# If both hosts are local or non-local, we can't reliably set a direction.
+		if ( Site::is_local_addr(c$id$orig_h) != Site::is_local_addr(c$id$resp_h) )
+			info$direction = Site::is_local_addr(c$id$orig_h) ? OUTBOUND: INBOUND;
+		c$ssh = info;
+		}
+	}
+
+event ssh_server_version(c: connection, version: string)
+	{
+	set_session(c);
+	c$ssh$server = version;
+	}
+
+event ssh_client_version(c: connection, version: string)
+	{
+	set_session(c);
+	c$ssh$client = version;
+
+	if ( ( |version| > 3 ) && ( version[4] == "1" ) )
+		c$ssh$version = 1;
+	if ( ( |version| > 3 ) && ( version[4] == "2" ) )
+		c$ssh$version = 2;
+	}
+
+event ssh_auth_attempted(c: connection, authenticated: bool) &priority=5
+	{
+	if ( !c?$ssh || ( c$ssh?$auth_success && c$ssh$auth_success ) )
+		return;
+
+	# We can't accurately tell for compressed streams
+	if ( c$ssh?$compression_alg && ( c$ssh$compression_alg in compression_algorithms ) )
+		return;
+
+	c$ssh$auth_success = authenticated;
+	c$ssh$auth_attempts += 1;
+
+	if ( authenticated && disable_analyzer_after_detection )
+		disable_analyzer(c$id, c$ssh$analyzer_id);
+	}
+
+event ssh_auth_attempted(c: connection, authenticated: bool) &priority=-5
+	{
+	if ( authenticated && c?$ssh && !c$ssh$logged )
+		{
+		event ssh_auth_result(c, authenticated, c$ssh$auth_attempts);
+		c$ssh$logged = T;
+		Log::write(SSH::LOG, c$ssh);
+		}
+	}
+
+# Determine the negotiated algorithm
+function find_alg(client_algorithms: vector of string, server_algorithms: vector of string): string
+	{
+	for ( i in client_algorithms )
+		for ( j in server_algorithms )
+			if ( client_algorithms[i] == server_algorithms[j] )
+				return client_algorithms[i];
+	return "Algorithm negotiation failed";
+	}
+
+# This is a simple wrapper around find_alg for cases where client to server and server to client
+# negotiate different algorithms. This is rare, but provided for completeness.
+function find_bidirectional_alg(client_prefs: Algorithm_Prefs, server_prefs: Algorithm_Prefs): string
+	{
+	local c_to_s = find_alg(client_prefs$client_to_server, server_prefs$client_to_server);
+	local s_to_c = find_alg(client_prefs$server_to_client, server_prefs$server_to_client);
+
+	# Usually these are the same, but if they're not, return the details
+	return c_to_s == s_to_c ? c_to_s : fmt("To server: %s, to client: %s", c_to_s, s_to_c);
+	}
+
+event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities)
+	{
+	if ( !c?$ssh || ( c$ssh?$capabilities && c$ssh$capabilities$is_server == capabilities$is_server ) )
+		return;
+
+	if ( !c$ssh?$capabilities )
+		{
+		c$ssh$capabilities = capabilities;
+		return;
+		}
+
+	local client_caps = capabilities$is_server ? c$ssh$capabilities : capabilities;
+	local server_caps = capabilities$is_server ? capabilities : c$ssh$capabilities;
+
+	c$ssh$cipher_alg      = find_bidirectional_alg(client_caps$encryption_algorithms,
+	                                               server_caps$encryption_algorithms);
+	c$ssh$mac_alg         = find_bidirectional_alg(client_caps$mac_algorithms,
+	                                               server_caps$mac_algorithms);
+	c$ssh$compression_alg = find_bidirectional_alg(client_caps$compression_algorithms,
+	                                               server_caps$compression_algorithms);
+	c$ssh$kex_alg         = find_alg(client_caps$kex_algorithms, server_caps$kex_algorithms);	
+	c$ssh$host_key_alg    = find_alg(client_caps$server_host_key_algorithms,
+	                                 server_caps$server_host_key_algorithms);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	if ( c?$ssh && !c$ssh$logged )
+		{
+		# Do we have enough information to make a determination about auth success?
+		if ( c$ssh?$client && c$ssh?$server && c$ssh?$auth_success )
+			{
+			# Successes get logged immediately. To protect against a race condition, we'll double check:
+			if ( c$ssh$auth_success )
+				return;
+
+			# Now that we know it's a failure, we'll raise the event.
+			event ssh_auth_failed(c);
+			}
+		# If not, we'll just log what we have
+		else
+			{
+			c$ssh$logged = T;
+			Log::write(SSH::LOG, c$ssh);
+			}
+		}
+	}
+
+event ssh_auth_failed(c: connection) &priority=-5
+	{
+	# This should not happen; prevent double-logging just in case
+	if ( ! c?$ssh || c$ssh$logged )
+		return;
+
+	c$ssh$logged = T;
+	Log::write(SSH::LOG, c$ssh);
+
+	event ssh_auth_result(c, F, c$ssh$auth_attempts);
+	}
+
+
+function generate_fingerprint(c: connection, key: string)
+	{
+	if ( !c?$ssh )
+		return;
+
+	local lx = str_split(md5_hash(key), vector(2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30));
+	lx[0] = "";
+	c$ssh$host_key = sub(join_string_vec(lx, ":"), /:/, "");
+	}
+
+event ssh1_server_host_key(c: connection, p: string, e: string) &priority=5
+	{
+	generate_fingerprint(c, e + p);
+	}
+
+event ssh2_server_host_key(c: connection, key: string) &priority=5
+	{
+	generate_fingerprint(c, key);
+	}
+
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
+	{
+	if ( atype == Analyzer::ANALYZER_SSH )
+		{
+		set_session(c);
+		c$ssh$analyzer_id = aid;
+		}
+	}