diff --git a/CHANGES b/CHANGES
index 9a4d2fef91..f64a918bfa 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,11 @@
+2.3-911 | 2015-05-04 09:58:09 -0700
+
+ * Update usage output and list of command line options. (Daniel
+ Thayer)
+
+ * Improve SIP logging and remove reporter messages. (Seth Hall)
+
 2.3-905 | 2015-04-29 17:01:30 -0700
 * Improve SIP logging and remove reporter messages. (Seth Hall)
diff --git a/VERSION b/VERSION
index 31d0f6a691..077543de48 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3-905
+2.3-911
diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index 6f76dcbb77..d9e1e2b3cf 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -118,7 +118,7 @@ event ssh_client_version(c: connection, version: string)
 c$ssh$version = 2;
 }
-event ssh_auth_successful(c: connection, auth_method_none: bool)
+event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
 {
 # TODO - what to do here?
 if ( !c?$ssh || ( c$ssh?$auth_success && c$ssh$auth_success ) )
@@ -146,7 +146,7 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5
 }
 }
-event ssh_auth_failed(c: connection)
+event ssh_auth_failed(c: connection) &priority=5
 {
 if ( !c?$ssh || ( c$ssh?$auth_success && !c$ssh$auth_success ) )
 return;
diff --git a/scripts/policy/protocols/ssh/geo-data.bro b/scripts/policy/protocols/ssh/geo-data.bro
index feae86c8f6..7235f24199 100644
--- a/scripts/policy/protocols/ssh/geo-data.bro
+++ b/scripts/policy/protocols/ssh/geo-data.bro
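Review bot: The new `&priority=5` on `ssh_auth_successful` in the -118 hunk carries no comment saying what it orders this handler ahead of, so a later reader cannot tell whether the value is load-bearing; the same applies to `ssh_auth_failed` in the -146 hunk. Both handler bodies continue outside the hunks, so I cannot confirm which `c$ssh` fields they populate, but the companion change to scripts/policy/protocols/ssh/geo-data.bro in this commit gates its own `&priority=3` handlers on `c$ssh?$direction`, which suggests these base handlers are meant to run first and set it. The -146 hunk header also shows a third handler for the same event at `&priority=-5`, so the file now has a three-stage ordering that is nowhere explained. I would add above each of the two events: `# Runs before lower-priority handlers (e.g. policy scripts at &priority=3) that expect this handler to have populated c$ssh first.`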
@@ -12,14 +12,14 @@ export {
 ## notice will be generated.
 Watched_Country_Login,
 };
-
+
 redef record Info += {
 ## Add geographic data related to the "remote" host of the
 ## connection.
 remote_location: geo_location &log &optional;
 };
-
-## The set of countries for which you'd like to generate notices upon
+
+## The set of countries for which you'd like to generate notices upon
 ## successful login.
 const watched_countries: set[string] = {"RO"} &redef;
 }
@@ -32,21 +32,27 @@ function get_location(c: connection): geo_location
 event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3
 {
+if ( ! c$ssh?$direction )
+return;
+
 # Add the location data to the SSH record.
 c$ssh$remote_location = get_location(c);
-
+
 if ( c$ssh$remote_location?$country_code && c$ssh$remote_location$country_code in watched_countries )
 {
 NOTICE([$note=Watched_Country_Login, $conn=c,
-$msg=fmt("SSH login %s watched country: %s",
-(c$ssh$direction == OUTBOUND) ? "to" : "from",
+$msg=fmt("SSH login %s watched country: %s",
+(c$ssh$direction == OUTBOUND) ? "to" : "from",
 c$ssh$remote_location$country_code)]);
 }
 }
 event ssh_auth_failed(c: connection) &priority=3
 {
+if ( ! c$ssh?$direction )
+return;
+
 # Add the location data to the SSH record.
 c$ssh$remote_location = get_location(c);
 }
diff --git a/src/main.cc b/src/main.cc
index 4b30d23e0a..61cc35f198 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -199,7 +199,7 @@ void usage()
 fprintf(stderr, " -T|--re-level | set 'RE_level' for rules\n");
 fprintf(stderr, " -U|--status-file | Record process status in file\n");
 fprintf(stderr, " -W|--watchdog | activate watchdog timer\n");
-fprintf(stderr, " -X|--broxygen | generate documentation based on config file\n");
+fprintf(stderr, " -X|--broxygen | generate documentation based on config file\n");
 #ifdef USE_PERFTOOLS_DEBUG
 fprintf(stderr, " -m|--mem-leaks | show leaks [perftools]\n");
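Review bot: The new guard `if ( ! c$ssh?$direction ) return;` at the top of `ssh_auth_successful` in the -32 hunk tests a field of `c$ssh` without first checking that `c$ssh` itself is set, whereas the base handlers for the same events in scripts/base/protocols/ssh/main.bro in this commit begin with `if ( !c?$ssh || ... ) return;`. If that base handler returns early because `c?$ssh` is false, this `&priority=3` handler still runs, and as far as I can tell evaluating `?$direction` on an unset `c$ssh` is a runtime error in Bro rather than a false result, so the guard would not protect the code it was added for. The same guard is repeated in `ssh_auth_failed` lower in the hunk; `get_location()` is outside the hunk, so I cannot see whether it is safe on its own. I would change both to `if ( ! c?$ssh || ! c$ssh?$direction ) return;`.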
@@ -547,7 +547,7 @@ int main(int argc, char** argv)
 opterr = 0;
 char opts[256];
-safe_strncpy(opts, "B:e:f:I:i:J:K:n:p:R:r:s:T:t:U:w:x:X:z:CFGNPSWabdghvQ",
+safe_strncpy(opts, "B:e:f:I:i:J:K:n:p:R:r:s:T:t:U:w:x:X:z:CFNPSWabdghvQ",
 sizeof(opts));
 #ifdef USE_PERFTOOLS_DEBUG
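Review bot: Dropping `G` from the short-option string makes `-G` an unrecognized option, and because `opterr = 0;` two lines above suppresses getopt's own diagnostic, the user only learns of that if the `?`/default branch of the option-parsing switch (outside this hunk, in the rest of `main`) reports it; worth confirming it does rather than silently ignoring the flag. The corresponding `case 'G'` in that switch and, presumably, its entry in the long-options table used by `getopt_long` are also outside the hunk and should be removed in the same change so the option table, the switch and the `usage()` text in the -199 hunk stay consistent. A one-line comment next to the string noting why `G` was dropped would save the next reader from re-deriving the relationship to the `usage()` change.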