Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 22:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Merge remote-tracking branch 'origin/fastpath'

Browse source 
* origin/fastpath:
  Update usage output and list of cmd-line options
  A small fix to ssh/geo-data.bro. ssh can now be unset for local-local or remote-remote, so make the script deal with this.
This commit is contained in:
Robin Sommer 2015-05-04 09:58:09 -07:00
commit 190df47c4b
5 changed files with 24 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

7
CHANGES
View file

@ -1,4 +1,11 @@
2.3-911 | 2015-05-04 09:58:09 -0700
* Update usage output and list of command line options. (Daniel
Thayer)
* Improve SIP logging and remove reporter messages. (Seth Hall)
2.3-905 | 2015-04-29 17:01:30 -0700 2.3-905 | 2015-04-29 17:01:30 -0700
* Improve SIP logging and remove reporter messages. (Seth Hall) * Improve SIP logging and remove reporter messages. (Seth Hall)

2
VERSION
View file

@ -1 +1 @@
2.3-905 2.3-911

4
scripts/base/protocols/ssh/main.bro
View file

@ -118,7 +118,7 @@ event ssh_client_version(c: connection, version: string)
c$ssh$version = 2; c$ssh$version = 2;
} }
event ssh_auth_successful(c: connection, auth_method_none: bool) event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
{ {
# TODO - what to do here? # TODO - what to do here?
if ( !c?$ssh || ( c$ssh?$auth_success && c$ssh$auth_success ) ) if ( !c?$ssh || ( c$ssh?$auth_success && c$ssh$auth_success ) )
@ -146,7 +146,7 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5
} }
} }
event ssh_auth_failed(c: connection) event ssh_auth_failed(c: connection) &priority=5
{ {
if ( !c?$ssh || ( c$ssh?$auth_success && !c$ssh$auth_success ) ) if ( !c?$ssh || ( c$ssh?$auth_success && !c$ssh$auth_success ) )
return; return;

18
scripts/policy/protocols/ssh/geo-data.bro
View file

@ -12,14 +12,14 @@ export {
## notice will be generated. ## notice will be generated.
Watched_Country_Login, Watched_Country_Login,
}; };
redef record Info += { redef record Info += {
## Add geographic data related to the "remote" host of the ## Add geographic data related to the "remote" host of the
## connection. ## connection.
remote_location: geo_location &log &optional; remote_location: geo_location &log &optional;
}; };
## The set of countries for which you'd like to generate notices upon ## The set of countries for which you'd like to generate notices upon
## successful login. ## successful login.
const watched_countries: set[string] = {"RO"} &redef; const watched_countries: set[string] = {"RO"} &redef;
} }
@ -32,21 +32,27 @@ function get_location(c: connection): geo_location
event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3 event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3
{ {
if ( ! c$ssh?$direction )
return;
# Add the location data to the SSH record. # Add the location data to the SSH record.
c$ssh$remote_location = get_location(c); c$ssh$remote_location = get_location(c);
if ( c$ssh$remote_location?$country_code && c$ssh$remote_location$country_code in watched_countries ) if ( c$ssh$remote_location?$country_code && c$ssh$remote_location$country_code in watched_countries )
{ {
NOTICE([$note=Watched_Country_Login, NOTICE([$note=Watched_Country_Login,
$conn=c, $conn=c,
$msg=fmt("SSH login %s watched country: %s", $msg=fmt("SSH login %s watched country: %s",
(c$ssh$direction == OUTBOUND) ? "to" : "from", (c$ssh$direction == OUTBOUND) ? "to" : "from",
c$ssh$remote_location$country_code)]); c$ssh$remote_location$country_code)]);
} }
} }
event ssh_auth_failed(c: connection) &priority=3 event ssh_auth_failed(c: connection) &priority=3
{ {
if ( ! c$ssh?$direction )
return;
# Add the location data to the SSH record. # Add the location data to the SSH record.
c$ssh$remote_location = get_location(c); c$ssh$remote_location = get_location(c);
} }

4
src/main.cc
View file

@ -199,7 +199,7 @@ void usage()
fprintf(stderr, " -T|--re-level <level> | set 'RE_level' for rules\n"); fprintf(stderr, " -T|--re-level <level> | set 'RE_level' for rules\n");
fprintf(stderr, " -U|--status-file <file> | Record process status in file\n"); fprintf(stderr, " -U|--status-file <file> | Record process status in file\n");
fprintf(stderr, " -W|--watchdog | activate watchdog timer\n"); fprintf(stderr, " -W|--watchdog | activate watchdog timer\n");
fprintf(stderr, " -X|--broxygen | generate documentation based on config file\n"); fprintf(stderr, " -X|--broxygen <cfgfile> | generate documentation based on config file\n");
#ifdef USE_PERFTOOLS_DEBUG #ifdef USE_PERFTOOLS_DEBUG
fprintf(stderr, " -m|--mem-leaks | show leaks [perftools]\n"); fprintf(stderr, " -m|--mem-leaks | show leaks [perftools]\n");
@ -547,7 +547,7 @@ int main(int argc, char** argv)
opterr = 0; opterr = 0;
char opts[256]; char opts[256];
safe_strncpy(opts, "B:e:f:I:i:J:K:n:p:R:r:s:T:t:U:w:x:X:z:CFGNPSWabdghvQ", safe_strncpy(opts, "B:e:f:I:i:J:K:n:p:R:r:s:T:t:U:w:x:X:z:CFNPSWabdghvQ",
sizeof(opts)); sizeof(opts));
#ifdef USE_PERFTOOLS_DEBUG #ifdef USE_PERFTOOLS_DEBUG