From 1d57cd37271c7b287d7062998e18663d2f68ed70 Mon Sep 17 00:00:00 2001 From: Vlad Grigorescu Date: Tue, 16 Oct 2018 10:29:29 -0500 Subject: [PATCH] Fix SSH analyzer bug where is_server in capabilities is wrong. The ssh_capabilities event includes the capabilities reported by either the server or the client. The record also includes a field, is_server, so that scripts can determine which endpoint is reporting its capabilities. That field was being set incorrectly (it was being set as is_client rather than is_server, so it needed to be negated). This simple bug had some larger repercussions. RFC 4253 provides a method for client and server to agree on algorithms used in the SSH connection. Bro was calculating these incorrectly. Some of these, such as the encryption algorithm, are also used to determine whether or not Bro should attempt to detect successful versus failed authentications. In some cases, Bro would get this wrong, and make a guess when it could not correctly determine the authentication outcome. --- src/analyzer/protocol/ssh/ssh-analyzer.pac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyzer/protocol/ssh/ssh-analyzer.pac b/src/analyzer/protocol/ssh/ssh-analyzer.pac index 0ee0b92569..ff53f10f09 100644 --- a/src/analyzer/protocol/ssh/ssh-analyzer.pac +++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac @@ -101,7 +101,7 @@ refine flow SSH_Flow += { } - result->Assign(6, new Val(${msg.is_orig}, TYPE_BOOL)); + result->Assign(6, new Val(!${msg.is_orig}, TYPE_BOOL)); BifEvent::generate_ssh_capabilities(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.cookie}),
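Review bot: no regression test or baseline update accompanies this fix, even though the commit message says it changes algorithm selection and, through the encryption algorithm, whether authentication outcomes are detected; the diffstat lists only src/analyzer/protocol/ssh/ssh-analyzer.pac. A test that feeds a client KEXINIT and a server KEXINIT with differently ordered name-lists and checks the `is_server` field and the resulting selection would pin the corrected behaviour and catch a future re-inversion. Minor: the bare slot index in `result->Assign(6, new Val(!${msg.is_orig}, TYPE_BOOL));` is the only thing tying this line to the `is_server` field, so a one-line comment saying that field 6 is `is_server` and that `is_orig` means the originator (client) sent the message would make the negation self-explanatory to the next reader.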
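The repercussion the commit message describes follows from how RFC 4253 section 7.1 chooses an algorithm: the selected algorithm is the first entry on the client's name-list that also appears on the server's name-list, so it matters which endpoint's list is treated as the client's. The following is an added example, not code from Bro or from this patch; it models the `ssh_capabilities` record as a small Python class, applies the RFC rule, and shows how copying `is_orig` into `is_server` (the pre-fix behaviour) instead of negating it swaps the two lists and changes the result. The function and field names and the two KEXINIT name-lists are constructed for the example.

```python
"""RFC 4253 section 7.1 algorithm negotiation, and what goes wrong when the
analyzer mislabels which endpoint a KEXINIT came from.
Added example; not Bro/Zeek project code."""

from dataclasses import dataclass
from typing import List, Optional

# Constructed KEXINIT encryption name-lists.  The client and the server
# both support the same three ciphers but rank them in opposite order.
CLIENT_ENC = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr"
SERVER_ENC = "aes128-ctr,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com"


@dataclass
class Capabilities:
    """Stand-in for the ssh_capabilities record of one endpoint (assumed shape)."""
    is_server: bool
    encryption_algorithms: List[str]


def parse_name_list(name_list: str) -> List[str]:
    """Split an SSH name-list (RFC 4251 section 5: comma-separated, no spaces)."""
    return [name for name in name_list.split(",") if name]


def negotiate(client_algs: List[str], server_algs: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the chosen algorithm is the first one on the
    client's list that the server also lists.  None means no agreement, in
    which case the RFC says the connection fails."""
    supported_by_server = set(server_algs)
    for alg in client_algs:
        if alg in supported_by_server:
            return alg
    return None


def capabilities_from_kexinit(is_orig: bool, enc_list: str, buggy: bool) -> Capabilities:
    """Build the capabilities record for one KEXINIT message.

    is_orig is true when the connection originator (the client) sent it.
    buggy=True reproduces the pre-fix analyzer, which stored is_orig as
    is_server; buggy=False applies the patch and stores the negation."""
    is_server = is_orig if buggy else not is_orig
    return Capabilities(is_server=is_server,
                        encryption_algorithms=parse_name_list(enc_list))


def negotiated_cipher(caps: List[Capabilities]) -> Optional[str]:
    """What a script consuming two ssh_capabilities records would do: pick the
    client and server lists by is_server, then apply the RFC 4253 rule."""
    client = next(c for c in caps if not c.is_server)
    server = next(c for c in caps if c.is_server)
    return negotiate(client.encryption_algorithms, server.encryption_algorithms)


def run(buggy: bool) -> Optional[str]:
    """Process the constructed client and server KEXINITs with the chosen
    is_server logic and return the cipher a script would believe was selected."""
    caps = [
        capabilities_from_kexinit(is_orig=True, enc_list=CLIENT_ENC, buggy=buggy),
        capabilities_from_kexinit(is_orig=False, enc_list=SERVER_ENC, buggy=buggy),
    ]
    return negotiated_cipher(caps)


if __name__ == "__main__":
    print("fixed analyzer :", run(buggy=False))  # chacha20-poly1305@openssh.com
    print("buggy analyzer :", run(buggy=True))   # aes128-ctr
```

With the fix, the client's first preference (chacha20-poly1305@openssh.com) wins, as the real peers would agree. With `is_server` inverted, the server's list is evaluated in the client's role and the script concludes aes128-ctr was chosen, which is the kind of wrong cipher that then feeds any later decision keyed on the negotiated algorithm.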