Fix SSH analyzer bug where is_server in capabilities is wrong.

The ssh_capabilities event includes the capabilities reported
by either the server or the client. The record also includes a field,
is_server, so that scripts can determine which endpoint is reporting
its capabilities. That field was being set incorrectly (it was being
set as is_client rather than is_server, so it needed to be negated).

This simple bug had some larger repercussions. RFC 4253 provides a
method for client and server to agree on algorithms used in the SSH
connection. Bro was calculating these incorrectly. Some of these, such
as the encryption algorithm, are also used to determine whether or not
Bro should attempt to detect successful versus failed
authentications. In some cases, Bro would get this wrong, and make a
guess when it could not correctly determine the authentication outcome.
Vlad Grigorescu 2018-10-16 10:29:29 -05:00
parent c8637b7430
commit 1d57cd3727


@ -101,7 +101,7 @@ refine flow SSH_Flow += {
} }
result->Assign(6, new Val(${msg.is_orig}, TYPE_BOOL)); result->Assign(6, new Val(!${msg.is_orig}, TYPE_BOOL));
BifEvent::generate_ssh_capabilities(connection()->bro_analyzer(), BifEvent::generate_ssh_capabilities(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.cookie}), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.cookie}),
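Review bot: the negation `!${msg.is_orig}` in `result->Assign(6, new Val(!${msg.is_orig}, TYPE_BOOL));` is the entire fix, but nothing at the call site names what positional field 6 is, so the inversion reads like a mistake waiting to be "corrected" back. Add a one-line comment beside the Assign (for example `// field 6 is is_server; the originator of the connection is the client`) and, since scripts reading `is_server` from `ssh_capabilities` previously saw the inverted value, cover both directions with a baseline test so the algorithm-negotiation and authentication-outcome logic that depends on it cannot silently regress again.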