Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add host key support for SSH1.

Browse source
This commit is contained in:
Vlad Grigorescu 2015-01-06 21:23:18 -06:00
parent 5e206ed108
commit 245bd07af7
3 changed files with 36 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

21
scripts/base/protocols/ssh/main.bro
View file

@ -186,11 +186,24 @@ event connection_state_remove(c: connection) &priority=-5
Log::write(SSH::LOG, c$ssh); Log::write(SSH::LOG, c$ssh);
} }
function generate_fingerprint(c: connection, key: string)
{
local lx = str_split(md5_hash(key), vector(2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30));
lx[0] = "";
c$ssh$host_key = sub(join_string_vec(lx, ":"), /:/, "");
}
event ssh1_server_host_key(c: connection, p: string, e: string)
{
if ( !c?$ssh )
return;
generate_fingerprint(c, e + p);
}
event ssh_server_host_key(c: connection, key: string) event ssh_server_host_key(c: connection, key: string)
{ {
if ( !c?$ssh ) if ( !c?$ssh )
return; return;
local lx = str_split(md5_hash(key), vector(2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30)); generate_fingerprint(c, key);
lx[0] = ""; }
c$ssh$host_key = sub(join_string_vec(lx, ":"), /:/, "");
}

4
src/analyzer/protocol/ssh/events.bif
View file

@ -8,4 +8,6 @@ event ssh_auth_failed%(c: connection, last_packet_len: int, middle_packet_len: i
event ssh_server_capabilities%(c: connection, kex_algorithms: string, server_host_key_algorithms: string, encryption_algorithms_client_to_server: string, encryption_algorithms_server_to_client: string, mac_algorithms_client_to_server: string, mac_algorithms_server_to_client: string, compression_algorithms_client_to_server: string, compression_algorithms_server_to_client: string, languages_client_to_server: string, languages_server_to_client: string%); event ssh_server_capabilities%(c: connection, kex_algorithms: string, server_host_key_algorithms: string, encryption_algorithms_client_to_server: string, encryption_algorithms_server_to_client: string, mac_algorithms_client_to_server: string, mac_algorithms_server_to_client: string, compression_algorithms_client_to_server: string, compression_algorithms_server_to_client: string, languages_client_to_server: string, languages_server_to_client: string%);
event ssh_server_host_key%(c: connection, key: string%); event ssh_server_host_key%(c: connection, key: string%);
event ssh1_server_host_key%(c: connection, p: string, e: string%);

16
src/analyzer/protocol/ssh/ssh-analyzer.pac
View file

@ -47,6 +47,18 @@ refine flow SSH_Flow += {
return true; return true;
%} %}
function proc_ssh1_server_host_key(p: bytestring, e: bytestring): bool
%{
if ( ssh_server_host_key )
{
BifEvent::generate_ssh1_server_host_key(connection()->bro_analyzer(),
connection()->bro_analyzer()->Conn(),
bytestring_to_val(${p}),
bytestring_to_val(${e}));
}
return true;
%}
function proc_newkeys(): bool function proc_newkeys(): bool
%{ %{
connection()->bro_analyzer()->ProtocolConfirmation(); connection()->bro_analyzer()->ProtocolConfirmation();
@ -73,4 +85,8 @@ refine typeattr SSH1_Message += &let {
refine typeattr SSH2_Message += &let { refine typeattr SSH2_Message += &let {
proc_newkeys: bool = $context.flow.proc_newkeys() &if(msg_type == MSG_NEWKEYS); proc_newkeys: bool = $context.flow.proc_newkeys() &if(msg_type == MSG_NEWKEYS);
};
refine typeattr SSH1_PUBLIC_KEY += &let {
proc: bool = $context.flow.proc_ssh1_server_host_key(host_key_p.val, host_key_e.val);
}; };