SSH: Various updates.

2025-10-10 02:28:21 +00:00 · 2014-04-22 18:26:39 -04:00 · 2014-04-22 18:26:39 -04:00 · 2698fcea8e
commit 2698fcea8e
parent 78b5f6b94b
6 changed files with 126 additions and 50 deletions
--- a/src/analyzer/protocol/ssh/ssh-analyzer.pac
+++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac
@ -3,8 +3,34 @@
 refine flow SSH_Flow += {
 	function proc_ssh_version(msg: SSH_Version): bool
 		%{
-		BifEvent::generate_ssh_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), ${msg.is_orig},
-					       bytestring_to_val(${msg.version}));
+		if ( ssh_client_version && ${msg.is_orig } )
+			BifEvent::generate_ssh_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.version}));
+		else if ( ssh_server_version ) 
+			BifEvent::generate_ssh_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.version}));		
+		return true;
+		%}
+
+	function proc_ssh_kexinit(msg: SSH_KEXINIT): bool
+		%{
+		if ( ssh_server_capabilities )
+			BifEvent::generate_ssh_server_capabilities(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
+						   bytestring_to_val(${msg.kex_algorithms}), bytestring_to_val(${msg.server_host_key_algorithms}),
+						   bytestring_to_val(${msg.encryption_algorithms_client_to_server}), 
+						   bytestring_to_val(${msg.encryption_algorithms_server_to_client}), 
+						   bytestring_to_val(${msg.mac_algorithms_client_to_server}), 
+						   bytestring_to_val(${msg.mac_algorithms_server_to_client}), 
+						   bytestring_to_val(${msg.compression_algorithms_client_to_server}), 
+						   bytestring_to_val(${msg.compression_algorithms_server_to_client}), 
+						   bytestring_to_val(${msg.languages_client_to_server}), 
+						   bytestring_to_val(${msg.languages_server_to_client}));
+		return true;
+		%}
+
+	function proc_ssh_server_host_key(key: bytestring): bool
+		%{
+		if ( ssh_server_host_key )
+			BifEvent::generate_ssh_server_host_key(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), 
+						  		bytestring_to_val(${key}));
 		return true;
 		%}

@ -14,12 +40,30 @@ refine flow SSH_Flow += {
 		return true;
 		%}

+	function debug(loc: uint8): bool
+		%{
+		printf("DEBUG: %d", loc);
+		return true;
+		%}
+
 };

 refine typeattr SSH_Version += &let {
 	proc: bool = $context.flow.proc_ssh_version(this);
 };

+refine typeattr SSH_KEXINIT += &let {
+	proc: bool = $context.flow.proc_ssh_kexinit(this);
+};
+
+refine typeattr SSH_DH_GEX_REPLY += &let {
+	proc: bool = $context.flow.proc_ssh_server_host_key(k_s.val);
+};
+
+refine typeattr SSH_DH_GEX_GROUP += &let {
+	proc: bool = $context.flow.proc_ssh_server_host_key(p.val);
+};
+
 refine typeattr SSH_Message += &let {
 	proc_newkeys: bool = $context.flow.proc_newkeys() &if(msg_type == SSH_MSG_NEWKEYS);
-};
+};