Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-17 05:58:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Script-land changes for BIT-1641.

Browse source
This commit is contained in:
Vlad Grigorescu 2016-10-07 17:17:01 -05:00
parent 20aef04dc7
commit 2920366049
1 changed files with 14 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

36
scripts/base/protocols/ssh/main.bro
View file

@ -170,9 +170,8 @@ event ssh_client_version(c: connection, version: string)
c$ssh$version = 2; c$ssh$version = 2;
} }
event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5 event ssh_auth_attempted(c: connection, authenticated: bool) &priority=5
{ {
# TODO - what to do here?
if ( !c?$ssh || ( c$ssh?$auth_success && c$ssh$auth_success ) ) if ( !c?$ssh || ( c$ssh?$auth_success && c$ssh$auth_success ) )
return; return;
@ -180,41 +179,31 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
if ( c$ssh?$compression_alg && ( c$ssh$compression_alg in compression_algorithms ) ) if ( c$ssh?$compression_alg && ( c$ssh$compression_alg in compression_algorithms ) )
return; return;
c$ssh$auth_success = T; c$ssh$auth_success = authenticated;
if ( c$ssh?$auth_attempts ) if ( c$ssh?$auth_attempts )
c$ssh$auth_attempts += 1; c$ssh$auth_attempts += 1;
else else
{
c$ssh$auth_attempts = 1; c$ssh$auth_attempts = 1;
if ( !authenticated )
event ssh_auth_failed(c);
}
if ( disable_analyzer_after_detection ) if ( authenticated && disable_analyzer_after_detection )
disable_analyzer(c$id, c$ssh$analyzer_id); disable_analyzer(c$id, c$ssh$analyzer_id);
} }
event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5 event ssh_auth_attempted(c: connection, authenticated: bool) &priority=-5
{ {
if ( c?$ssh && !c$ssh$logged ) if ( authenticated && c?$ssh && !c$ssh$logged )
{ {
event ssh_auth_result(c, authenticated, c$ssh$auth_attempts);
c$ssh$logged = T; c$ssh$logged = T;
Log::write(SSH::LOG, c$ssh); Log::write(SSH::LOG, c$ssh);
} }
} }
event ssh_auth_failed(c: connection) &priority=5
{
if ( !c?$ssh || ( c$ssh?$auth_success && !c$ssh$auth_success ) )
return;
# We can't accurately tell for compressed streams
if ( c$ssh?$compression_alg && ( c$ssh$compression_alg in compression_algorithms ) )
return;
c$ssh$auth_success = F;
if ( c$ssh?$auth_attempts )
c$ssh$auth_attempts += 1;
else
c$ssh$auth_attempts = 1;
}
# Determine the negotiated algorithm # Determine the negotiated algorithm
function find_alg(client_algorithms: vector of string, server_algorithms: vector of string): string function find_alg(client_algorithms: vector of string, server_algorithms: vector of string): string
{ {
@ -265,6 +254,9 @@ event connection_state_remove(c: connection) &priority=-5
{ {
if ( c?$ssh && !c$ssh$logged && c$ssh?$client && c$ssh?$server ) if ( c?$ssh && !c$ssh$logged && c$ssh?$client && c$ssh?$server )
{ {
if ( c$ssh?$auth_success )
event ssh_auth_result(c, c$ssh$auth_success, c$ssh$auth_attempts);
c$ssh$logged = T; c$ssh$logged = T;
Log::write(SSH::LOG, c$ssh); Log::write(SSH::LOG, c$ssh);
} }