Fix resp_size in ssh.log, require a minimum resp_size for the heuristic. Some work on geodata, but still a WIP.

This commit is contained in:
Vlad Grigorescu 2013-11-05 11:34:32 -05:00
parent 886266e8af
commit 2cf90d986e
2 changed files with 24 additions and 14 deletions


@ -24,21 +24,29 @@ export {
const watched_countries: set[string] = {"RO"} &redef;
}
function get_location(c: connection): geo_location
{
local lookup_ip = (c$ssh$direction == OUTBOUND) ? c$id$resp_h : c$id$orig_h;
return lookup_location(lookup_ip);
}
event SSH::heuristic_successful_login(c: connection) &priority=5
{
local location: geo_location;
location = (c$ssh$direction == OUTBOUND) ?
lookup_location(c$id$resp_h) : lookup_location(c$id$orig_h);
# Add the location data to the SSH record.
c$ssh$remote_location = location;
c$ssh$remote_location = get_location(c);
if ( location?$country_code && location$country_code in watched_countries )
if ( c$ssh$remote_location?$country_code && c$ssh$remote_location$country_code in watched_countries )
{
NOTICE([$note=Watched_Country_Login,
$conn=c,
$msg=fmt("SSH login %s watched country: %s",
(c$ssh$direction == OUTBOUND) ? "to" : "from",
location$country_code)]);
c$ssh$remote_location$country_code)]);
}
}
event SSH::heuristic_failed_login(c: connection) &priority=5
{
# Add the location data to the SSH record.
c$ssh$remote_location = get_location(c);
}
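Review bot: `get_location` reads `c$ssh$direction` unconditionally, and with this hunk it is now called from both login events, so if `direction` is an `&optional` field of the SSH record (it appears to be set only once the heuristic has decided which side is the client) a connection that reaches either event without it would abort the script with a missing-field error rather than log; a guard such as `if ( ! c$ssh?$direction ) return lookup_location(c$id$orig_h);` at the top of the function, or a `c$ssh?$direction` check at the call sites, would make the lookup total. The `heuristic_failed_login` handler only records the location and never raises `Watched_Country_Login`, which is presumably intended for the WIP but deserves a comment so it is not read as an omission. The helper itself has no doc comment; I would add `# Resolve the remote endpoint's geo data: the responder for an outbound SSH connection, the originator otherwise.` above its declaration. Note that the `resp_size` fix named in the commit title is not in this file section.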