Fix resp_size in ssh.log, require a minimum resp_size for the heuristic. Some work on geodata, but still a WIP.

Vlad Grigorescu 2013-11-05 11:34:32 -05:00
parent 886266e8af
commit 2cf90d986e
2 changed files with 24 additions and 14 deletions


@ -107,10 +107,10 @@ function check_ssh_connection(c: connection, done: bool)
# this matches the conditions for a failed login. Failed # this matches the conditions for a failed login. Failed
# logins are only detected at connection state removal. # logins are only detected at connection state removal.
if ( # Require originators to have sent at least 50 bytes. if ( # Require originators and responders to have sent at least 50 bytes.
c$orig$size > 50 && c$orig$size > 50 && c$resp$size > 50 &&
# Responders must be below 4000 bytes. # Responders must be below 4000 bytes.
c$resp$size < 4000 && c$resp$size < authentication_data_size &&
# Responder must have sent fewer than 40 packets. # Responder must have sent fewer than 40 packets.
c$resp$num_pkts < 40 && c$resp$num_pkts < 40 &&
# If there was a content gap we can't reliably do this heuristic. # If there was a content gap we can't reliably do this heuristic.
@ -122,7 +122,7 @@ function check_ssh_connection(c: connection, done: bool)
event SSH::heuristic_failed_login(c); event SSH::heuristic_failed_login(c);
} }
if ( c$resp$size > authentication_data_size ) if ( c$resp$size >= authentication_data_size )
{ {
c$ssh$status = "success"; c$ssh$status = "success";
event SSH::heuristic_successful_login(c); event SSH::heuristic_successful_login(c);
@ -132,7 +132,7 @@ function check_ssh_connection(c: connection, done: bool)
{ {
# If this connection is still being tracked, then it's possible # If this connection is still being tracked, then it's possible
# to watch for it to be a successful connection. # to watch for it to be a successful connection.
if ( c$resp$size > authentication_data_size ) if ( c$resp$size >= authentication_data_size )
{ {
c$ssh$status = "success"; c$ssh$status = "success";
event SSH::heuristic_successful_login(c); event SSH::heuristic_successful_login(c);
@ -150,8 +150,6 @@ function check_ssh_connection(c: connection, done: bool)
# after detection is done. # after detection is done.
c$ssh$done=T; c$ssh$done=T;
Log::write(SSH::LOG, c$ssh);
if ( skip_processing_after_detection ) if ( skip_processing_after_detection )
{ {
# Stop watching this connection, we don't care about it anymore. # Stop watching this connection, we don't care about it anymore.
@ -164,7 +162,11 @@ function check_ssh_connection(c: connection, done: bool)
event connection_state_remove(c: connection) &priority=-5 event connection_state_remove(c: connection) &priority=-5
{ {
if ( c?$ssh ) if ( c?$ssh )
{
check_ssh_connection(c, T); check_ssh_connection(c, T);
c$ssh$resp_size = c$resp$size;
Log::write(SSH::LOG, c$ssh);
}
} }
event ssh_watcher(c: connection) event ssh_watcher(c: connection)
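Review bot: The comment above the changed threshold in the first hunk is now stale: `# Responders must be below 4000 bytes.` still names the old literal while the condition it annotates compares against `authentication_data_size`; change it to `# Responders must have sent fewer than authentication_data_size bytes.` (the neighbouring comment was updated to "originators and responders", so this one looks missed). check_ssh_connection starts before the first hunk, so the remainder of the condition is outside view. In the last hunk, `c$ssh$resp_size` is filled from `c$resp$size` inside connection_state_remove, i.e. it records the responder's byte count at teardown rather than at the moment the heuristic fired; if the field is meant to let an analyst reproduce the success/failure decision, a comment on that line saying which value it holds would avoid misreading the log.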


@ -24,21 +24,29 @@ export {
const watched_countries: set[string] = {"RO"} &redef; const watched_countries: set[string] = {"RO"} &redef;
} }
function get_location(c: connection): geo_location
{
local lookup_ip = (c$ssh$direction == OUTBOUND) ? c$id$resp_h : c$id$orig_h;
return lookup_location(lookup_ip);
}
event SSH::heuristic_successful_login(c: connection) &priority=5 event SSH::heuristic_successful_login(c: connection) &priority=5
{ {
local location: geo_location;
location = (c$ssh$direction == OUTBOUND) ?
lookup_location(c$id$resp_h) : lookup_location(c$id$orig_h);
# Add the location data to the SSH record. # Add the location data to the SSH record.
c$ssh$remote_location = location; c$ssh$remote_location = get_location(c);
if ( location?$country_code && location$country_code in watched_countries ) if ( c$ssh$remote_location?$country_code && c$ssh$remote_location$country_code in watched_countries )
{ {
NOTICE([$note=Watched_Country_Login, NOTICE([$note=Watched_Country_Login,
$conn=c, $conn=c,
$msg=fmt("SSH login %s watched country: %s", $msg=fmt("SSH login %s watched country: %s",
(c$ssh$direction == OUTBOUND) ? "to" : "from", (c$ssh$direction == OUTBOUND) ? "to" : "from",
location$country_code)]); c$ssh$remote_location$country_code)]);
} }
} }
event SSH::heuristic_failed_login(c: connection) &priority=5
{
# Add the location data to the SSH record.
c$ssh$remote_location = get_location(c);
}
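Review bot: `get_location` has no comment explaining its selection rule, and it is now the only place the originator/responder choice lives; a one-line header such as `# Look up the geo location of the remote side: the responder for OUTBOUND sessions, the originator otherwise.` would make both callers self-explanatory. The helper reads `c$ssh$direction` without a `c?$ssh` test, which is safe only while both SSH::heuristic_* events are raised from code that has already checked `c?$ssh` (as the connection_state_remove hunk in the other file does); stating that precondition in the same comment would protect the next caller. The new failed-login handler records the location but raises no notice for watched countries, which appears to be the "WIP" the commit message refers to; a `# TODO` line there would make that intent explicit.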