From 46f727a6fa327e09d246d02148a2f5141512bc5a Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Tue, 23 Oct 2018 10:35:18 -0500
Subject: [PATCH 1/2] Generate ssh_auth_attempted for the 'none' authentication method.

ssh_auth_attempted sets some requisite fields that ssh_auth_successful relies on. ssh_auth_attempted wasn't getting called because of a logic error. For a more complete discussion of this issue, see: https://github.com/bro/bro/issues/192
---
 src/analyzer/protocol/ssh/SSH.cc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/analyzer/protocol/ssh/SSH.cc b/src/analyzer/protocol/ssh/SSH.cc
index 3b94f1f26c..3f87052d30 100644
--- a/src/analyzer/protocol/ssh/SSH.cc
+++ b/src/analyzer/protocol/ssh/SSH.cc
@@ -106,6 +106,8 @@ void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
 if ( ! userauth_failure_size && (len + 16 == service_accept_size) )
 {
 auth_decision_made = true;
+ if ( ssh_auth_attempted )
+ BifEvent::generate_ssh_auth_attempted(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
 if ( ssh_auth_successful )
 BifEvent::generate_ssh_auth_successful(interp->bro_analyzer(), interp->bro_analyzer()->Conn(), true);
 return;

From 91a74c72008eccbe450d8e6fcb6da0234d86c241 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Tue, 23 Oct 2018 10:49:53 -0500
Subject: [PATCH 2/2] Update btest baselines for fix in 46f727a6fa327e09d246d02148a2f5141512bc5a

---
 .../btest/Baseline/scripts.base.protocols.ssh.basic/.stdout | 1 +
 .../btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/.stdout
index 9b9aca0d64..02859c6632 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/.stdout
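Review bot: The `true` passed to the added `generate_ssh_auth_attempted` call and the `true` passed to the existing `generate_ssh_auth_successful` call look identical but mean different things — per the event signatures the first reports the attempt as authenticated, the second flags that the 'none' method was used — and nothing in the hunk says so, nor that the attempted event must be raised before the successful one because the script-level handler for the latter reads fields the former sets (the commit message states this dependency). A comment above the added `if ( ssh_auth_attempted )` would capture both, e.g. `// 'none' auth: raise ssh_auth_attempted (authenticated) before ssh_auth_successful (auth_method_none); the script-level success handler reads state the attempted handler sets`. This path decides on the `len + 16 == service_accept_size` size heuristic over encrypted traffic with no observed userauth failure, so a false match now records both an authenticated attempt and a success; stating that in the same comment tells readers that `auth_success`/`auth_attempts` in ssh.log are inferred on this path. ProcessEncrypted begins and ends outside this hunk.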
@@ -1,5 +1,6 @@
 auth_result, ClEkJM2Vm5giqnMf4h, T, 1
 auth_result, C4J4Th3PJpwUYZZ6gc, T, 3
+auth_result, CUM0KZ3MLUfNB0cl11, T, 1
 auth_result, Ck51lg1bScffFj34Ri, T, 2
 auth_result, C9mvWx3ezztgzcexV7, T, 5
 auth_result, CNnMIj2QSd84NKf7U3, T, 1
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log
index 473d109bb1..f4e2962e1e 100644
--- a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log
+++ b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/ssh.log
@@ -3,14 +3,14 @@
 #empty_field (empty)
 #unset_field -
 #path ssh
-#open 2018-10-16-15-00-07
+#open 2018-10-23-15-34-42
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success auth_attempts direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key
 #types time string addr port addr port count bool count enum string string string string string string string string
 1324071333.792887 CHhAvVGS1DHFjwGM9 192.168.1.79 51880 131.159.21.1 22 2 - 0 - SSH-2.0-OpenSSH_5.9 SSH-2.0-OpenSSH_5.8 aes128-ctr hmac-md5 zlib@openssh.com ecdh-sha2-nistp256 ecdsa-sha2-nistp256 a7:26:62:3f:75:1f:33:8a:f3:32:90:8b:73:fd:2c:83
 1409516196.413240 ClEkJM2Vm5giqnMf4h 10.0.0.18 40184 128.2.6.88 41644 2 T 1 - SSH-2.0-OpenSSH_6.6 SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1 aes128-ctr hmac-md5 none ecdh-sha2-nistp256 ssh-rsa 8a:8d:55:28:1e:71:04:99:94:43:22:89:e5:ff:e9:03
 1419870189.489202 C4J4Th3PJpwUYZZ6gc 192.168.2.1 57189 192.168.2.158 22 2 T 3 - SSH-2.0-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 aes128-ctr hmac-md5-etm@openssh.com none diffie-hellman-group-exchange-sha256 ssh-rsa 28:78:65:c1:c3:26:f7:1b:65:6a:44:14:d0:04:8f:b3
 1419870206.111841 CtPZjS20MLrsMUOJi2 192.168.2.1 57191 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
-1419996264.344957 CUM0KZ3MLUfNB0cl11 192.168.2.1 55179 192.168.2.158 2200 2 - 0 - SSH-2.0-OpenSSH_6.2 SSH-2.0-paramiko_1.15.2 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5
+1419996264.344957 CUM0KZ3MLUfNB0cl11 192.168.2.1 55179 192.168.2.158 2200 2 T 1 - SSH-2.0-OpenSSH_6.2 SSH-2.0-paramiko_1.15.2 aes128-ctr hmac-md5 none diffie-hellman-group-exchange-sha1 ssh-rsa 60:73:38:44:cb:51:86:65:7f:de:da:a2:2b:5a:57:d5
 1420588548.729561 CmES5u32sYpV7JYN 192.168.2.1 56594 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_5.3 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - 
- - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
 1420590124.885826 CP5puj4I8PtEU4qzYg 192.168.2.1 56821 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
 1420590308.781231 C37jN32gN3y3AZzyf6 192.168.2.1 56837 192.168.2.158 22 1 - 0 - SSH-1.5-OpenSSH_6.2 SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - a1:73:d1:e1:25:72:79:71:56:56:65:ed:81:bf:67:98
@@ -28,4 +28,4 @@
 1421041177.031508 CLNN1k2QMum1aexUK7 192.168.1.32 58641 131.103.20.168 22 2 F 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr umac-64@openssh.com none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
 1421041299.777962 CBA8792iHmnhPLksKa 192.168.1.32 58646 131.103.20.168 22 2 T 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr umac-64@openssh.com none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
 1421041526.353524 CGLPPc35OzDQij1XX8 192.168.1.32 58649 131.103.20.168 22 2 T 1 - SSH-2.0-OpenSSH_6.7 SSH-2.0-OpenSSH_5.3 aes128-ctr umac-64@openssh.com none diffie-hellman-group-exchange-sha256 ssh-rsa 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40
-#close 2018-10-16-15-00-07
+#close 2018-10-23-15-34-42