Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Simply ssh/main.zeek by using "ssh_server_host_key" for fingerprinting

Browse source
This commit is contained in:
Jon Siwek 2020-11-14 08:40:27 -08:00
parent 45449dad72
commit 331b94db39
3 changed files with 22 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

18
scripts/base/protocols/ssh/main.zeek
View file

@ -282,24 +282,12 @@ event ssh_auth_failed(c: connection) &priority=-5
event ssh_auth_result(c, F, c$ssh$auth_attempts);
}
function generate_fingerprint(c: connection, key: string)
event ssh_server_host_key(c: connection, hash: string) &priority=5
{
if ( !c?$ssh )
if ( ! c?$ssh )
return;
local lx = str_split_indices(md5_hash(key), vector(2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30));
c$ssh$host_key = join_string_vec(lx, ":");
}
event ssh1_server_host_key(c: connection, modulus: string, exponent: string) &priority=5
{
generate_fingerprint(c, modulus + exponent);
}
event ssh2_server_host_key(c: connection, key: string) &priority=5
{
generate_fingerprint(c, key);
c$ssh$host_key = hash;
}
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20