Simply ssh/main.zeek by using "ssh_server_host_key" for fingerprinting

2025-10-02 14:48:21 +00:00 · 2020-11-14 08:40:27 -08:00 · 2020-11-14 08:40:27 -08:00 · 331b94db39
commit 331b94db39
parent 45449dad72
3 changed files with 22 additions and 34 deletions
--- a/src/analyzer/protocol/ssh/ssh-analyzer.pac
+++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac
@ -157,13 +157,6 @@ refine flow SSH_Flow += {

 	function proc_ssh2_server_host_key(key: bytestring): bool
 		%{
-		if ( ssh2_server_host_key )
-			{
-			zeek::BifEvent::enqueue_ssh2_server_host_key(connection()->zeek_analyzer(),
-				connection()->zeek_analyzer()->Conn(),
-				to_stringval(${key}));
-			}
-
 		if ( ssh_server_host_key )
 			{
 			unsigned char digest[MD5_DIGEST_LENGTH];
@ -174,21 +167,18 @@ refine flow SSH_Flow += {
 				zeek::make_intrusive<zeek::StringVal>(fingerprint_md5(digest)));
 			}

+		if ( ssh2_server_host_key )
+			{
+			zeek::BifEvent::enqueue_ssh2_server_host_key(connection()->zeek_analyzer(),
+				connection()->zeek_analyzer()->Conn(),
+				to_stringval(${key}));
+			}
+
 		return true;
 		%}

 	function proc_ssh1_server_host_key(exp: bytestring, mod: bytestring): bool
 		%{
-		if ( ssh1_server_host_key )
-			{
-			zeek::BifEvent::enqueue_ssh1_server_host_key(connection()->zeek_analyzer(),
-				connection()->zeek_analyzer()->Conn(),
-				to_stringval(${exp}),
-				to_stringval(${mod}),
-				to_stringval(${mod}),
-				to_stringval(${exp}));
-			}
-
 		if ( ssh_server_host_key )
 			{
 			unsigned char digest[MD5_DIGEST_LENGTH];
@ -203,6 +193,16 @@ refine flow SSH_Flow += {
 				zeek::make_intrusive<zeek::StringVal>(fingerprint_md5(digest)));
 			}

+		if ( ssh1_server_host_key )
+			{
+			zeek::BifEvent::enqueue_ssh1_server_host_key(connection()->zeek_analyzer(),
+				connection()->zeek_analyzer()->Conn(),
+				to_stringval(${exp}),
+				to_stringval(${mod}),
+				to_stringval(${mod}),
+				to_stringval(${exp}));
+			}
+
 		return true;
 		%}