Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Simply ssh/main.zeek by using "ssh_server_host_key" for fingerprinting

Browse source
This commit is contained in:
Jon Siwek 2020-11-14 08:40:27 -08:00
parent 45449dad72
commit 331b94db39
3 changed files with 22 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

16
scripts/base/protocols/ssh/main.zeek
View file

@ -282,24 +282,12 @@ event ssh_auth_failed(c: connection) &priority=-5
event ssh_auth_result(c, F, c$ssh$auth_attempts); event ssh_auth_result(c, F, c$ssh$auth_attempts);
} }
event ssh_server_host_key(c: connection, hash: string) &priority=5
function generate_fingerprint(c: connection, key: string)
{ {
if ( ! c?$ssh ) if ( ! c?$ssh )
return; return;
local lx = str_split_indices(md5_hash(key), vector(2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30)); c$ssh$host_key = hash;
c$ssh$host_key = join_string_vec(lx, ":");
}
event ssh1_server_host_key(c: connection, modulus: string, exponent: string) &priority=5
{
generate_fingerprint(c, modulus + exponent);
}
event ssh2_server_host_key(c: connection, key: string) &priority=5
{
generate_fingerprint(c, key);
} }
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20 event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20

34
src/analyzer/protocol/ssh/ssh-analyzer.pac
View file

@ -157,13 +157,6 @@ refine flow SSH_Flow += {
function proc_ssh2_server_host_key(key: bytestring): bool function proc_ssh2_server_host_key(key: bytestring): bool
%{ %{
if ( ssh2_server_host_key )
{
zeek::BifEvent::enqueue_ssh2_server_host_key(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
to_stringval(${key}));
}
if ( ssh_server_host_key ) if ( ssh_server_host_key )
{ {
unsigned char digest[MD5_DIGEST_LENGTH]; unsigned char digest[MD5_DIGEST_LENGTH];
@ -174,21 +167,18 @@ refine flow SSH_Flow += {
zeek::make_intrusive<zeek::StringVal>(fingerprint_md5(digest))); zeek::make_intrusive<zeek::StringVal>(fingerprint_md5(digest)));
} }
if ( ssh2_server_host_key )
{
zeek::BifEvent::enqueue_ssh2_server_host_key(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
to_stringval(${key}));
}
return true; return true;
%} %}
function proc_ssh1_server_host_key(exp: bytestring, mod: bytestring): bool function proc_ssh1_server_host_key(exp: bytestring, mod: bytestring): bool
%{ %{
if ( ssh1_server_host_key )
{
zeek::BifEvent::enqueue_ssh1_server_host_key(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
to_stringval(${exp}),
to_stringval(${mod}),
to_stringval(${mod}),
to_stringval(${exp}));
}
if ( ssh_server_host_key ) if ( ssh_server_host_key )
{ {
unsigned char digest[MD5_DIGEST_LENGTH]; unsigned char digest[MD5_DIGEST_LENGTH];
@ -203,6 +193,16 @@ refine flow SSH_Flow += {
zeek::make_intrusive<zeek::StringVal>(fingerprint_md5(digest))); zeek::make_intrusive<zeek::StringVal>(fingerprint_md5(digest)));
} }
if ( ssh1_server_host_key )
{
zeek::BifEvent::enqueue_ssh1_server_host_key(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(),
to_stringval(${exp}),
to_stringval(${mod}),
to_stringval(${mod}),
to_stringval(${exp}));
}
return true; return true;
%} %}

4
testing/btest/Baseline/scripts.base.protocols.ssh.fingerprints/out
View file

@ -1,5 +1,5 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ssh2 server host key fingerprint, c7eb775dd16431d61be8995fa709a1d7
ssh server host key fingerprint, c7:eb:77:5d:d1:64:31:d6:1b:e8:99:5f:a7:09:a1:d7 ssh server host key fingerprint, c7:eb:77:5d:d1:64:31:d6:1b:e8:99:5f:a7:09:a1:d7
ssh1 server host key fingerprint, 5517ebfa2e7fb37b33427c9d448556da ssh2 server host key fingerprint, c7eb775dd16431d61be8995fa709a1d7
ssh server host key fingerprint, 55:17:eb:fa:2e:7f:b3:7b:33:42:7c:9d:44:85:56:da ssh server host key fingerprint, 55:17:eb:fa:2e:7f:b3:7b:33:42:7c:9d:44:85:56:da
ssh1 server host key fingerprint, 5517ebfa2e7fb37b33427c9d448556da