diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index ac73ba980d..e3b6a2ebd5 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2227,7 +2227,11 @@ export {
 server_to_client: vector of string &optional;
 };
-## SSH Capability record
+## This record lists the preferences of an SSH endpoint for
+## algorithm selection. During the initial :abbr:`SSH (Secure Shell)`
+## key exchange, each endpoint lists the algorithms
+## that it supports, in order of preference. See
+## :rfc:`4253#section-7.1` for details.
 type Capabilities: record {
 ## Key exchange algorithms
 kex_algorithms: string_vec;
diff --git a/src/analyzer/protocol/ssh/events.bif b/src/analyzer/protocol/ssh/events.bif
index c2b4e95673..d60e06f458 100644
--- a/src/analyzer/protocol/ssh/events.bif
+++ b/src/analyzer/protocol/ssh/events.bif
@@ -1,15 +1,133 @@
+## An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
+## from the server. This contains an identification string that's used
+## for version identification. See :rfc:`4253#section-4.2` for
+## details.
+##
+## c: The connection over which the message was sent.
+##
+## version: The identification string
+##
+## .. bro:see:: ssh_client_version ssh_auth_successful ssh_auth_failed
+## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+## ssh_encrypted_packet
 event ssh_server_version%(c: connection, version: string%);
+## An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
+## from the client. This contains an identification string that's used
+## for version identification. See :rfc:`4253#section-4.2` for
+## details.
+##
+## c: The connection over which the message was sent.
+##
+## version: The identification string
+##
+## .. bro:see:: ssh_server_version ssh_auth_successful ssh_auth_failed
+## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+## ssh_encrypted_packet
 event ssh_client_version%(c: connection, version: string%);
+## This event is generated when an :abbr:`SSH (Secure Shell)`
+## connection was determined to have had a successful
+## authentication. This determination is based on packet size
+## analysis, and errs on the side of caution - that is, if there's any
+## doubt about the authentication success, this event is *not* raised.
+##
+## c: The connection over which the :abbr:`SSH (Secure Shell)`
+## connection took place.
+##
+## auth_method_none: This is true if the analyzer detected a
+## successful connection before any authentication challenge. The
+## :abbr:`SSH (Secure Shell)` protocol provides a mechanism for
+## unauthenticated access, which some servers support.
+##
+## .. bro:see:: ssh_server_version ssh_client_version ssh_auth_failed
+## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+## ssh_encrypted_packet
 event ssh_auth_successful%(c: connection, auth_method_none: bool%);
+## This event is generated when an :abbr:`SSH (Secure Shell)`
+## connection was determined to have had a failed authentication. This
+## determination is based on packet size analysis, and errs on the
+## side of caution - that is, if there's any doubt about the
+## authentication failure, this event is *not* raised.
+##
+## c: The connection over which the :abbr:`SSH (Secure Shell)`
+## connection took place.
+##
+## .. bro:see:: ssh_server_version ssh_client_version
+## ssh_auth_successful ssh_capabilities ssh2_server_host_key
+## ssh1_server_host_key ssh_encrypted_packet
 event ssh_auth_failed%(c: connection%);
-event ssh_encrypted_packet%(c: connection, orig: bool, len: count%);
-
+## During the initial :abbr:`SSH (Secure Shell)` key exchange, each
+## endpoint lists the algorithms that it supports, in order of
+## preference. This event is generated for each endpoint, when the
+## SSH_MSG_KEXINIT message is seen. See :rfc:`4253#section-7.1` for
+## details.
+##
+## c: The connection over which the :abbr:`SSH (Secure Shell)`
+## connection took place.
+##
+## cookie: The SSH_MSG_KEXINIT cookie - a random value generated by
+## the sender.
+##
+## capabilities: The list of algorithms and languages that the sender
+## advertises support for, in order of preference.
+##
+## .. bro:see:: ssh_server_version ssh_client_version
+## ssh_auth_successful ssh_auth_failed ssh2_server_host_key
+## ssh1_server_host_key ssh_encrypted_packet
 event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabilities%);
+## During the :abbr:`SSH (Secure Shell)` key exchange, the server
+## supplies its public host key. This event is generated when the
+## appropriate key exchange message is seen for SSH2.
+##
+## c: The connection over which the :abbr:`SSH (Secure Shell)`
+## connection took place.
+##
+## key: The server's public host key. Note that this is the public key
+## itself, and not just the fingerprint or hash.
+##
+## .. bro:see:: ssh_server_version ssh_client_version
+## ssh_auth_successful ssh_auth_failed ssh_capabilities
+## ssh1_server_host_key ssh_encrypted_packet
 event ssh2_server_host_key%(c: connection, key: string%);
-event ssh1_server_host_key%(c: connection, p: string, e: string%);
\ No newline at end of file
+## During the :abbr:`SSH (Secure Shell)` key exchange, the server
+## supplies its public host key. This event is generated when the
+## appropriate key exchange message is seen for SSH1.
+##
+## c: The connection over which the :abbr:`SSH (Secure Shell)`
+## connection took place.
+##
+## p: The prime for the server's public host key.
+##
+## e: The exponent for the serer's public host key.
+##
+## .. bro:see:: ssh_server_version ssh_client_version
+## ssh_auth_successful ssh_auth_failed ssh_capabilities
+## ssh2_server_host_key ssh_encrypted_packet
+event ssh1_server_host_key%(c: connection, p: string, e: string%);
+
+## This event is generated when an :abbr:`SSH (Secure Shell)`
+## encrypted packet is seen. This event is not handled by default, but
+## is provided for heuristic analysis scripts. Note that there *is* a
+## performance penalty for enabling this event. If you would like to
+## use this event, also see
+## :bro:id:`SSH::skip_processing_after_detection`
+##
+## c: The connection over which the :abbr:`SSH (Secure Shell)`
+## connection took place.
+##
+## orig: Whether the packet was sent by the originator of the TCP
+## connection.
+##
+## len: The length of the :abbr:`SSH (Secure Shell)` payload, in
+## bytes. Note that this ignores reassembly, as this is unknown.
+##
+## .. bro:see:: ssh_server_version ssh_client_version
+## ssh_auth_successful ssh_auth_failed ssh_capabilities
+## ssh2_server_host_key ssh1_server_host_key
+event ssh_encrypted_packet%(c: connection, orig: bool, len: count%);
+
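Review bot: The `e:` description for ssh1_server_host_key misspells its subject: `## e: The exponent for the serer's public host key.` should read `## e: The exponent for the server's public host key.`. In the ssh_encrypted_packet block, the sentence that ends with the SSH::skip_processing_after_detection reference has no terminating period, and the `len` note "this ignores reassembly, as this is unknown" leaves it unclear whether `len` is the length of one SSH packet or of the TCP segment it was seen in; stating which would help the heuristic scripts the event is provided for. The ssh_capabilities `cookie` description could also give the size :rfc:`4253#section-7.1` fixes for it, e.g. `## cookie: The SSH_MSG_KEXINIT cookie - a 16-byte random value generated by the sender.`. All of these are documentation-only changes; the event signatures themselves are not in question.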