SSH: Add documentation

scripts/base/init-bare.bro

@@ -2227,7 +2227,11 @@ export {
 		server_to_client: vector of string &optional;
 	};
 	
-	## SSH Capability record
+	## This record lists the preferences of an SSH endpoint for
+	## algorithm selection. During the initial :abbr:`SSH (Secure Shell)`
+	## key exchange, each endpoint lists the algorithms
+	## that it supports, in order of preference. See
+	## :rfc:`4253#section-7.1` for details.
 	type Capabilities: record {
 		## Key exchange algorithms
 		kex_algorithms:             string_vec;

src/analyzer/protocol/ssh/events.bif

@@ -1,15 +1,133 @@
+## An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
+## from the server. This contains an identification string that's used
+## for version identification. See :rfc:`4253#section-4.2` for
+## details.
+##
+## c: The connection over which the message was sent.
+##
+## version: The identification string
+##
+## .. bro:see:: ssh_client_version ssh_auth_successful ssh_auth_failed
+##    ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+##    ssh_encrypted_packet
 event ssh_server_version%(c: connection, version: string%);
 
+## An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
+## from the client. This contains an identification string that's used
+## for version identification. See :rfc:`4253#section-4.2` for
+## details.
+##
+## c: The connection over which the message was sent.
+##
+## version: The identification string
+##
+## .. bro:see:: ssh_server_version ssh_auth_successful ssh_auth_failed
+##    ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+##    ssh_encrypted_packet
 event ssh_client_version%(c: connection, version: string%);
 
+## This event is generated when an :abbr:`SSH (Secure Shell)`
+## connection was determined to have had a successful
+## authentication. This determination is based on packet size
+## analysis, and errs on the side of caution - that is, if there's any
+## doubt about the authentication success, this event is *not* raised.
+##
+## c: The connection over which the :abbr:`SSH (Secure Shell)`
+##    connection took place.
+##
+## auth_method_none: This is true if the analyzer detected a
+##    successful connection before any authentication challenge. The
+##    :abbr:`SSH (Secure Shell)` protocol provides a mechanism for
+##    unauthenticated access, which some servers support.
+##
+## .. bro:see:: ssh_server_version ssh_client_version ssh_auth_failed
+##    ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+##    ssh_encrypted_packet
 event ssh_auth_successful%(c: connection, auth_method_none: bool%);
 
+## This event is generated when an :abbr:`SSH (Secure Shell)`
+## connection was determined to have had a failed authentication. This
+## determination is based on packet size analysis, and errs on the
+## side of caution - that is, if there's any doubt about the
+## authentication failure, this event is *not* raised.
+##
+## c: The connection over which the :abbr:`SSH (Secure Shell)`
+##    connection took place.
+##
+## .. bro:see:: ssh_server_version ssh_client_version
+##    ssh_auth_successful ssh_capabilities ssh2_server_host_key
+##    ssh1_server_host_key ssh_encrypted_packet
 event ssh_auth_failed%(c: connection%);
 
-event ssh_encrypted_packet%(c: connection, orig: bool, len: count%);
+## During the initial :abbr:`SSH (Secure Shell)` key exchange, each
-
+## endpoint lists the algorithms that it supports, in order of
+## preference. This event is generated for each endpoint, when the
+## SSH_MSG_KEXINIT message is seen. See :rfc:`4253#section-7.1` for
+## details.
+##
+## c: The connection over which the :abbr:`SSH (Secure Shell)`
+##    connection took place.
+##
+## cookie: The SSH_MSG_KEXINIT cookie - a random value generated by
+##    the sender.
+##
+## capabilities: The list of algorithms and languages that the sender
+##    advertises support for, in order of preference.
+##
+## .. bro:see:: ssh_server_version ssh_client_version
+##    ssh_auth_successful ssh_auth_failed ssh2_server_host_key
+##    ssh1_server_host_key ssh_encrypted_packet
 event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabilities%);
 
+## During the :abbr:`SSH (Secure Shell)` key exchange, the server
+## supplies its public host key. This event is generated when the
+## appropriate key exchange message is seen for SSH2.
+##
+## c: The connection over which the :abbr:`SSH (Secure Shell)`
+##    connection took place.
+##
+## key: The server's public host key. Note that this is the public key
+##    itself, and not just the fingerprint or hash.
+##
+## .. bro:see:: ssh_server_version ssh_client_version
+##    ssh_auth_successful ssh_auth_failed ssh_capabilities
+##    ssh1_server_host_key ssh_encrypted_packet
 event ssh2_server_host_key%(c: connection, key: string%);
 
+## During the :abbr:`SSH (Secure Shell)` key exchange, the server
+## supplies its public host key. This event is generated when the
+## appropriate key exchange message is seen for SSH1.
+##
+## c: The connection over which the :abbr:`SSH (Secure Shell)`
+##    connection took place.
+##
+## p: The prime for the server's public host key.
+##
+## e: The exponent for the serer's public host key.
+##
+## .. bro:see:: ssh_server_version ssh_client_version
+##    ssh_auth_successful ssh_auth_failed ssh_capabilities
+##    ssh2_server_host_key ssh_encrypted_packet
 event ssh1_server_host_key%(c: connection, p: string, e: string%);
+
+## This event is generated when an :abbr:`SSH (Secure Shell)`
+## encrypted packet is seen. This event is not handled by default, but
+## is provided for heuristic analysis scripts. Note that there *is* a
+## performance penalty for enabling this event. If you would like to
+## use this event, also see
+## :bro:id:`SSH::skip_processing_after_detection`
+##
+## c: The connection over which the :abbr:`SSH (Secure Shell)`
+##    connection took place.
+##
+## orig: Whether the packet was sent by the originator of the TCP
+##    connection.
+##
+## len: The length of the :abbr:`SSH (Secure Shell)` payload, in
+##    bytes. Note that this ignores reassembly, as this is unknown.
+##
+## .. bro:see:: ssh_server_version ssh_client_version
+##    ssh_auth_successful ssh_auth_failed ssh_capabilities
+##    ssh2_server_host_key ssh1_server_host_key
+event ssh_encrypted_packet%(c: connection, orig: bool, len: count%);
+