mirror of
https://github.com/zeek/zeek.git
synced 2025-10-09 10:08:20 +00:00
SSH: Add documentation
parent 82c4037929
commit 370f4f2179
2 changed files with 126 additions and 4 deletions
|
@ -2227,7 +2227,11 @@ export {
|
|||
server_to_client: vector of string &optional;
|
||||
};
|
||||
|
||||
## SSH Capability record
|
||||
## This record lists the preferences of an SSH endpoint for
|
||||
## algorithm selection. During the initial :abbr:`SSH (Secure Shell)`
|
||||
## key exchange, each endpoint lists the algorithms
|
||||
## that it supports, in order of preference. See
|
||||
## :rfc:`4253#section-7.1` for details.
|
||||
type Capabilities: record {
|
||||
## Key exchange algorithms
|
||||
kex_algorithms: string_vec;
|
||||
|
|
|
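Review bot: The first line of the comment above `type Capabilities: record`, "SSH Capability record", has no terminating period and no empty `##` line after it, so in the generated documentation it runs straight into "This record lists the preferences of an SSH endpoint ..." as a single sentence. Drop that line, or end it with a period and follow it with a bare `##`. The comment also speaks only of algorithms, while the `ssh_capabilities` event comment describes the same record as a "list of algorithms and languages"; use one wording in both places.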
@ -1,15 +1,133 @@
|
|||
## An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
|
||||
## from the server. This contains an identification string that's used
|
||||
## for version identification. See :rfc:`4253#section-4.2` for
|
||||
## details.
|
||||
##
|
||||
## c: The connection over which the message was sent.
|
||||
##
|
||||
## version: The identification string
|
||||
##
|
||||
## .. bro:see:: ssh_client_version ssh_auth_successful ssh_auth_failed
|
||||
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
|
||||
## ssh_encrypted_packet
|
||||
event ssh_server_version%(c: connection, version: string%);
|
||||
|
||||
## An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
|
||||
## from the client. This contains an identification string that's used
|
||||
## for version identification. See :rfc:`4253#section-4.2` for
|
||||
## details.
|
||||
##
|
||||
## c: The connection over which the message was sent.
|
||||
##
|
||||
## version: The identification string
|
||||
##
|
||||
## .. bro:see:: ssh_server_version ssh_auth_successful ssh_auth_failed
|
||||
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
|
||||
## ssh_encrypted_packet
|
||||
event ssh_client_version%(c: connection, version: string%);
|
||||
|
||||
## This event is generated when an :abbr:`SSH (Secure Shell)`
|
||||
## connection was determined to have had a successful
|
||||
## authentication. This determination is based on packet size
|
||||
## analysis, and errs on the side of caution - that is, if there's any
|
||||
## doubt about the authentication success, this event is *not* raised.
|
||||
##
|
||||
## c: The connection over which the :abbr:`SSH (Secure Shell)`
|
||||
## connection took place.
|
||||
##
|
||||
## auth_method_none: This is true if the analyzer detected a
|
||||
## successful connection before any authentication challenge. The
|
||||
## :abbr:`SSH (Secure Shell)` protocol provides a mechanism for
|
||||
## unauthenticated access, which some servers support.
|
||||
##
|
||||
## .. bro:see:: ssh_server_version ssh_client_version ssh_auth_failed
|
||||
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
|
||||
## ssh_encrypted_packet
|
||||
event ssh_auth_successful%(c: connection, auth_method_none: bool%);
|
||||
|
||||
## This event is generated when an :abbr:`SSH (Secure Shell)`
|
||||
## connection was determined to have had a failed authentication. This
|
||||
## determination is based on packet size analysis, and errs on the
|
||||
## side of caution - that is, if there's any doubt about the
|
||||
## authentication failure, this event is *not* raised.
|
||||
##
|
||||
## c: The connection over which the :abbr:`SSH (Secure Shell)`
|
||||
## connection took place.
|
||||
##
|
||||
## .. bro:see:: ssh_server_version ssh_client_version
|
||||
## ssh_auth_successful ssh_capabilities ssh2_server_host_key
|
||||
## ssh1_server_host_key ssh_encrypted_packet
|
||||
event ssh_auth_failed%(c: connection%);
|
||||
|
||||
event ssh_encrypted_packet%(c: connection, orig: bool, len: count%);
|
||||
|
||||
## During the initial :abbr:`SSH (Secure Shell)` key exchange, each
|
||||
## endpoint lists the algorithms that it supports, in order of
|
||||
## preference. This event is generated for each endpoint, when the
|
||||
## SSH_MSG_KEXINIT message is seen. See :rfc:`4253#section-7.1` for
|
||||
## details.
|
||||
##
|
||||
## c: The connection over which the :abbr:`SSH (Secure Shell)`
|
||||
## connection took place.
|
||||
##
|
||||
## cookie: The SSH_MSG_KEXINIT cookie - a random value generated by
|
||||
## the sender.
|
||||
##
|
||||
## capabilities: The list of algorithms and languages that the sender
|
||||
## advertises support for, in order of preference.
|
||||
##
|
||||
## .. bro:see:: ssh_server_version ssh_client_version
|
||||
## ssh_auth_successful ssh_auth_failed ssh2_server_host_key
|
||||
## ssh1_server_host_key ssh_encrypted_packet
|
||||
event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabilities%);
|
||||
|
||||
## During the :abbr:`SSH (Secure Shell)` key exchange, the server
|
||||
## supplies its public host key. This event is generated when the
|
||||
## appropriate key exchange message is seen for SSH2.
|
||||
##
|
||||
## c: The connection over which the :abbr:`SSH (Secure Shell)`
|
||||
## connection took place.
|
||||
##
|
||||
## key: The server's public host key. Note that this is the public key
|
||||
## itself, and not just the fingerprint or hash.
|
||||
##
|
||||
## .. bro:see:: ssh_server_version ssh_client_version
|
||||
## ssh_auth_successful ssh_auth_failed ssh_capabilities
|
||||
## ssh1_server_host_key ssh_encrypted_packet
|
||||
event ssh2_server_host_key%(c: connection, key: string%);
|
||||
|
||||
## During the :abbr:`SSH (Secure Shell)` key exchange, the server
|
||||
## supplies its public host key. This event is generated when the
|
||||
## appropriate key exchange message is seen for SSH1.
|
||||
##
|
||||
## c: The connection over which the :abbr:`SSH (Secure Shell)`
|
||||
## connection took place.
|
||||
##
|
||||
## p: The prime for the server's public host key.
|
||||
##
|
||||
## e: The exponent for the serer's public host key.
|
||||
##
|
||||
## .. bro:see:: ssh_server_version ssh_client_version
|
||||
## ssh_auth_successful ssh_auth_failed ssh_capabilities
|
||||
## ssh2_server_host_key ssh_encrypted_packet
|
||||
event ssh1_server_host_key%(c: connection, p: string, e: string%);
|
||||
|
||||
## This event is generated when an :abbr:`SSH (Secure Shell)`
|
||||
## encrypted packet is seen. This event is not handled by default, but
|
||||
## is provided for heuristic analysis scripts. Note that there *is* a
|
||||
## performance penalty for enabling this event. If you would like to
|
||||
## use this event, also see
|
||||
## :bro:id:`SSH::skip_processing_after_detection`
|
||||
##
|
||||
## c: The connection over which the :abbr:`SSH (Secure Shell)`
|
||||
## connection took place.
|
||||
##
|
||||
## orig: Whether the packet was sent by the originator of the TCP
|
||||
## connection.
|
||||
##
|
||||
## len: The length of the :abbr:`SSH (Secure Shell)` payload, in
|
||||
## bytes. Note that this ignores reassembly, as this is unknown.
|
||||
##
|
||||
## .. bro:see:: ssh_server_version ssh_client_version
|
||||
## ssh_auth_successful ssh_auth_failed ssh_capabilities
|
||||
## ssh2_server_host_key ssh1_server_host_key
|
||||
event ssh_encrypted_packet%(c: connection, orig: bool, len: count%);
|
||||
|
||||
|
|
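Review bot: In the `ssh1_server_host_key` comment, `p` is documented as "The prime for the server's public host key", but an SSH1 host key is an RSA key whose public part is a modulus and an exponent, so "prime" looks wrong; check which value the analyzer passes in `p` and which in `e`, and describe them accordingly. The `e` line in the same comment has a typo, "serer's" for "server's". `event ssh_encrypted_packet` also appears twice in this hunk, once undocumented after `ssh_auth_failed` and once documented at the end; only the documented declaration should remain in the resulting file. In its `len` description, "this ignores reassembly, as this is unknown" does not say what is unknown and should be spelled out.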