Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Clean up the logic for ssh_auth_failed. Addresses BIT-1641

Browse source
This commit is contained in:
Vlad Grigorescu 2016-10-13 15:24:38 -05:00
parent 3e7d143e31
commit 7caf2d0356
1 changed files with 13 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

13
scripts/base/protocols/ssh/main.bro
View file

@ -186,8 +186,6 @@ event ssh_auth_attempted(c: connection, authenticated: bool) &priority=5
else else
{ {
c$ssh$auth_attempts = 1; c$ssh$auth_attempts = 1;
if ( !authenticated )
event ssh_auth_failed(c);
} }
if ( authenticated && disable_analyzer_after_detection ) if ( authenticated && disable_analyzer_after_detection )
@ -252,10 +250,15 @@ event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities
event connection_state_remove(c: connection) &priority=-5 event connection_state_remove(c: connection) &priority=-5
{ {
if ( c?$ssh && !c$ssh$logged && c$ssh?$client && c$ssh?$server ) if ( c?$ssh && !c$ssh$logged && c$ssh?$client && c$ssh?$server && c$ssh?$auth_success )
{ {
if ( c$ssh?$auth_success ) # Success get logged immediately. To protect against a race condition, we'll double check:
event ssh_auth_result(c, c$ssh$auth_success, c$ssh$auth_attempts); if ( c$ssh$auth_success )
return;
# Now that we know it's a failure, we'll set the field, raise the event, and log it.
c$ssh$auth_success = F;
event SSH::ssh_auth_failed(c);
c$ssh$logged = T; c$ssh$logged = T;
Log::write(SSH::LOG, c$ssh); Log::write(SSH::LOG, c$ssh);