Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Clean up the logic for ssh_auth_failed. Addresses BIT-1641

Browse source
This commit is contained in:
Vlad Grigorescu 2016-10-13 15:24:38 -05:00
parent 3e7d143e31
commit 7caf2d0356
1 changed files with 13 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

23
scripts/base/protocols/ssh/main.bro
View file

@ -77,7 +77,7 @@ export {
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key ## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params ## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key ## ssh2_gss_error ssh2_ecc_key
global ssh_auth_failed: event (c: connection); global ssh_auth_failed: event(c: connection);
## This event is generated when a determination has been made about ## This event is generated when a determination has been made about
## the final authentication result of an :abbr:`SSH (Secure Shell)` ## the final authentication result of an :abbr:`SSH (Secure Shell)`
@ -100,7 +100,7 @@ export {
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key ## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params ## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key ## ssh2_gss_error ssh2_ecc_key
global ssh_auth_result: event (c: connection, result: bool, auth_attempts: count); global ssh_auth_result: event(c: connection, result: bool, auth_attempts: count);
## Event that can be handled when the analyzer sees an SSH server host ## Event that can be handled when the analyzer sees an SSH server host
## key. This abstracts :bro:id:`ssh1_server_host_key` and ## key. This abstracts :bro:id:`ssh1_server_host_key` and
@ -186,8 +186,6 @@ event ssh_auth_attempted(c: connection, authenticated: bool) &priority=5
else else
{ {
c$ssh$auth_attempts = 1; c$ssh$auth_attempts = 1;
if ( !authenticated )
event ssh_auth_failed(c);
} }
if ( authenticated && disable_analyzer_after_detection ) if ( authenticated && disable_analyzer_after_detection )
@ -252,13 +250,18 @@ event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities
event connection_state_remove(c: connection) &priority=-5 event connection_state_remove(c: connection) &priority=-5
{ {
if ( c?$ssh && !c$ssh$logged && c$ssh?$client && c$ssh?$server ) if ( c?$ssh && !c$ssh$logged && c$ssh?$client && c$ssh?$server && c$ssh?$auth_success )
{ {
if ( c$ssh?$auth_success ) # Success get logged immediately. To protect against a race condition, we'll double check:
event ssh_auth_result(c, c$ssh$auth_success, c$ssh$auth_attempts); if ( c$ssh$auth_success )
return;
c$ssh$logged = T; # Now that we know it's a failure, we'll set the field, raise the event, and log it.
Log::write(SSH::LOG, c$ssh); c$ssh$auth_success = F;
event SSH::ssh_auth_failed(c);
c$ssh$logged = T;
Log::write(SSH::LOG, c$ssh);
} }
} }
@ -284,7 +287,7 @@ event ssh2_server_host_key(c: connection, key: string) &priority=5
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20 event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
{ {
if ( atype == Analyzer::ANALYZER_SSH ) if ( atype == Analyzer::ANALYZER_SSH )
{ {
set_session(c); set_session(c);
c$ssh$analyzer_id = aid; c$ssh$analyzer_id = aid;