Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-13 12:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Create new SSH events ssh_auth_attempt and ssh_auth_result. Add auth_attempts to SSH::Info. Address BIT-1641.

Browse source
This commit is contained in:
Vlad Grigorescu 2016-10-07 16:28:03 -05:00
parent 14fd08f334
commit 93becb1387
2 changed files with 117 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

63
scripts/base/protocols/ssh/main.bro
View file

@ -20,6 +20,11 @@ export {
version: count &log; version: count &log;
## Authentication result (T=success, F=failure, unset=unknown) ## Authentication result (T=success, F=failure, unset=unknown)
auth_success: bool &log &optional; auth_success: bool &log &optional;
## The number of authentication attemps we observed. There's always
## at least one, since some servers might support no authentication at all.
## It's important to note that not all of these are failures, since
## some servers require two-factor auth (e.g. password AND pubkey)
auth_attempts: count &log &optional;
## Direction of the connection. If the client was a local host ## Direction of the connection. If the client was a local host
## logging into an external host, this would be OUTBOUND. INBOUND ## logging into an external host, this would be OUTBOUND. INBOUND
## would be set for the opposite situation. ## would be set for the opposite situation.
@ -56,17 +61,62 @@ export {
## to the logging framework. ## to the logging framework.
global log_ssh: event(rec: Info); global log_ssh: event(rec: Info);
## This event is generated when an :abbr:`SSH (Secure Shell)`
## connection was determined to have had a failed authentication. This
## determination is based on packet size analysis, and errs on the
## side of caution - that is, if there's any doubt about the
## authentication failure, this event is *not* raised.
##
## This event is only raised once per connection.
##
## c: The connection over which the :abbr:`SSH (Secure Shell)`
## connection took place.
##
## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_result ssh_auth_attempted
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key
global ssh_auth_failed: event (c: connection);
## This event is generated when a determination has been made about
## the final authentication result of an :abbr:`SSH (Secure Shell)`
## connection. This determination is based on packet size analysis,
## and errs on the side of caution - that is, if there's any doubt
## about the result of the authentication, this event is *not* raised.
##
## This event is only raised once per connection.
##
## c: The connection over which the :abbr:`SSH (Secure Shell)`
## connection took place.
##
## result: True if the authentication was successful, false if not.
##
## auth_attempts: The number of authentication attempts that were
## observed.
##
## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_auth_attempted
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key
global ssh_auth_result: event (c: connection, result: bool, auth_attempts: count);
## Event that can be handled when the analyzer sees an SSH server host ## Event that can be handled when the analyzer sees an SSH server host
## key. This abstracts :bro:id:`ssh1_server_host_key` and ## key. This abstracts :bro:id:`ssh1_server_host_key` and
## :bro:id:`ssh2_server_host_key`. ## :bro:id:`ssh2_server_host_key`.
##
## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key
global ssh_server_host_key: event(c: connection, hash: string); global ssh_server_host_key: event(c: connection, hash: string);
} }
redef record Info += { redef record Info += {
# This connection has been logged (internal use) # This connection has been logged (internal use)
logged: bool &default=F; logged: bool &default=F;
# Number of failures seen (internal use)
num_failures: count &default=0;
# Store capabilities from the first host for # Store capabilities from the first host for
# comparison with the second (internal use) # comparison with the second (internal use)
capabilities: Capabilities &optional; capabilities: Capabilities &optional;
@ -131,6 +181,10 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
return; return;
c$ssh$auth_success = T; c$ssh$auth_success = T;
if ( c$ssh?$auth_attempts )
c$ssh$auth_attempts += 1;
else
c$ssh$auth_attempts = 1;
if ( disable_analyzer_after_detection ) if ( disable_analyzer_after_detection )
disable_analyzer(c$id, c$ssh$analyzer_id); disable_analyzer(c$id, c$ssh$analyzer_id);
@ -155,7 +209,10 @@ event ssh_auth_failed(c: connection) &priority=5
return; return;
c$ssh$auth_success = F; c$ssh$auth_success = F;
c$ssh$num_failures += 1; if ( c$ssh?$auth_attempts )
c$ssh$auth_attempts += 1;
else
c$ssh$auth_attempts = 1;
} }
# Determine the negotiated algorithm # Determine the negotiated algorithm

89
src/analyzer/protocol/ssh/events.bif
View file

@ -8,9 +8,10 @@
## version: The identification string ## version: The identification string
## ##
## .. bro:see:: ssh_client_version ssh_auth_successful ssh_auth_failed ## .. bro:see:: ssh_client_version ssh_auth_successful ssh_auth_failed
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key ## ssh_auth_result ssh_auth_attempted ssh_capabilities
## ssh_encrypted_packet ssh2_dh_server_params ## ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
## ssh2_gss_error ssh2_ecc_key ## ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
## ssh2_ecc_key
event ssh_server_version%(c: connection, version: string%); event ssh_server_version%(c: connection, version: string%);
## An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message ## An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
@ -23,9 +24,10 @@ event ssh_server_version%(c: connection, version: string%);
## version: The identification string ## version: The identification string
## ##
## .. bro:see:: ssh_server_version ssh_auth_successful ssh_auth_failed ## .. bro:see:: ssh_server_version ssh_auth_successful ssh_auth_failed
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key ## ssh_auth_result ssh_auth_attempted ssh_capabilities
## ssh_encrypted_packet ssh2_dh_server_params ## ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
## ssh2_gss_error ssh2_ecc_key ## ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
## ssh2_ecc_key
event ssh_client_version%(c: connection, version: string%); event ssh_client_version%(c: connection, version: string%);
## This event is generated when an :abbr:`SSH (Secure Shell)` ## This event is generated when an :abbr:`SSH (Secure Shell)`
@ -43,25 +45,41 @@ event ssh_client_version%(c: connection, version: string%);
## unauthenticated access, which some servers support. ## unauthenticated access, which some servers support.
## ##
## .. bro:see:: ssh_server_version ssh_client_version ssh_auth_failed ## .. bro:see:: ssh_server_version ssh_client_version ssh_auth_failed
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key ## ssh_auth_result ssh_auth_attempted ssh_capabilities
## ssh_encrypted_packet ssh2_dh_server_params ## ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
## ssh2_gss_error ssh2_ecc_key ## ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
## ssh2_ecc_key
event ssh_auth_successful%(c: connection, auth_method_none: bool%); event ssh_auth_successful%(c: connection, auth_method_none: bool%);
## This event is generated when an :abbr:`SSH (Secure Shell)` ## This event is generated when an :abbr:`SSH (Secure Shell)`
## connection was determined to have had a failed authentication. This ## connection was determined to have had an authentication attempt.
## determination is based on packet size analysis, and errs on the ## This determination is based on packet size analysis, and errs
## side of caution - that is, if there's any doubt about the ## on the side of caution - that is, if there's any doubt about
## authentication failure, this event is *not* raised. ## whether or not an authenication attempt occured, this event is
## *not* raised.
##
## At this point in the protocol, all we can determine is whether
## or not the user is authenticated. We don't know if the particular
## attempt succeeded or failed, since some servers require multiple
## authentications (e.g. require both a password AND a pubkey), and
## could return an authentication failed message which is marked
## as a partial success.
##
## This event will often be raised multiple times per connection.
## In almost all connections, it will be raised once unless
## ##
## c: The connection over which the :abbr:`SSH (Secure Shell)` ## c: The connection over which the :abbr:`SSH (Secure Shell)`
## connection took place. ## connection took place.
## ##
## authenticated: This is true if the analyzer detected a
## successful connection from the authentication attempt.
##
## .. bro:see:: ssh_server_version ssh_client_version ## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_capabilities ssh2_server_host_key ## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params ## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key ## ssh2_gss_error ssh2_ecc_key
event ssh_auth_failed%(c: connection%); event ssh_auth_attempted%(c: connection, authenticated: bool%);
## During the initial :abbr:`SSH (Secure Shell)` key exchange, each ## During the initial :abbr:`SSH (Secure Shell)` key exchange, each
## endpoint lists the algorithms that it supports, in order of ## endpoint lists the algorithms that it supports, in order of
@ -79,8 +97,9 @@ event ssh_auth_failed%(c: connection%);
## advertises support for, in order of preference. ## advertises support for, in order of preference.
## ##
## .. bro:see:: ssh_server_version ssh_client_version ## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh2_server_host_key ## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params ## ssh_auth_attempted ssh2_server_host_key ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key ## ssh2_gss_error ssh2_ecc_key
event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabilities%); event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabilities%);
@ -95,8 +114,9 @@ event ssh_capabilities%(c: connection, cookie: string, capabilities: SSH::Capabi
## itself, and not just the fingerprint or hash. ## itself, and not just the fingerprint or hash.
## ##
## .. bro:see:: ssh_server_version ssh_client_version ## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_capabilities ## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params ## ssh_auth_attempted ssh_capabilities ssh1_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key ## ssh2_gss_error ssh2_ecc_key
event ssh2_server_host_key%(c: connection, key: string%); event ssh2_server_host_key%(c: connection, key: string%);
@ -112,8 +132,9 @@ event ssh2_server_host_key%(c: connection, key: string%);
## e: The exponent for the serer's public host key. ## e: The exponent for the serer's public host key.
## ##
## .. bro:see:: ssh_server_version ssh_client_version ## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_capabilities ## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh2_server_host_key ssh_encrypted_packet ssh2_dh_server_params ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key ## ssh2_gss_error ssh2_ecc_key
event ssh1_server_host_key%(c: connection, p: string, e: string%); event ssh1_server_host_key%(c: connection, p: string, e: string%);
@ -133,8 +154,9 @@ event ssh1_server_host_key%(c: connection, p: string, e: string%);
## bytes. Note that this ignores reassembly, as this is unknown. ## bytes. Note that this ignores reassembly, as this is unknown.
## ##
## .. bro:see:: ssh_server_version ssh_client_version ## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_capabilities ## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh2_server_host_key ssh1_server_host_key ssh2_dh_server_params ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh1_server_host_key ssh_server_host_key ssh2_dh_server_params
## ssh2_gss_error ssh2_ecc_key ## ssh2_gss_error ssh2_ecc_key
event ssh_encrypted_packet%(c: connection, orig: bool, len: count%); event ssh_encrypted_packet%(c: connection, orig: bool, len: count%);
@ -149,10 +171,11 @@ event ssh_encrypted_packet%(c: connection, orig: bool, len: count%);
## ##
## q: The DH generator. ## q: The DH generator.
## ##
## .. bro:see:: ssl_dh_server_params ssh_server_version ## .. bro:see:: ssh_server_version ssh_client_version
## ssh_client_version ssh_auth_successful ssh_auth_failed ## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh_capabilities ssh2_server_host_key ssh1_server_host_key ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh_encrypted_packet ssh2_gss_error ssh2_ecc_key ## ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
## ssh2_gss_error ssh2_ecc_key
event ssh2_dh_server_params%(c: connection, p: string, q: string%); event ssh2_dh_server_params%(c: connection, p: string, q: string%);
## In the event of a GSS-API error on the server, the server MAY send ## In the event of a GSS-API error on the server, the server MAY send
@ -169,8 +192,9 @@ event ssh2_dh_server_params%(c: connection, p: string, q: string%);
## err_msg: Detailed human-readable error message ## err_msg: Detailed human-readable error message
## ##
## .. bro:see:: ssh_server_version ssh_client_version ## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_capabilities ## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh2_server_host_key ssh1_server_host_key ssh_encrypted_packet ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
## ssh2_dh_server_params ssh2_ecc_key ## ssh2_dh_server_params ssh2_ecc_key
event ssh2_gss_error%(c: connection, major_status: count, minor_status: count, err_msg: string%); event ssh2_gss_error%(c: connection, major_status: count, minor_status: count, err_msg: string%);
@ -188,7 +212,8 @@ event ssh2_gss_error%(c: connection, major_status: count, minor_status: count, e
## q: The ephemeral public key ## q: The ephemeral public key
## ##
## .. bro:see:: ssh_server_version ssh_client_version ## .. bro:see:: ssh_server_version ssh_client_version
## ssh_auth_successful ssh_auth_failed ssh_capabilities ## ssh_auth_successful ssh_auth_failed ssh_auth_result
## ssh2_server_host_key ssh1_server_host_key ssh_encrypted_packet ## ssh_auth_attempted ssh_capabilities ssh2_server_host_key
## ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
## ssh2_dh_server_params ssh2_gss_error ## ssh2_dh_server_params ssh2_gss_error
event ssh2_ecc_key%(c: connection, is_orig: bool, q: string%); event ssh2_ecc_key%(c: connection, is_orig: bool, q: string%);