mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 00:28:21 +00:00
Updates for SSH scripts.
This commit is contained in:
Seth Hall
parent
9a06cece67
commit
9c2273b7a7
6 changed files with 237 additions and 141 deletions
79
scripts/policy/protocols/ssh/detect-bruteforcing.bro
Normal file
79
scripts/policy/protocols/ssh/detect-bruteforcing.bro
Normal file
|
|
@ -0,0 +1,79 @@
|
|||
|
||||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Notice::Type += {
|
||||
## Indicates that a host has been identified as crossing the
|
||||
## :bro:id:`password_guesses_limit` threshold with heuristically
|
||||
## determined failed logins.
|
||||
Password_Guessing,
|
||||
## Indicates that a host previously identified as a "password guesser"
|
||||
## has now had a heuristically successful login attempt.
|
||||
Login_By_Password_Guesser,
|
||||
};
|
||||
|
||||
## The number of failed SSH connections before a host is designated as
|
||||
## guessing passwords.
|
||||
const password_guesses_limit = 30 &redef;
|
||||
|
||||
## The amount of time to remember presumed non-successful logins to build
|
||||
## model of a password guesser.
|
||||
const guessing_timeout = 30 mins &redef;
|
||||
|
||||
## This value can be used to exclude hosts or entire networks from being
|
||||
## tracked as potential "guessers". There are cases where the success
|
||||
## heuristic fails and this acts as the whitelist. The index represents
|
||||
## client subnets and the yield value represents server subnets.
|
||||
const ignore_guessers: table[subnet] of subnet &redef;
|
||||
|
||||
## Keeps count of how many rejections a host has had.
|
||||
global password_rejections: table[addr] of TrackCount
|
||||
&write_expire=guessing_timeout
|
||||
&synchronized;
|
||||
|
||||
## Keeps track of hosts identified as guessing passwords.
|
||||
global password_guessers: set[addr] &read_expire=guessing_timeout+1hr &synchronized;
|
||||
}
|
||||
|
||||
event SSH::heuristic_successful_login(c: connection)
|
||||
{
|
||||
local id = c$id;
|
||||
|
||||
# TODO: this should be migrated to the metrics framework.
|
||||
if ( id$orig_h in password_rejections &&
|
||||
password_rejections[id$orig_h]$n > password_guesses_limit &&
|
||||
id$orig_h !in password_guessers )
|
||||
{
|
||||
add password_guessers[id$orig_h];
|
||||
NOTICE([$note=Login_By_Password_Guesser,
|
||||
$conn=c,
|
||||
$n=password_rejections[id$orig_h]$n,
|
||||
$msg=fmt("Successful SSH login by password guesser %s", id$orig_h),
|
||||
$sub=fmt("%d failed logins", password_rejections[id$orig_h]$n)]);
|
||||
}
|
||||
}
|
||||
|
||||
event SSH::heuristic_failed_login(c: connection)
|
||||
{
|
||||
local id = c$id;
|
||||
|
||||
# presumed failure
|
||||
if ( id$orig_h !in password_rejections )
|
||||
password_rejections[id$orig_h] = new_track_count();
|
||||
|
||||
# Track the number of rejections
|
||||
# TODO: this should be migrated to the metrics framework.
|
||||
if ( ! (id$orig_h in ignore_guessers &&
|
||||
id$resp_h in ignore_guessers[id$orig_h]) )
|
||||
++password_rejections[id$orig_h]$n;
|
||||
|
||||
if ( default_check_threshold(password_rejections[id$orig_h]) )
|
||||
{
|
||||
add password_guessers[id$orig_h];
|
||||
NOTICE([$note=Password_Guessing,
|
||||
$conn=c,
|
||||
$msg=fmt("SSH password guessing by %s", id$orig_h),
|
||||
$sub=fmt("%d apparently failed logins", password_rejections[id$orig_h]$n),
|
||||
$n=password_rejections[id$orig_h]$n]);
|
||||
}
|
||||
}
|
||||
39
scripts/policy/protocols/ssh/geo-data.bro
Normal file
39
scripts/policy/protocols/ssh/geo-data.bro
Normal file
|
|
@ -0,0 +1,39 @@
|
|||
##! This implements all of the additional information and geodata detections
|
||||
##! for SSH analysis.
|
||||
|
||||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Notice::Type += {
|
||||
## If an SSH login is seen to or from a "watched" country based on the
|
||||
## :bro:id:`SSH::watched_countries` variable then this notice will
|
||||
## be generated.
|
||||
Login_From_Watched_Country,
|
||||
};
|
||||
|
||||
## The set of countries for which you'd like to throw notices upon
|
||||
## successful login
|
||||
const watched_countries: set[string] = {"RO"} &redef;
|
||||
|
||||
redef record Info += {
|
||||
## Add geographic data related to the "remote" host of the connection.
|
||||
remote_location: geo_location &log &optional;
|
||||
};
|
||||
}
|
||||
|
||||
event SSH::heuristic_successful_login(c: connection) &priority=5
|
||||
{
|
||||
local location: geo_location;
|
||||
location = (c$ssh$direction == OUTBOUND) ?
|
||||
lookup_location(c$id$resp_h) : lookup_location(c$id$orig_h);
|
||||
|
||||
# Add the location data to the SSH record.
|
||||
c$ssh$remote_location = location;
|
||||
|
||||
if ( location$country_code in watched_countries )
|
||||
{
|
||||
NOTICE([$note=Login_From_Watched_Country,
|
||||
$conn=c,
|
||||
$msg=fmt("SSH login from watched country: %s", location$country_code)]);
|
||||
}
|
||||
}
|
||||
50
scripts/policy/protocols/ssh/interesting-hostnames.bro
Normal file
50
scripts/policy/protocols/ssh/interesting-hostnames.bro
Normal file
|
|
@ -0,0 +1,50 @@
|
|||
|
||||
module SSH;
|
||||
|
||||
export {
|
||||
redef enum Notice::Type += {
|
||||
## Generated if a login originates from a host matched by the
|
||||
## :bro:id:`interesting_hostnames` regular expression.
|
||||
Login_From_Interesting_Hostname,
|
||||
## Generated if a login goes to a host matched by the
|
||||
## :bro:id:`interesting_hostnames` regular expression.
|
||||
Login_To_Interesting_Hostname,
|
||||
};
|
||||
|
||||
## Strange/bad host names to see successful SSH logins from or to.
|
||||
const interesting_hostnames =
|
||||
/^d?ns[0-9]*\./ |
|
||||
/^smtp[0-9]*\./ |
|
||||
/^mail[0-9]*\./ |
|
||||
/^pop[0-9]*\./ |
|
||||
/^imap[0-9]*\./ |
|
||||
/^www[0-9]*\./ |
|
||||
/^ftp[0-9]*\./ &redef;
|
||||
}
|
||||
|
||||
event SSH::heuristic_successful_login(c: connection)
|
||||
{
|
||||
# Check to see if this login came from an interesting hostname.
|
||||
when ( local orig_hostname = lookup_addr(c$id$orig_h) )
|
||||
{
|
||||
if ( interesting_hostnames in orig_hostname )
|
||||
{
|
||||
NOTICE([$note=Login_From_Interesting_Hostname,
|
||||
$conn=c,
|
||||
$msg=fmt("Interesting login from hostname: %s", orig_hostname),
|
||||
$sub=orig_hostname]);
|
||||
}
|
||||
}
|
||||
# Check to see if this login went to an interesting hostname.
|
||||
when ( local resp_hostname = lookup_addr(c$id$orig_h) )
|
||||
{
|
||||
if ( interesting_hostnames in resp_hostname )
|
||||
{
|
||||
NOTICE([$note=Login_To_Interesting_Hostname,
|
||||
$conn=c,
|
||||
$msg=fmt("Interesting login to hostname: %s", resp_hostname),
|
||||
$sub=resp_hostname]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -3,8 +3,8 @@ module SSH;
|
|||
|
||||
export {
|
||||
redef enum Software::Type += {
|
||||
SSH_SERVER,
|
||||
SSH_CLIENT,
|
||||
SERVER,
|
||||
CLIENT,
|
||||
};
|
||||
}
|
||||
|
||||
|
|
@ -12,7 +12,7 @@ event ssh_client_version(c: connection, version: string) &priority=4
|
|||
{
|
||||
# Get rid of the protocol information when passing to the software framework.
|
||||
local cleaned_version = sub(version, /^SSH[0-9\.\-]+/, "");
|
||||
local si = Software::parse(cleaned_version, c$id$orig_h, SSH_CLIENT);
|
||||
local si = Software::parse(cleaned_version, c$id$orig_h, CLIENT);
|
||||
Software::found(c$id, si);
|
||||
}
|
||||
|
||||
|
|
@ -20,6 +20,6 @@ event ssh_server_version(c: connection, version: string) &priority=4
|
|||
{
|
||||
# Get rid of the protocol information when passing to the software framework.
|
||||
local cleaned_version = sub(version, /SSH[0-9\.\-]{2,}/, "");
|
||||
local si = Software::parse(cleaned_version, c$id$resp_h, SSH_SERVER);
|
||||
local si = Software::parse(cleaned_version, c$id$resp_h, SERVER);
|
||||
Software::found(c$id, si);
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue