Merge remote-tracking branch 'origin/topic/jazoff/ticket-1670'

BIT-1670 #merged * origin/topic/jazoff/ticket-1670: Ensure that the notice uid field is filled in. Move lookup_addr when statement
2025-10-16 21:48:21 +00:00 · 2016-09-27 11:38:08 -07:00 · 2016-09-27 11:38:08 -07:00 · a87083233e
commit a87083233e
parent 3ef14000f3 c74218568a
1 changed files with 16 additions and 11 deletions
--- a/scripts/policy/protocols/ssh/interesting-hostnames.bro
+++ b/scripts/policy/protocols/ssh/interesting-hostnames.bro
@ -27,21 +27,26 @@ export {
 			/^ftp[0-9]*\./  &redef;
 }

-event ssh_auth_successful(c: connection, auth_method_none: bool)
+function check_ssh_hostname(id: conn_id, uid: string, host: addr)
 	{
-	for ( host in set(c$id$orig_h, c$id$resp_h) )
+	when ( local hostname = lookup_addr(host) )
 		{
-		when ( local hostname = lookup_addr(host) )
+		if ( interesting_hostnames in hostname )
 			{
-			if ( interesting_hostnames in hostname )
-				{
-				NOTICE([$note=Interesting_Hostname_Login,
-				        $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
-				                 Site::is_local_addr(host) ? "local" : "remote",
-				                 host == c$id$orig_h ? "client" : "server"),
-				        $sub=hostname, $conn=c]);
-				}
+			NOTICE([$note=Interesting_Hostname_Login,
+					$msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
+							 Site::is_local_addr(host) ? "local" : "remote",
+							 host == id$orig_h ? "client" : "server"),
+					$sub=hostname, $id=id, $uid=uid]);
 			}
 		}
 	}

+event ssh_auth_successful(c: connection, auth_method_none: bool)
+	{
+	for ( host in set(c$id$orig_h, c$id$resp_h) )
+		{
+		check_ssh_hostname(c$id, c$uid, host);
+		}
+	}
+