Merge remote-tracking branch 'origin/master' into topic/seth/dce_rpc_fixes

scripts/base/protocols/ssh/main.bro

@@ -20,6 +20,11 @@ export {
 		version:         count        &log;
 		## Authentication result (T=success, F=failure, unset=unknown)
 		auth_success:    bool         &log &optional;
+		## The number of authentication attemps we observed. There's always
+		## at least one, since some servers might support no authentication at all.
+		## It's important to note that not all of these are failures, since
+		## some servers require two-factor auth (e.g. password AND pubkey)
+		auth_attempts:   count        &log &optional;
 		## Direction of the connection. If the client was a local host
 		## logging into an external host, this would be OUTBOUND. INBOUND
 		## would be set for the opposite situation.
@@ -55,18 +60,68 @@ export {
 	## Event that can be handled to access the SSH record as it is sent on
 	## to the logging framework.
 	global log_ssh: event(rec: Info);
+}
+
+module GLOBAL;
+export {
+	## This event is generated when an :abbr:`SSH (Secure Shell)`
+	## connection was determined to have had a failed authentication. This
+	## determination is based on packet size analysis, and errs on the
+	## side of caution - that is, if there's any doubt about the
+	## authentication failure, this event is *not* raised.
+	##
+	## This event is only raised once per connection.
+	##
+	## c: The connection over which the :abbr:`SSH (Secure Shell)`
+	##    connection took place.
+	##
+	## .. bro:see:: ssh_server_version ssh_client_version
+	##    ssh_auth_successful ssh_auth_result ssh_auth_attempted
+	##    ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+	##    ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+	##    ssh2_gss_error ssh2_ecc_key
+	global ssh_auth_failed: event(c: connection);
+
+	## This event is generated when a determination has been made about
+	## the final authentication result of an :abbr:`SSH (Secure Shell)`
+	## connection. This determination is based on packet size analysis,
+	## and errs on the side of caution - that is, if there's any doubt
+	## about the result of the authentication, this event is *not* raised.
+	##
+	## This event is only raised once per connection.
+	##
+	## c: The connection over which the :abbr:`SSH (Secure Shell)`
+	##    connection took place.
+	##
+	## result: True if the authentication was successful, false if not.
+	##
+	## auth_attempts: The number of authentication attempts that were
+	##    observed.
+	##
+	## .. bro:see:: ssh_server_version ssh_client_version
+	##    ssh_auth_successful ssh_auth_failed ssh_auth_attempted
+	##    ssh_capabilities ssh2_server_host_key ssh1_server_host_key
+	##    ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+	##    ssh2_gss_error ssh2_ecc_key
+	global ssh_auth_result: event(c: connection, result: bool, auth_attempts: count);
 
 	## Event that can be handled when the analyzer sees an SSH server host
 	## key. This abstracts :bro:id:`ssh1_server_host_key` and
 	## :bro:id:`ssh2_server_host_key`.
+	##
+	## .. bro:see:: ssh_server_version ssh_client_version
+	##    ssh_auth_successful ssh_auth_failed ssh_auth_result
+	##    ssh_auth_attempted ssh_capabilities ssh2_server_host_key
+	##    ssh1_server_host_key ssh_encrypted_packet ssh2_dh_server_params
+	##    ssh2_gss_error ssh2_ecc_key
 	global ssh_server_host_key: event(c: connection, hash: string);
 }
 
+module SSH;
+
 redef record Info += {
 	# This connection has been logged (internal use)
 	logged:       bool         &default=F;
-	# Number of failures seen (internal use)
-	num_failures: count        &default=0;
 	# Store capabilities from the first host for
 	# comparison with the second (internal use)
 	capabilities: Capabilities &optional;
@@ -120,9 +175,8 @@ event ssh_client_version(c: connection, version: string)
 		c$ssh$version = 2;
 	}
 
-event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
+event ssh_auth_attempted(c: connection, authenticated: bool) &priority=5
 	{
-	# TODO - what to do here?
 	if ( !c?$ssh || ( c$ssh?$auth_success && c$ssh$auth_success ) )
 		return;
 
@@ -130,34 +184,29 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
 	if ( c$ssh?$compression_alg && ( c$ssh$compression_alg in compression_algorithms ) )
 		return;
 
-	c$ssh$auth_success = T;
+	c$ssh$auth_success = authenticated;
 
-	if ( disable_analyzer_after_detection )
+	if ( c$ssh?$auth_attempts )
+		c$ssh$auth_attempts += 1;
+	else
+		{
+		c$ssh$auth_attempts = 1;
+		}
+
+	if ( authenticated && disable_analyzer_after_detection )
 		disable_analyzer(c$id, c$ssh$analyzer_id);
 	}
 
-event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5
+event ssh_auth_attempted(c: connection, authenticated: bool) &priority=-5
 	{
-	if ( c?$ssh && !c$ssh$logged )
+	if ( authenticated && c?$ssh && !c$ssh$logged )
 		{
+		event ssh_auth_result(c, authenticated, c$ssh$auth_attempts);
 		c$ssh$logged = T;
 		Log::write(SSH::LOG, c$ssh);
 		}
 	}
 
-event ssh_auth_failed(c: connection) &priority=5
-	{
-	if ( !c?$ssh || ( c$ssh?$auth_success && !c$ssh$auth_success ) )
-		return;
-
-	# We can't accurately tell for compressed streams
-	if ( c$ssh?$compression_alg && ( c$ssh$compression_alg in compression_algorithms ) )
-		return;
-
-	c$ssh$auth_success = F;
-	c$ssh$num_failures += 1;
-	}
-
 # Determine the negotiated algorithm
 function find_alg(client_algorithms: vector of string, server_algorithms: vector of string): string
 	{
@@ -204,15 +253,42 @@ event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities
 	                                 server_caps$server_host_key_algorithms);
 	}
 
-event connection_state_remove(c: connection) &priority=-5
+event connection_state_remove(c: connection)
 	{
-	if ( c?$ssh && !c$ssh$logged && c$ssh?$client && c$ssh?$server )
+	if ( c?$ssh && !c$ssh$logged )
 		{
-		c$ssh$logged = T;
-		Log::write(SSH::LOG, c$ssh);
+		# Do we have enough information to make a determination about auth success?
+		if ( c$ssh?$client && c$ssh?$server && c$ssh?$auth_success )
+			{
+			# Successes get logged immediately. To protect against a race condition, we'll double check:
+			if ( c$ssh$auth_success )
+				return;
+
+			# Now that we know it's a failure, we'll raise the event.
+			event ssh_auth_failed(c);
+			}
+		# If not, we'll just log what we have
+		else
+			{
+			c$ssh$logged = T;
+			Log::write(SSH::LOG, c$ssh);
+			}
 		}
 	}
 
+event ssh_auth_failed(c: connection) &priority=-5
+	{
+	# This should not happen; prevent double-logging just in case
+	if ( ! c?$ssh || c$ssh$logged )
+		return;
+
+	c$ssh$logged = T;
+	Log::write(SSH::LOG, c$ssh);
+
+	event ssh_auth_result(c, F, c$ssh$auth_attempts);
+	}
+
+
 function generate_fingerprint(c: connection, key: string)
 	{
 	if ( !c?$ssh )
@@ -235,7 +311,7 @@ event ssh2_server_host_key(c: connection, key: string) &priority=5
 
 event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
 	{
-		if ( atype == Analyzer::ANALYZER_SSH )
+	if ( atype == Analyzer::ANALYZER_SSH )
 		{
 		set_session(c);
 		c$ssh$analyzer_id = aid;