From c93b057a970bf1623c5a32901ea32f874aecb42f Mon Sep 17 00:00:00 2001
From: Aaron Eppert
Date: Sat, 5 Mar 2016 11:59:52 -0500
Subject: [PATCH] (BIT-1545) Add "disable_analyzer_after_detection" en lieu of "skip_processing_after_detection"

The default of "skip_processing_after_detection" is confusing and causes conn.log to not be written as one would assume, plus the counters are not incremented and thus some kinds of potential detections are short-changed. I propose adding "disable_analyzer_after_detection" which would react, on the surface, the same way by disabling the SSH analyzer, but allowing conn.log to be written appropriately.
---
 scripts/base/protocols/ssh/main.bro | 35 +++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index d9e1e2b3cf..3e1be2f66c 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -49,8 +49,13 @@ export {
 	## If true, we tell the event engine to not look at further data
 	## packets after the initial SSH handshake. Helps with performance
 	## (especially with large file transfers) but precludes some
-	## kinds of analyses. Defaults to T.
-	const skip_processing_after_detection = T &redef;
+	## kinds of analyses. Defaults to F.
+	const skip_processing_after_detection = F &redef;
+
+	## If true, after detection the analyzer will be disabled and the
+	## flow data will continue, thus a conn.log will be written with
+	## appropriate counter increments. Defaults to T.
+	const disable_analyzer_after_detection = T &redef;
 
 	## Event that can be handled to access the SSH record as it is sent on
 	## to the logging framework.
@@ -70,6 +75,8 @@ redef record Info += {
 	# Store capabilities from the first host for
 	# comparison with the second (internal use)
 	capabilities: Capabilities &optional;
+	## Analzyer ID
+	analyzer_id: count &optional;
 };
 
 redef record connection += {
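Review bot: The doc comment on the new `disable_analyzer_after_detection` constant does not say how it relates to `skip_processing_after_detection`, although this patch makes the two overlap and reports a warning at startup when both are on; the option's purpose as a replacement is only stated in the commit message. Flipping the default of `skip_processing_after_detection` from T to F is also a behaviour change for existing deployments that is not called out in the option's own documentation. I would extend the new comment with `## Intended as the replacement for skip_processing_after_detection; enabling both is reported as a warning at startup.` so a reader of the exported interface sees the intended choice without reading the commit history.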
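Review bot: The comment on the new `analyzer_id` field misspells "Analyzer" as "Analzyer", and it uses the `##` doc-comment form while the neighbouring internal-use field `capabilities` is annotated with a plain `#` and marked "(internal use)". Since `analyzer_id` has no `&log` attribute and is only consumed inside this script, it looks like an internal field in the same sense, and a `##` comment presumably surfaces it in generated documentation. I would write `# Analyzer ID of the SSH analyzer attached to this connection, used to disable it after authentication (internal use)`.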
@@ -83,6 +90,11 @@ event bro_init() &priority=5
 	{
 	Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
 	Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh, $path="ssh"]);
+
+	if ( skip_processing_after_detection && disable_analyzer_after_detection )
+		{
+		Reporter::warning(fmt("SSH::bro_init - skip_processing_after_detection and disable_analyzer_after_detection both enabled!"));
+		}
 	}
 
 function set_session(c: connection)
@@ -135,6 +147,11 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
 		skip_further_processing(c$id);
 		set_record_packets(c$id, F);
 		}
+
+	if ( disable_analyzer_after_detection )
+		{
+		disable_analyzer(c$id, c$ssh$analyzer_id);
+		}
 	}
 
 event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5
@@ -233,3 +250,17 @@ event ssh2_server_host_key(c: connection, key: string) &priority=5
 	{
 	generate_fingerprint(c, key);
 	}
+
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
+	{
+	if ( atype == Analyzer::ANALYZER_SSH )
+		{
+		if ( ! c?$ssh )
+			{
+			local s: Info;
+			c$ssh = s;
+			}
+
+		c$ssh$analyzer_id = aid;
+		}
+	}
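Review bot: The `fmt()` call in the new `Reporter::warning` in `bro_init` wraps a constant string with no format arguments, so it only adds noise. The warning also tells the operator that both options are set without saying what happens as a result; from the later hunk it appears both branches are simply applied in `ssh_auth_successful`, so the message could say so. I would write `Reporter::warning("SSH: skip_processing_after_detection and disable_analyzer_after_detection are both enabled; both will be applied after a successful authentication");`.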
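Review bot: The new `disable_analyzer(c$id, c$ssh$analyzer_id)` call reads a field that is declared `&optional` and is only ever assigned in the `protocol_confirmation` handler added at the end of this patch; if that handler has not run for this connection, the access fails at runtime with a missing-field error and aborts the rest of this `ssh_auth_successful` handler, including whatever the `&priority=-5` handler below expects to find. The guard should check the field is present, `if ( disable_analyzer_after_detection && c$ssh?$analyzer_id )`, and ideally log a `Reporter::warning` in the else case so a silently-missing confirmation is noticed. The enclosing event handler begins outside this hunk, so I cannot see whether `c$ssh` itself is guaranteed to exist at this point.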
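Review bot: The new `protocol_confirmation` handler creates `c$ssh` from a bare `local s: Info` when the record is absent, bypassing the file's `set_session(c: connection)` helper that is visible as context in an earlier hunk and is presumably the path that populates the record's non-optional fields; a record created here would then be seen as already present by any `c?$ssh` check in that helper, leaving those fields unset for the rest of the connection. Because this handler runs at `&priority=20`, it is likely to be the first to touch `c$ssh` on most connections, so this would be the common case rather than a corner. I would replace the four-line block with a single `set_session(c);` before the `c$ssh$analyzer_id = aid;` assignment, which keeps the session-creation logic in one place.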