Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

(BIT-1545) Add "disable_analyzer_after_detection" en lieu of "skip_processing_after_detection"

Browse source 
The default of "skip_processing_after_detection" is confusing and causes conn.log to not be written as one would assume, plus the counters are not incremented and thus some kinds of potential detections are short-changed. I propose adding "disable_analyzer_after_detection" which would react, on the surface, the same way by disabling the SSH analyzer, but allowing conn.log to be written appropriately.
This commit is contained in:
Aaron Eppert 2016-03-05 11:59:52 -05:00
parent 8cf5cbdbcf
commit c93b057a97
1 changed files with 33 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

35
scripts/base/protocols/ssh/main.bro
View file

@ -49,8 +49,13 @@ export {
## If true, we tell the event engine to not look at further data ## If true, we tell the event engine to not look at further data
## packets after the initial SSH handshake. Helps with performance ## packets after the initial SSH handshake. Helps with performance
## (especially with large file transfers) but precludes some ## (especially with large file transfers) but precludes some
## kinds of analyses. Defaults to T. ## kinds of analyses. Defaults to F.
const skip_processing_after_detection = T &redef; const skip_processing_after_detection = F &redef;
## If true, after detection the analyzer will be disabled and the
## flow data will continue, thus a conn.log will be written with
## appropriate counter increments. Defaults to T.
const disable_analyzer_after_detection = T &redef;
## Event that can be handled to access the SSH record as it is sent on ## Event that can be handled to access the SSH record as it is sent on
## to the logging framework. ## to the logging framework.
@ -70,6 +75,8 @@ redef record Info += {
# Store capabilities from the first host for # Store capabilities from the first host for
# comparison with the second (internal use) # comparison with the second (internal use)
capabilities: Capabilities &optional; capabilities: Capabilities &optional;
## Analzyer ID
analyzer_id: count &optional;
}; };
redef record connection += { redef record connection += {
@ -83,6 +90,11 @@ event bro_init() &priority=5
{ {
Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports); Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh, $path="ssh"]); Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh, $path="ssh"]);
if ( skip_processing_after_detection && disable_analyzer_after_detection )
{
Reporter::warning(fmt("SSH::bro_init - skip_processing_after_detection and disable_analyzer_after_detection both enabled!"));
}
} }
function set_session(c: connection) function set_session(c: connection)
@ -135,6 +147,11 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
skip_further_processing(c$id); skip_further_processing(c$id);
set_record_packets(c$id, F); set_record_packets(c$id, F);
} }
if ( disable_analyzer_after_detection )
{
disable_analyzer(c$id, c$ssh$analyzer_id);
}
} }
event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5 event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5
@ -233,3 +250,17 @@ event ssh2_server_host_key(c: connection, key: string) &priority=5
{ {
generate_fingerprint(c, key); generate_fingerprint(c, key);
} }
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
{
if ( atype == Analyzer::ANALYZER_SSH )
{
if ( ! c?$ssh )
{
local s: Info;
c$ssh = s;
}
c$ssh$analyzer_id = aid;
}
}