From cb91a9c10157f8fc01397f5f638595e35231e283 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Wed, 29 Apr 2015 20:57:40 -0400
Subject: [PATCH] A small fix to ssh/geo-data.bro. ssh can now be unset for local-local or remote-remote, so make the script deal with this.
---
 scripts/base/protocols/ssh/main.bro | 4 ++--
 scripts/policy/protocols/ssh/geo-data.bro | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index 6f76dcbb77..d9e1e2b3cf 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -118,7 +118,7 @@ event ssh_client_version(c: connection, version: string)
 c$ssh$version = 2;
 }
 
-event ssh_auth_successful(c: connection, auth_method_none: bool)
+event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
 {
 # TODO - what to do here?
 if ( !c?$ssh || ( c$ssh?$auth_success && c$ssh$auth_success ) )
@@ -146,7 +146,7 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5
 }
 }
 
-event ssh_auth_failed(c: connection)
+event ssh_auth_failed(c: connection) &priority=5
 {
 if ( !c?$ssh || ( c$ssh?$auth_success && !c$ssh$auth_success ) )
 return;
diff --git a/scripts/policy/protocols/ssh/geo-data.bro b/scripts/policy/protocols/ssh/geo-data.bro
index feae86c8f6..9fe8b597b6 100644
--- a/scripts/policy/protocols/ssh/geo-data.bro
+++ b/scripts/policy/protocols/ssh/geo-data.bro
@@ -32,6 +32,9 @@ function get_location(c: connection): geo_location
 
 event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3
 {
+ if ( ! c$ssh?$direction )
+ return;
+
 # Add the location data to the SSH record.
 c$ssh$remote_location = get_location(c);
 
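Review bot: The `&priority=5` added to ssh_auth_successful here, and to ssh_auth_failed in the next main.bro hunk, creates an ordering dependency that neither the code nor the commit message records. Without the attribute these handlers ran at the default priority 0, after the geo-data.bro handlers at `&priority=3`; with it they run first, which is presumably what the geo-data guard relies on. A comment above each handler would keep a later edit from undoing this, for example `# Must run before policy handlers at lower priority (geo-data.bro uses 3), which read the c$ssh state set here.` Both handler bodies continue outside their hunks, so what state they actually set cannot be confirmed from this patch.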
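Review bot: The added guard `if ( ! c$ssh?$direction )` reads `c$ssh` without first checking that the record is set, although the main.bro handlers in this same patch treat it as optional (`!c?$ssh`) and return without creating it. When `c$ssh` is absent, the field access should raise a runtime error and abort the handler instead of returning quietly, so the guard is safer as `if ( ! c?$ssh || ! c$ssh?$direction )`. The identical guard in ssh_auth_failed in the following hunk needs the same change. Because the early return leaves remote_location unset for these sessions, a comment such as `# direction is unset for local-local and remote-remote sessions; no location is recorded for them` would tell analysts why the field is missing from the log. The body of ssh_auth_successful continues past the end of the hunk.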
@@ -47,6 +50,9 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3
 
 event ssh_auth_failed(c: connection) &priority=3
 {
+ if ( ! c$ssh?$direction )
+ return;
+
 # Add the location data to the SSH record.
 c$ssh$remote_location = get_location(c);
 }