Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-09 10:08:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Some cleanup and refactoring on SSH main.bro.

Browse source 
Specifically, an overhaul of how the algorithm negotiation is
calculated, to simplify a lot of the code.
This commit is contained in:
Vlad Grigorescu 2015-03-09 16:04:35 -04:00
parent 8ca0067363
commit d9b4693240
4 changed files with 125 additions and 133 deletions
Download patch file Download diff file Expand all files Collapse all files

171
scripts/base/protocols/ssh/main.bro
View file

@ -1,56 +1,51 @@
##! Implements base functionality for SSH analysis. Generates the ssh.log file.
@load base/utils/directions-and-hosts
module SSH;
export {
## The SSH protocol logging stream identifier.
redef enum Log::ID += { LOG };
type Info: record {
## Timestamp for when the event happened.
ts: time &log;
## Time when the SSH connection began.
ts: time &log;
## Unique ID for the connection.
uid: string &log;
uid: string &log;
## The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
id: conn_id &log;
## SSH major version (1 or 2)
version: count &log;
## Auth result
auth_success: bool &log &optional;
## Auth details
auth_details: string &log &optional;
version: count &log;
## Authentication result (T=success, F=failure, unset=unknown)
auth_success: bool &log &optional;
## Direction of the connection. If the client was a local host
## logging into an external host, this would be OUTBOUND. INBOUND
## would be set for the opposite situation.
## TODO: handle local-local and remote-remote better.
direction: Direction &log &optional;
## The encryption algorithm in use
cipher_alg: string &log &optional;
## The signing (MAC) algorithm in use
mac_alg: string &log &optional;
## The compression algorithm in use
compression_alg: string &log &optional;
## The key exchange algorithm in use
kex_alg: string &log &optional;
## The server host key's algorithm
host_key_alg: string &log &optional;
## The server's key fingerprint
host_key: string &log &optional;
# TODO - handle local-local and remote-remote better.
direction: Direction &log &optional;
## The client's version string
client: string &log &optional;
client: string &log &optional;
## The server's version string
server: string &log &optional;
## This connection has been logged (internal use)
logged: bool &default=F;
## Number of failures seen (internal use)
num_failures: count &default=0;
## Store capabilities from the first host for
## comparison with the second (internal use)
capabilities: Capabilities &optional;
server: string &log &optional;
## The encryption algorithm in use
cipher_alg: string &log &optional;
## The signing (MAC) algorithm in use
mac_alg: string &log &optional;
## The compression algorithm in use
compression_alg: string &log &optional;
## The key exchange algorithm in use
kex_alg: string &log &optional;
## The server host key's algorithm
host_key_alg: string &log &optional;
## The server's key fingerprint
host_key: string &log &optional;
};
## The set of compression algorithms. We can't accurately determine
## authentication success or failure when compression is enabled.
const compression_algorithms = set("zlib", "zlib@openssh.com") &redef;
## If true, we tell the event engine to not look at further data
## packets after the initial SSH handshake. Helps with performance
## (especially with large file transfers) but precludes some
@ -62,6 +57,16 @@ export {
global log_ssh: event(rec: Info);
}
redef record Info += {
## This connection has been logged (internal use)
logged: bool &default=F;
## Number of failures seen (internal use)
num_failures: count &default=0;
## Store capabilities from the first host for
## comparison with the second (internal use)
capabilities: Capabilities &optional;
};
redef record connection += {
ssh: Info &optional;
};
@ -72,52 +77,47 @@ event bro_init() &priority=5
}
function init_record(c: connection)
function set_session(c: connection)
{
local s: SSH::Info;
s$ts = network_time();
s$uid = c$uid;
s$id = c$id;
c$ssh = s;
if ( ! c?$ssh )
{
local info: SSH::Info;
info$ts = network_time();
info$uid = c$uid;
info$id = c$id;
c$ssh = info;
}
}
event ssh_server_version(c: connection, version: string)
{
if ( !c?$ssh )
init_record(c);
set_session(c);
c$ssh$server = version;
}
event ssh_client_version(c: connection, version: string)
{
if ( !c?$ssh )
init_record(c);
set_session(c);
c$ssh$client = version;
if ( version[4] == "1" )
if ( ( |version| > 3 ) && ( version[4] == "1" ) )
c$ssh$version = 1;
if ( version[4] == "2" )
if ( ( |version| > 3 ) && ( version[4] == "2" ) )
c$ssh$version = 2;
}
event ssh_auth_successful(c: connection, auth_method_none: bool)
{
# TODO - what to do here?
if ( !c?$ssh || ( c$ssh?$auth_success && c$ssh$auth_success ) )
return;
# We can't accurately tell for compressed streams
if ( c$ssh?$compression_alg && ( c$ssh$compression_alg == "zlib@openssh.com" ||
c$ssh$compression_alg == "zlib" ) )
if ( c$ssh?$compression_alg && ( c$ssh$compression_alg in compression_algorithms ) )
return;
c$ssh$auth_success = T;
if ( auth_method_none )
c$ssh$auth_details = "method: none";
if ( skip_processing_after_detection)
{
skip_further_processing(c$id);
@ -140,39 +140,30 @@ event ssh_auth_failed(c: connection)
return;
# We can't accurately tell for compressed streams
if ( c$ssh?$compression_alg && ( c$ssh$compression_alg == "zlib@openssh.com" ||
c$ssh$compression_alg == "zlib" ) )
if ( c$ssh?$compression_alg && ( c$ssh$compression_alg == "zlib@openssh.com" || c$ssh$compression_alg == "zlib" ) )
return;
c$ssh$auth_success = F;
c$ssh$num_failures += 1;
}
function array_to_vec(s: string_array): vector of string
{
local r: vector of string;
for (i in s)
r[i] = s[i];
return r;
}
function find_client_preferred_algorithm(client_algorithms: vector of string, server_algorithms: vector of string): string
# Determine the negotiated algorithm
function find_alg(client_algorithms: vector of string, server_algorithms: vector of string): string
{
for ( i in client_algorithms )
for ( j in server_algorithms )
if ( client_algorithms[i] == server_algorithms[j] )
return client_algorithms[i];
}
function find_client_preferred_algorithm_bidirectional(client_algorithms_c_to_s: vector of string,
server_algorithms_c_to_s: vector of string,
client_algorithms_s_to_c: vector of string,
server_algorithms_s_to_c: vector of string): string
{
local c_to_s = find_client_preferred_algorithm(client_algorithms_c_to_s, server_algorithms_c_to_s);
local s_to_c = find_client_preferred_algorithm(client_algorithms_s_to_c, server_algorithms_s_to_c);
# This is a simple wrapper around find_alg for cases where client to server and server to client
# negotiate different algorithms. This is rare, but provided for completeness.
function find_bidirectional_alg(client_prefs: Algorithm_Prefs, server_prefs: Algorithm_Prefs): string
{
local c_to_s = find_alg(client_prefs$client_to_server, server_prefs$client_to_server);
local s_to_c = find_alg(client_prefs$server_to_client, server_prefs$server_to_client);
# Usually these are the same, but if they're not, return the details
return c_to_s == s_to_c ? c_to_s : fmt("To server: %s, to client: %s", c_to_s, s_to_c);
}
@ -190,33 +181,21 @@ event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities
local client_caps = capabilities$is_server ? c$ssh$capabilities : capabilities;
local server_caps = capabilities$is_server ? capabilities : c$ssh$capabilities;
c$ssh$cipher_alg = find_client_preferred_algorithm_bidirectional(client_caps$encryption_algorithms_client_to_server,
server_caps$encryption_algorithms_client_to_server,
client_caps$encryption_algorithms_server_to_client,
server_caps$encryption_algorithms_server_to_client);
c$ssh$mac_alg = find_client_preferred_algorithm_bidirectional(client_caps$mac_algorithms_client_to_server,
server_caps$mac_algorithms_client_to_server,
client_caps$mac_algorithms_server_to_client,
server_caps$mac_algorithms_server_to_client);
c$ssh$compression_alg = find_client_preferred_algorithm_bidirectional(client_caps$compression_algorithms_client_to_server,
server_caps$compression_algorithms_client_to_server,
client_caps$compression_algorithms_server_to_client,
server_caps$compression_algorithms_server_to_client);
c$ssh$kex_alg = find_client_preferred_algorithm(client_caps$kex_algorithms, server_caps$kex_algorithms);
c$ssh$host_key_alg = find_client_preferred_algorithm(client_caps$server_host_key_algorithms,
server_caps$server_host_key_algorithms);
c$ssh$cipher_alg = find_bidirectional_alg(client_caps$encryption_algorithms,
server_caps$encryption_algorithms);
c$ssh$mac_alg = find_bidirectional_alg(client_caps$mac_algorithms,
server_caps$mac_algorithms);
c$ssh$compression_alg = find_bidirectional_alg(client_caps$compression_algorithms,
server_caps$compression_algorithms);
c$ssh$kex_alg = find_alg(client_caps$kex_algorithms, server_caps$kex_algorithms);
c$ssh$host_key_alg = find_alg(client_caps$server_host_key_algorithms,
server_caps$server_host_key_algorithms);
}
event connection_state_remove(c: connection) &priority=-5
{
if ( c?$ssh && !c$ssh$logged && c$ssh?$client && c$ssh?$server )
{
if ( c$ssh?$auth_success && !c$ssh$auth_success )
c$ssh$auth_details = fmt("%d failure%s", c$ssh$num_failures, c$ssh$num_failures == 1 ? "" : "s");
c$ssh$logged = T;
Log::write(SSH::LOG, c$ssh);
}