Mirror of https://github.com/zeek/zeek.git, synced 2025-10-11 02:58:20 +00:00
Fixing documentation piece.
The interesting-hostname script has changed.
Parent: 84bfd53e52
Commit: d9ba7ea0dd
5 changed files with 61 additions and 26 deletions
CHANGES (20 lines changed)
|
@ -1,4 +1,24 @@
|
|||
|
||||
2.5-beta-54 | 2016-10-06 14:24:01 -0700
|
||||
|
||||
* Fixing documentation piece on the interesting-hostname script.
|
||||
(Robin Sommer)
|
||||
|
||||
* Use the deterministic bro_random() in a test, instead of os
|
||||
random(). (Johanna Amann)
|
||||
|
||||
* Adapt a test to an output change on FreeBSD 11.0. (Johanna Amann)
|
||||
|
||||
* Prevent loading version.bro during plugins.hooks test. (Johanna Amann)
|
||||
|
||||
* Add missing path canonifier to version test. (Johanna Amann)
|
||||
|
||||
* Update documentation license. (Johanna Amann)
|
||||
|
||||
* Improve the SMB documentation. (Vlad Grigorescu)
|
||||
|
||||
* Add script API to access Bro version information. (Johanna Amann)
|
||||
|
||||
2.5-beta-35 | 2016-10-02 17:38:31 -0400
|
||||
|
||||
* Normalize http host in seen script. (Johanna Amann)
|
||||
|
|
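Review bot: the new top entry, "Fixing documentation piece on the interesting-hostname script", undersells what this commit does and breaks the imperative style of the entries below it ("Use", "Adapt", "Add"). Besides the doc fix, the script itself is refactored so the notice is raised from a separate `check_ssh_hostname()` with `$id`/`$uid` instead of `$conn`, which is visible to anyone consuming that notice. Suggest something like "Refactor interesting-hostnames.bro so the when-statement does not capture the connection record, and update the Notice Framework documentation to match."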
VERSION (2 lines changed)
|
@ -1 +1 @@
|
|||
2.5-beta-35
|
||||
2.5-beta-54
|
||||
|
|
|
@ -1116,7 +1116,7 @@ Policy, but the script attempts to supply as much information as
|
|||
possible while staying concise.
|
||||
|
||||
.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ssh/interesting-hostnames.bro
|
||||
:lines: 1-46
|
||||
:lines: 1-52
|
||||
|
||||
While much of the script relates to the actual detection, the parts
|
||||
specific to the Notice Framework are actually quite interesting in
|
||||
|
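Review bot: `:lines: 1-52` is still a hard-coded line count, so it will drift silently the next time interesting-hostnames.bro changes, exactly as it did here. Going by the line numbering of the `@ -31,20 +31,26 @@` script hunk below, new line 52 is the `{` that opens the `for` loop in `ssh_auth_successful`, so the `check_ssh_hostname(c$id, c$uid, host);` call on the next line, the one that ties the handler to the new function the prose talks about, is cut out of the rendered excerpt; `1-55` would show the complete handler. If `btest-include` supports marker-based selection, that would be sturdier than line numbers.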
@ -1124,8 +1124,11 @@ themselves. The script's ``export`` block adds the value
|
|||
``SSH::Interesting_Hostname_Login`` to the enumerable constant
|
||||
``Notice::Type`` to indicate to the Bro core that a new type of notice
|
||||
is being defined. The script then calls ``NOTICE`` and defines the
|
||||
``$note``, ``$msg``, ``$sub`` and ``$conn`` fields of the
|
||||
:bro:type:`Notice::Info` record. There are two ternary if
|
||||
``$note``, ``$msg``, ``$sub``, ``id``, and ``$uid`` fields of the
|
||||
:bro:type:`Notice::Info` record. (More commonly, one would set
|
||||
``$conn`` instead, however this script avoids using the connection
|
||||
record inside the when-statement for performance reasons.)
|
||||
There are two ternary if
|
||||
statements that modify the ``$msg`` text depending on whether the
|
||||
host is a local address and whether it is the client or the server.
|
||||
This use of :bro:id:`fmt` and ternary operators is a concise way to
|
||||
|
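Review bot: in the new field list, ``id`` lacks the ``$`` prefix that ``$note``, ``$msg``, ``$sub`` and ``$uid`` carry, and the script sets it as `$id=id`; it should read ``$id``. Minor wording: "however this script avoids" inside the parenthetical reads better as "but this script avoids", or as a second sentence.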
|
|
@ -31,20 +31,26 @@ export {
|
|||
/^ftp[0-9]*\./ &redef;
|
||||
}
|
||||
|
||||
function check_ssh_hostname(id: conn_id, uid: string, host: addr)
|
||||
{
|
||||
when ( local hostname = lookup_addr(host) )
|
||||
{
|
||||
if ( interesting_hostnames in hostname )
|
||||
{
|
||||
NOTICE([$note=Interesting_Hostname_Login,
|
||||
$msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
|
||||
Site::is_local_addr(host) ? "local" : "remote",
|
||||
host == id$orig_h ? "client" : "server"),
|
||||
$sub=hostname, $id=id, $uid=uid]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
event ssh_auth_successful(c: connection, auth_method_none: bool)
|
||||
{
|
||||
for ( host in set(c$id$orig_h, c$id$resp_h) )
|
||||
{
|
||||
when ( local hostname = lookup_addr(host) )
|
||||
{
|
||||
if ( interesting_hostnames in hostname )
|
||||
{
|
||||
NOTICE([$note=Interesting_Hostname_Login,
|
||||
$msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
|
||||
Site::is_local_addr(host) ? "local" : "remote",
|
||||
host == c$id$orig_h ? "client" : "server"),
|
||||
$sub=hostname, $conn=c]);
|
||||
}
|
||||
}
|
||||
check_ssh_hostname(c$id, c$uid, host);
|
||||
}
|
||||
}
|
||||
|
||||
|
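Review bot: the new `check_ssh_hostname()` has no `##` doc comment. The only reason for lifting the `when` out of the event handler is the one stated in the doc change (not copying the `connection` record into the `when` closure), and that rationale belongs on the function itself so the next person does not fold it back into `ssh_auth_successful`. Also, the `when` block still has no `timeout` clause; if a lookup that never completes is meant to produce no notice at all, a one-line comment saying so would pre-empt the question.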
|
|
@ -31,20 +31,26 @@ export {
|
|||
/^ftp[0-9]*\./ &redef;
|
||||
}
|
||||
|
||||
function check_ssh_hostname(id: conn_id, uid: string, host: addr)
|
||||
{
|
||||
when ( local hostname = lookup_addr(host) )
|
||||
{
|
||||
if ( interesting_hostnames in hostname )
|
||||
{
|
||||
NOTICE([$note=Interesting_Hostname_Login,
|
||||
$msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
|
||||
Site::is_local_addr(host) ? "local" : "remote",
|
||||
host == id$orig_h ? "client" : "server"),
|
||||
$sub=hostname, $id=id, $uid=uid]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
event ssh_auth_successful(c: connection, auth_method_none: bool)
|
||||
{
|
||||
for ( host in set(c$id$orig_h, c$id$resp_h) )
|
||||
{
|
||||
when ( local hostname = lookup_addr(host) )
|
||||
{
|
||||
if ( interesting_hostnames in hostname )
|
||||
{
|
||||
NOTICE([$note=Interesting_Hostname_Login,
|
||||
$msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
|
||||
Site::is_local_addr(host) ? "local" : "remote",
|
||||
host == c$id$orig_h ? "client" : "server"),
|
||||
$sub=hostname, $conn=c]);
|
||||
}
|
||||
}
|
||||
check_ssh_hostname(c$id, c$uid, host);
|
||||
}
|
||||
}
|
||||
|
||||
|
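Review bot: dropping `$conn=c` from the NOTICE call means the `Notice::Info` for `Interesting_Hostname_Login` no longer carries a connection record, only `$id` and `$uid`. Any `Notice::policy` hook or notice extension that reads `n$conn` for this type without first checking `n?$conn` will now hit a missing-field error at runtime, so this is a behaviour change for consumers that deserves a mention in CHANGES; the hunk itself is correct as written.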
|