Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-10 10:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Addresses BIT-1831

Browse source 
There is apparently some situation where a field wasn't being populated
which resulted in a reporter messsage.

Thanks to the report from Chris Herdt!
This commit is contained in:
Seth Hall 2017-08-01 16:24:44 -04:00
parent 310ef6974f
commit dbac2b1abb
3 changed files with 17 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

10
scripts/base/protocols/ssh/main.bro
View file

@ -24,7 +24,7 @@ export {
## at least one, since some servers might support no authentication at all.
## It's important to note that not all of these are failures, since
## some servers require two-factor auth (e.g. password AND pubkey)
auth_attempts: count &log &optional;
auth_attempts: count &log &default=0;
## Direction of the connection. If the client was a local host
## logging into an external host, this would be OUTBOUND. INBOUND
## would be set for the opposite situation.
@ -185,13 +185,7 @@ event ssh_auth_attempted(c: connection, authenticated: bool) &priority=5
return;
c$ssh$auth_success = authenticated;
if ( c$ssh?$auth_attempts )
c$ssh$auth_attempts += 1;
else
{
c$ssh$auth_attempts = 1;
}
c$ssh$auth_attempts += 1;
if ( authenticated && disable_analyzer_after_detection )
disable_analyzer(c$id, c$ssh$analyzer_id);