Updates related to SSH analysis.

- Some scripts used wrong SSH module/namespace scoping on events. - Fix outdated notice documentation related to SSH password guessing. - Add a unit test for SSH pasword guessing notice.
2025-10-11 19:18:19 +00:00 · 2015-03-30 11:26:32 -05:00 · 2015-03-30 11:26:32 -05:00 · dcbd0819a6
commit dcbd0819a6
parent 97962d25f2
18 changed files with 112 additions and 22 deletions
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@ -57,8 +57,8 @@ export {
 	global log_ssh: event(rec: Info);

 	## Event that can be handled when the analyzer sees an SSH server host
-	## key. This abstracts :bro:id:`SSH::ssh1_server_host_key` and 
-	## :bro:id:`SSH::ssh2_server_host_key`.
+	## key. This abstracts :bro:id:`ssh1_server_host_key` and
+	## :bro:id:`ssh2_server_host_key`.
 	global ssh_server_host_key: event(c: connection, hash: string);
 }

--- a/scripts/policy/protocols/ssh/detect-bruteforcing.bro
+++ b/scripts/policy/protocols/ssh/detect-bruteforcing.bro
@ -69,7 +69,7 @@ event bro_init()
 	                  	}]);
 	}

-event SSH::ssh_auth_successful(c: connection, auth_method_none: bool)
+event ssh_auth_successful(c: connection, auth_method_none: bool)
 	{
 	local id = c$id;

@ -78,7 +78,7 @@ event SSH::ssh_auth_successful(c: connection, auth_method_none: bool)
 	             $where=SSH::SUCCESSFUL_LOGIN]);
 	}

-event SSH::ssh_auth_failed(c: connection)
+event ssh_auth_failed(c: connection)
 	{
 	local id = c$id;

--- a/scripts/policy/protocols/ssh/geo-data.bro
+++ b/scripts/policy/protocols/ssh/geo-data.bro
@ -30,7 +30,7 @@ function get_location(c: connection): geo_location
 	return lookup_location(lookup_ip);
 	}

-event SSH::ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3
+event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3
 	{
 	# Add the location data to the SSH record.
 	c$ssh$remote_location = get_location(c);
@ -45,7 +45,7 @@ event SSH::ssh_auth_successful(c: connection, auth_method_none: bool) &priority=
 		}
 	}

-event SSH::ssh_auth_failed(c: connection) &priority=3
+event ssh_auth_failed(c: connection) &priority=3
 	{
 	# Add the location data to the SSH record.
 	c$ssh$remote_location = get_location(c);
--- a/scripts/policy/protocols/ssh/interesting-hostnames.bro
+++ b/scripts/policy/protocols/ssh/interesting-hostnames.bro
@ -27,7 +27,7 @@ export {
 			/^ftp[0-9]*\./  &redef;
 }

-event SSH::ssh_auth_successful(c: connection, auth_method_none: bool)
+event ssh_auth_successful(c: connection, auth_method_none: bool)
 	{
 	for ( host in set(c$id$orig_h, c$id$resp_h) )
 		{