Updates related to SSH analysis.

- Some scripts used wrong SSH module/namespace scoping on events. - Fix outdated notice documentation related to SSH password guessing. - Add a unit test for SSH pasword guessing notice.
2025-10-16 13:38:19 +00:00 · 2015-03-30 11:26:32 -05:00 · 2015-03-30 11:26:32 -05:00 · dcbd0819a6
commit dcbd0819a6
parent 97962d25f2
18 changed files with 112 additions and 22 deletions
--- a/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_notice_ssh_guesser_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-doc_frameworks_notice_ssh_guesser_bro/output
@ -0,0 +1,14 @@
+# @TEST-EXEC: cat %INPUT >output && btest-diff output
+
+notice_ssh_guesser.bro
+
+
+@load protocols/ssh/detect-bruteforcing
+
+redef SSH::password_guesses_limit=10;
+
+hook Notice::policy(n: Notice::Info)
+	{
+	if ( n$note == SSH::Password_Guessing && /192\.168\.56\.103/ in n$sub )
+		add n$actions[Notice::ACTION_EMAIL];
+	}
--- a/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ssh_interesting-hostnames_bro/output
+++ b/testing/btest/Baseline/doc.sphinx.include-scripts_policy_protocols_ssh_interesting-hostnames_bro/output
@ -31,7 +31,7 @@ export {
 			/^ftp[0-9]*\./  &redef;
 }

-event SSH::heuristic_successful_login(c: connection)
+event ssh_auth_successful(c: connection, auth_method_none: bool)
 	{
 	for ( host in set(c$id$orig_h, c$id$resp_h) )
 		{
--- a/testing/btest/Baseline/doc.sphinx.notice_ssh_guesser.bro/btest-doc.sphinx.notice_ssh_guesser.bro#1
+++ b/testing/btest/Baseline/doc.sphinx.notice_ssh_guesser.bro/btest-doc.sphinx.notice_ssh_guesser.bro#1
@ -0,0 +1,26 @@
+.. rst-class:: btest-cmd
+
+    .. code-block:: none
+      :linenos:
+      :emphasize-lines: 1,1
+
+      # bro -C -r ssh/sshguess.pcap notice_ssh_guesser.bro
+
+.. rst-class:: btest-cmd
+
+    .. code-block:: none
+      :linenos:
+      :emphasize-lines: 1,1
+
+      # cat notice.log
+      #separator \x09
+      #set_separator	,
+      #empty_field	(empty)
+      #unset_field	-
+      #path	notice
+      #open	2015-03-30-16-20-23
+      #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+      #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+      1427726711.398575	-	-	-	-	-	-	-	-	-	SSH::Password_Guessing	192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections).	Sampled servers:  192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103	192.168.56.1	-	-	-	bro	Notice::ACTION_EMAIL,Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+      #close	2015-03-30-16-20-23
+
--- a/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssh.detect-bruteforcing/notice.log
@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	notice
+#open	2015-03-30-15-43-30
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
+#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
+1427726711.398575	-	-	-	-	-	-	-	-	-	SSH::Password_Guessing	192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections).	Sampled servers:  192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103	192.168.56.1	-	-	-	bro	Notice::ACTION_LOG	3600.000000	F	-	-	-	-	-
+#close	2015-03-30-15-43-30
--- a/testing/btest/Traces/ssh/sshguess.pcap
+++ b/testing/btest/Traces/ssh/sshguess.pcap
--- a/testing/btest/doc/sphinx/include-doc_frameworks_notice_ssh_guesser_bro.btest
+++ b/testing/btest/doc/sphinx/include-doc_frameworks_notice_ssh_guesser_bro.btest
@ -0,0 +1,14 @@
+# @TEST-EXEC: cat %INPUT >output && btest-diff output
+
+notice_ssh_guesser.bro
+
+
+@load protocols/ssh/detect-bruteforcing
+
+redef SSH::password_guesses_limit=10;
+
+hook Notice::policy(n: Notice::Info)
+	{
+	if ( n$note == SSH::Password_Guessing && /192\.168\.56\.103/ in n$sub )
+		add n$actions[Notice::ACTION_EMAIL];
+	}
--- a/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssh_interesting-hostnames_bro.btest
+++ b/testing/btest/doc/sphinx/include-scripts_policy_protocols_ssh_interesting-hostnames_bro.btest
@ -31,7 +31,7 @@ export {
 			/^ftp[0-9]*\./  &redef;
 }

-event SSH::heuristic_successful_login(c: connection)
+event ssh_auth_successful(c: connection, auth_method_none: bool)
 	{
 	for ( host in set(c$id$orig_h, c$id$resp_h) )
 		{
--- a/testing/btest/doc/sphinx/notice_ssh_guesser.bro.btest
+++ b/testing/btest/doc/sphinx/notice_ssh_guesser.bro.btest
@ -0,0 +1,2 @@
+@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/notice_ssh_guesser.bro
+@TEST-EXEC: btest-rst-cmd cat notice.log
--- a/testing/btest/scripts/policy/protocols/ssh/detect-bruteforcing.bro
+++ b/testing/btest/scripts/policy/protocols/ssh/detect-bruteforcing.bro
@ -0,0 +1,5 @@
+# @TEST-EXEC: bro -C -r $TRACES/ssh/sshguess.pcap %INPUT
+# @TEST-EXEC: btest-diff notice.log
+
+@load protocols/ssh/detect-bruteforcing
+redef SSH::password_guesses_limit=10;