Updates related to SSH analysis.

- Some scripts used wrong SSH module/namespace scoping on events.
- Fix outdated notice documentation related to SSH password guessing.
- Add a unit test for SSH password guessing notice.
This commit is contained in:
Jon Siwek 2015-03-30 11:26:32 -05:00
parent 97962d25f2
commit dcbd0819a6
18 changed files with 112 additions and 22 deletions


@ -1,4 +1,12 @@
2.3-636 | 2015-03-30 11:26:32 -0500
* Updates related to SSH analysis. (Jon Siwek)
- Some scripts used wrong SSH module/namespace scoping on events.
- Fix outdated notice documentation related to SSH password guessing.
- Add a unit test for SSH pasword guessing notice.
2.3-635 | 2015-03-30 11:02:45 -0500 2.3-635 | 2015-03-30 11:02:45 -0500
* Fix outdated documentation unit tests. (Jon Siwek) * Fix outdated documentation unit tests. (Jon Siwek)

NEWS

@ -30,7 +30,7 @@ New Functionality
- Bro now features a completely rewritten, enhanced SSH analyzer. A lot - Bro now features a completely rewritten, enhanced SSH analyzer. A lot
more information about SSH sessions is logged. The analyzer is able to more information about SSH sessions is logged. The analyzer is able to
determine if logins failed or succeeded in most circumstances. determine if logins failed or succeeded in most circumstances.
- Bro's file analysis now supports reassembly of files that are not - Bro's file analysis now supports reassembly of files that are not
transferred/seen sequentially. transferred/seen sequentially.
@ -123,6 +123,8 @@ Changed Functionality
explicitly set. Before, the default path function would always be set explicitly set. Before, the default path function would always be set
for all filters which didn't specify their own ``path_func``. for all filters which didn't specify their own ``path_func``.
- TODO: what SSH events got changed or removed?
Deprecated Functionality Deprecated Functionality
------------------------ ------------------------


@ -1 +1 @@
2.3-635 2.3-636


@ -88,15 +88,15 @@ directly make modifications to the :bro:see:`Notice::Info` record
given as the argument to the hook. given as the argument to the hook.
Here's a simple example which tells Bro to send an email for all notices of Here's a simple example which tells Bro to send an email for all notices of
type :bro:see:`SSH::Password_Guessing` if the server is 10.0.0.1: type :bro:see:`SSH::Password_Guessing` if the guesser attempted to log in to
the server at 192.168.56.103:
.. code:: bro .. btest-include:: ${DOC_ROOT}/frameworks/notice_ssh_guesser.bro
hook Notice::policy(n: Notice::Info) .. btest:: notice_ssh_guesser.bro
{
if ( n$note == SSH::Password_Guessing && n$id$resp_h == 10.0.0.1 ) @TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/notice_ssh_guesser.bro
add n$actions[Notice::ACTION_EMAIL]; @TEST-EXEC: btest-rst-cmd cat notice.log
}
.. note:: .. note::
@ -111,10 +111,9 @@ a hook body to run before default hook bodies might look like this:
.. code:: bro .. code:: bro
hook Notice::policy(n: Notice::Info) &priority=5 hook Notice::policy(n: Notice::Info) &priority=5
{ {
if ( n$note == SSH::Password_Guessing && n$id$resp_h == 10.0.0.1 ) # Insert your code here.
add n$actions[Notice::ACTION_EMAIL]; }
}
Hooks can also abort later hook bodies with the ``break`` keyword. This Hooks can also abort later hook bodies with the ``break`` keyword. This
is primarily useful if one wants to completely preempt processing by is primarily useful if one wants to completely preempt processing by


@ -0,0 +1,10 @@
@load protocols/ssh/detect-bruteforcing
redef SSH::password_guesses_limit=10;
hook Notice::policy(n: Notice::Info)
{
if ( n$note == SSH::Password_Guessing && /192\.168\.56\.103/ in n$sub )
add n$actions[Notice::ACTION_EMAIL];
}
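Review bot: The `/192\.168\.56\.103/ in n$sub` test on the if-line is a substring search over the notice's free-text sub field (the "Sampled servers: …" list visible in the baseline notice.log later on this page), not an address comparison, so it also matches a server such as 192.168.56.1030 and it silently depends on detect-bruteforcing keeping that message format. The reason the example cannot use `n$id$resp_h` as the old text did is also worth stating, since the baseline shows every id.* column unset for this notice. For a documentation example the loose match is acceptable, but the line deserves a comment, e.g. `# Password_Guessing is aggregated over many connections, so n$id is unset; the guessed servers only appear as text in n$sub, hence a substring match rather than an address comparison.` The same script is duplicated verbatim in the two later new-file sections (the sphinx include test and its baseline), so any change here has to be mirrored there.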


@ -57,8 +57,8 @@ export {
global log_ssh: event(rec: Info); global log_ssh: event(rec: Info);
## Event that can be handled when the analyzer sees an SSH server host ## Event that can be handled when the analyzer sees an SSH server host
## key. This abstracts :bro:id:`SSH::ssh1_server_host_key` and ## key. This abstracts :bro:id:`ssh1_server_host_key` and
## :bro:id:`SSH::ssh2_server_host_key`. ## :bro:id:`ssh2_server_host_key`.
global ssh_server_host_key: event(c: connection, hash: string); global ssh_server_host_key: event(c: connection, hash: string);
} }


@ -69,7 +69,7 @@ event bro_init()
}]); }]);
} }
event SSH::ssh_auth_successful(c: connection, auth_method_none: bool) event ssh_auth_successful(c: connection, auth_method_none: bool)
{ {
local id = c$id; local id = c$id;
@ -78,7 +78,7 @@ event SSH::ssh_auth_successful(c: connection, auth_method_none: bool)
$where=SSH::SUCCESSFUL_LOGIN]); $where=SSH::SUCCESSFUL_LOGIN]);
} }
event SSH::ssh_auth_failed(c: connection) event ssh_auth_failed(c: connection)
{ {
local id = c$id; local id = c$id;
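Review bot: With the handlers renamed to the globally declared `ssh_auth_successful` and `ssh_auth_failed` events, this file's logic becomes reachable, but the only test added by the commit (the sshguess.pcap notice test at the end of the page) drives the failed-login path; the `ssh_auth_successful` branch that fills in `$where=SSH::SUCCESSFUL_LOGIN` at the top of the hunk, and the identically renamed handlers in the geo-location and hostname hunks further down, get no coverage. If a trace with a confirmed successful SSH login is available under $TRACES, a btest asserting the resulting log output would guard against the same silent no-op regression these handlers just had. Both handler bodies continue outside the hunk, so I cannot tell from here whether the new `auth_method_none` argument is consumed.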


@ -30,7 +30,7 @@ function get_location(c: connection): geo_location
return lookup_location(lookup_ip); return lookup_location(lookup_ip);
} }
event SSH::ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3 event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3
{ {
# Add the location data to the SSH record. # Add the location data to the SSH record.
c$ssh$remote_location = get_location(c); c$ssh$remote_location = get_location(c);
@ -45,7 +45,7 @@ event SSH::ssh_auth_successful(c: connection, auth_method_none: bool) &priority=
} }
} }
event SSH::ssh_auth_failed(c: connection) &priority=3 event ssh_auth_failed(c: connection) &priority=3
{ {
# Add the location data to the SSH record. # Add the location data to the SSH record.
c$ssh$remote_location = get_location(c); c$ssh$remote_location = get_location(c);


@ -27,7 +27,7 @@ export {
/^ftp[0-9]*\./ &redef; /^ftp[0-9]*\./ &redef;
} }
event SSH::ssh_auth_successful(c: connection, auth_method_none: bool) event ssh_auth_successful(c: connection, auth_method_none: bool)
{ {
for ( host in set(c$id$orig_h, c$id$resp_h) ) for ( host in set(c$id$orig_h, c$id$resp_h) )
{ {


@ -0,0 +1,14 @@
# @TEST-EXEC: cat %INPUT >output && btest-diff output
notice_ssh_guesser.bro
@load protocols/ssh/detect-bruteforcing
redef SSH::password_guesses_limit=10;
hook Notice::policy(n: Notice::Info)
{
if ( n$note == SSH::Password_Guessing && /192\.168\.56\.103/ in n$sub )
add n$actions[Notice::ACTION_EMAIL];
}


@ -31,7 +31,7 @@ export {
/^ftp[0-9]*\./ &redef; /^ftp[0-9]*\./ &redef;
} }
event SSH::heuristic_successful_login(c: connection) event ssh_auth_successful(c: connection, auth_method_none: bool)
{ {
for ( host in set(c$id$orig_h, c$id$resp_h) ) for ( host in set(c$id$orig_h, c$id$resp_h) )
{ {
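Review bot: The new event line replaces the old `heuristic_successful_login(c)` handler with `ssh_auth_successful(c, auth_method_none)`, but nothing in the hunk consumes `auth_method_none`, so a reader will wonder whether it is deliberately ignored; a one-line comment above the event would settle that, e.g. `# auth_method_none is not relevant to the hostname check; fire on any confirmed login.` If the intent is broader, a confirmed login that used the "none" method against a host matched here is a stronger signal than an ordinary login and could be reflected in the notice's msg. The for-loop body and whatever notice it presumably raises continue outside the hunk, and the same rename appears again in the second identical hunk near the end of the page, which would need the same comment.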


@ -0,0 +1,26 @@
.. rst-class:: btest-cmd
.. code-block:: none
:linenos:
:emphasize-lines: 1,1
# bro -C -r ssh/sshguess.pcap notice_ssh_guesser.bro
.. rst-class:: btest-cmd
.. code-block:: none
:linenos:
:emphasize-lines: 1,1
# cat notice.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2015-03-30-16-20-23
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1427726711.398575 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - bro Notice::ACTION_EMAIL,Notice::ACTION_LOG 3600.000000 F - - - - -
#close 2015-03-30-16-20-23


@ -0,0 +1,10 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2015-03-30-15-43-30
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1427726711.398575 - - - - - - - - - SSH::Password_Guessing 192.168.56.1 appears to be guessing SSH passwords (seen in 10 connections). Sampled servers: 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103, 192.168.56.103 192.168.56.1 - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
#close 2015-03-30-15-43-30

Binary file not shown.


@ -0,0 +1,14 @@
# @TEST-EXEC: cat %INPUT >output && btest-diff output
notice_ssh_guesser.bro
@load protocols/ssh/detect-bruteforcing
redef SSH::password_guesses_limit=10;
hook Notice::policy(n: Notice::Info)
{
if ( n$note == SSH::Password_Guessing && /192\.168\.56\.103/ in n$sub )
add n$actions[Notice::ACTION_EMAIL];
}


@ -31,7 +31,7 @@ export {
/^ftp[0-9]*\./ &redef; /^ftp[0-9]*\./ &redef;
} }
event SSH::heuristic_successful_login(c: connection) event ssh_auth_successful(c: connection, auth_method_none: bool)
{ {
for ( host in set(c$id$orig_h, c$id$resp_h) ) for ( host in set(c$id$orig_h, c$id$resp_h) )
{ {


@ -0,0 +1,2 @@
@TEST-EXEC: btest-rst-cmd bro -C -r ${TRACES}/ssh/sshguess.pcap ${DOC_ROOT}/frameworks/notice_ssh_guesser.bro
@TEST-EXEC: btest-rst-cmd cat notice.log


@ -0,0 +1,5 @@
# @TEST-EXEC: bro -C -r $TRACES/ssh/sshguess.pcap %INPUT
# @TEST-EXEC: btest-diff notice.log
@load protocols/ssh/detect-bruteforcing
redef SSH::password_guesses_limit=10;