diff --git a/CHANGES b/CHANGES
index 3298e6fbe1..62a07a4993 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,12 @@
+2.4-307 | 2016-03-07 13:33:45 -0800
+
+ * Add "disable_analyzer_after_detection" and remove
+ "skip_processing_after_detection". Addresses BIT-1545.
+ (Aaron Eppert & Johanna Amann)
+
+ * Add bad_HTTP_request_with_version weird (William Glodek)
+
 2.4-299 | 2016-03-04 12:51:55 -0800
 
 * More detailed installation instructions for FreeBSD 9.X. (Johanna Amann)
 
diff --git a/NEWS b/NEWS
index e8c0268644..fecf7ad336 100644
--- a/NEWS
+++ b/NEWS
@@ -51,6 +51,9 @@ New Functionality
 Changed Functionality
 ---------------------
 
+- ``SSH::skip_processing_after_detection`` was removed. The functionality was
+ replaced by ``SSH::disable_analyzer_after_detection``.
+
 - Some script-level identifier have changed their names:
 
 snaplen -> Pcap::snaplen
diff --git a/VERSION b/VERSION
index bfdb465c2d..633b8e97fc 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.4-299
+2.4-307
diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro
index d9e1e2b3cf..fad2da0b8e 100644
--- a/scripts/base/protocols/ssh/main.bro
+++ b/scripts/base/protocols/ssh/main.bro
@@ -46,11 +46,10 @@ export {
 ## authentication success or failure when compression is enabled.
 const compression_algorithms = set("zlib", "zlib@openssh.com") &redef;
 
- ## If true, we tell the event engine to not look at further data
- ## packets after the initial SSH handshake. Helps with performance
- ## (especially with large file transfers) but precludes some
- ## kinds of analyses. Defaults to T.
- const skip_processing_after_detection = T &redef;
+ ## If true, after detection detach the SSH analyzer from the connection
+ ## to prevent continuing to process encrypted traffic. Helps with performance
+ ## (especially with large file transfers).
+ const disable_analyzer_after_detection = T &redef;
 
 ## Event that can be handled to access the SSH record as it is sent on
 ## to the logging framework.
@@ -70,6 +69,8 @@ redef record Info += {
 # Store capabilities from the first host for
 # comparison with the second (internal use)
 capabilities: Capabilities &optional;
+ ## Analzyer ID
+ analyzer_id: count &optional;
 };
 
 redef record connection += {
@@ -130,11 +131,8 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
 
 c$ssh$auth_success = T;
 
- if ( skip_processing_after_detection)
- {
- skip_further_processing(c$id);
- set_record_packets(c$id, F);
- }
+ if ( disable_analyzer_after_detection )
+ disable_analyzer(c$id, c$ssh$analyzer_id);
 }
 
 event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5
@@ -179,7 +177,7 @@ function find_bidirectional_alg(client_prefs: Algorithm_Prefs, server_prefs: Alg
 # Usually these are the same, but if they're not, return the details
 return c_to_s == s_to_c ? c_to_s : fmt("To server: %s, to client: %s", c_to_s, s_to_c);
 }
-
+
 event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities)
 {
 if ( !c?$ssh || ( c$ssh?$capabilities && c$ssh$capabilities$is_server == capabilities$is_server ) )
@@ -233,3 +231,12 @@ event ssh2_server_host_key(c: connection, key: string) &priority=5
 {
 generate_fingerprint(c, key);
 }
+
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
+ {
+ if ( atype == Analyzer::ANALYZER_SSH )
+ {
+ set_session(c);
+ c$ssh$analyzer_id = aid;
+ }
+ }
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log
new file mode 100644
index 0000000000..9362c3742e
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log
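Review bot: The doc comment on the new `analyzer_id` field is misspelled: `## Analzyer ID` should read `## Analyzer ID`, and because `##` comments feed the generated script documentation the typo is user-visible. The comment would also help more if it said why the field exists, e.g. `## ID of the SSH analyzer attached to this connection, kept so it can be detached later (internal use).`. The `redef record Info` block starts outside this hunk.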
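Review bot: `disable_analyzer(c$id, c$ssh$analyzer_id)` reads an `&optional` field without checking that it is set, so if `ssh_auth_successful` runs for a connection whose `analyzer_id` was never recorded the field access raises a runtime error rather than simply skipping the detach. Guarding the call, `if ( disable_analyzer_after_detection && c$ssh?$analyzer_id )`, keeps the option best-effort. The removed branch also called `set_record_packets(c$id, F)`, which the replacement does not; if continuing to record packets after detection is intended, it is worth saying so in the option's doc comment, since the old comment described that trade-off and the new one does not. The enclosing `ssh_auth_successful` handler starts outside this hunk.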
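Review bot: The new `protocol_confirmation` handler carries no comment explaining why it runs at `&priority=20`, and the coupling between it and the later `disable_analyzer` call is not visible at either site. A one-line comment such as `## Remember the SSH analyzer's ID so ssh_auth_successful can detach it; high priority so the ID is stored before other handlers look at it.` would make the dependency explicit. `set_session` is defined outside this hunk, so whether it always leaves `c$ssh` set before the assignment cannot be confirmed from here.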
@@ -0,0 +1,34 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open 2016-03-07-21-31-43 +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +1324071333.493287 CXWv6p3arKYeMETxOg 192.168.1.79 51880 131.159.21.1 22 tcp ssh 6.159326 2669 2501 SF - - 0 ShAdDaFf 25 3981 20 3549 (empty) +1409516196.337184 CjhGID4nQcgTWjvg4c 10.0.0.18 40184 128.2.6.88 41644 tcp ssh 0.392307 3205 2129 S1 - - 0 ShADad 12 3837 12 2761 (empty) +1419870206.101883 CsRx2w45OKnoww6xl4 192.168.2.1 57191 192.168.2.158 22 tcp ssh 3.862198 576 813 SF - - 0 ShAdDaFf 23 1784 16 1653 (empty) +1419870189.485611 CCvvfg3TEfuqmmG4bh 192.168.2.1 57189 192.168.2.158 22 tcp ssh 5.267866 4601 2805 S1 - - 0 ShADad 22 5757 18 3749 (empty) +1419996264.318569 CRJuHdVW0XPVINV8a 192.168.2.1 55179 192.168.2.158 2200 tcp ssh 1.124642 1909 1161 S1 - - 0 ShADad 16 2753 12 1793 (empty) +1420588548.721272 CPbrpk1qSsw6ESzHV4 192.168.2.1 56594 192.168.2.158 22 tcp ssh 8.841749 480 537 SF - - 0 ShAdDaFf 17 1376 14 1273 (empty) +1420590124.879760 C6pKV8GSxOnSLghOa 192.168.2.1 56821 192.168.2.158 22 tcp ssh 1.106250 820 1125 SF - - 0 ShAdDaFf 26 2184 20 2173 (empty) +1420590308.775525 CIPOse170MGiRM1Qf4 192.168.2.1 56837 192.168.2.158 22 tcp ssh 1.080767 692 997 SF - - 0 ShAdDaFf 25 2004 19 1993 (empty) +1420590322.673363 C7XEbhP654jzLoe3a 192.168.2.1 56845 192.168.2.158 22 tcp ssh 1.302395 660 965 SF - - 0 ShAdDaFf 26 2024 20 2013 (empty) +1420590636.473213 CJ3xTn1c4Zw9TmAE05 192.168.2.1 56875 192.168.2.158 22 tcp ssh 12.013506 588 549 SF - - 0 ShAdDaFf 19 1588 16 1389 (empty) +1420590659.422161 CMXxB5GvmoxJFXdTa 192.168.2.1 56878 192.168.2.158 22 tcp ssh 3.628964 684 825 SF - - 0 
ShAdDaFf 25 1996 19 1821 (empty) +1420591379.650462 Caby8b1slFea8xwSmb 192.168.2.1 56940 192.168.2.158 22 tcp ssh 0.104978 500 609 SF - - 0 ShAdDaFf 14 1240 10 1137 (empty) +1420599430.822385 Che1bq3i2rO3KD1Syg 192.168.2.1 57831 192.168.2.158 22 tcp ssh 2.758790 576 813 SF - - 0 ShAdDaFf 23 1784 18 1757 (empty) +1420851448.309629 C3SfNE4BWaU4aSuwkc 192.168.2.1 59246 192.168.2.158 22 tcp ssh 2.046715 2421 3505 S1 - - 0 ShADad 18 3369 13 4189 (empty) +1420860616.400297 CwSkQu4eWZCH7OONC1 192.168.1.32 33910 128.2.13.133 22 tcp ssh 0.660753 3383 2645 S1 - - 0 ShADad 18 4327 16 3485 (empty) +1420860283.029061 CEle3f3zno26fFZkrh 192.168.1.32 41164 128.2.10.238 22 tcp ssh 7.498828 5479 2327 S1 - - 0 ShADad 21 6579 18 3271 (empty) +1420868281.639103 CfTOmO0HKorjr8Zp7 192.168.1.32 41268 128.2.10.238 22 tcp ssh 2.710778 5613 2487 SF - - 0 ShADadFf 24 6869 20 3535 (empty) +1420917487.213378 CzA03V1VcgagLjnO92 192.168.1.31 57621 192.168.1.255 57621 udp - - - - S0 - - 0 D 1 72 0 0 (empty) +1420917487.213468 CyAhVIzHqb7t7kv28 192.168.1.32 57621 192.168.1.31 57621 udp - - - - S0 - - 0 D 1 72 0 0 (empty) +1420917487.220407 Cab0vO1xNYSS2hJkle 192.168.1.31 52294 192.168.1.32 22 tcp ssh 2.807865 3169 1329 S1 - - 0 ShADad 19 4169 13 2013 (empty) +1421006072.431795 Cx3C534wEyF3OvvcQe 192.168.1.31 51476 192.168.1.32 8118 tcp - 0.000539 76 0 SF - - 0 DaFfA 6 388 5 284 (empty) +1421006072.001012 Cx2FqO23omNawSNrxj 192.168.1.31 51489 192.168.1.32 22 tcp ssh 2.408961 3469 1565 S1 - - 0 ShAdDa 25 4805 16 2421 (empty) +1421041176.944687 CkDsfG2YIeWJmXWNWj 192.168.1.32 58641 131.103.20.168 22 tcp ssh 0.587601 2885 2309 SF - - 0 ShADdaFf 16 3725 13 2993 (empty) +1421041299.738916 CUKS0W3HFYOnBqSE5e 192.168.1.32 58646 131.103.20.168 22 tcp ssh 0.538385 3517 3197 S1 - - 0 ShADad 18 4461 16 4037 (empty) +1421041526.312919 CRrfvP2lalMAYOCLhj 192.168.1.32 58649 131.103.20.168 22 tcp ssh 0.542213 3517 3197 S1 - - 0 ShADad 17 4409 16 4037 (empty) +#close 2016-03-07-21-31-43 
diff --git a/testing/btest/scripts/base/protocols/ssh/basic.test b/testing/btest/scripts/base/protocols/ssh/basic.test
index 30e726e1f5..dfa7eb0d49 100644
--- a/testing/btest/scripts/base/protocols/ssh/basic.test
+++ b/testing/btest/scripts/base/protocols/ssh/basic.test
@@ -1,4 +1,5 @@
 # This tests some SSH connections and the output log.
 
 # @TEST-EXEC: bro -r $TRACES/ssh/ssh.trace %INPUT
-# @TEST-EXEC: btest-diff ssh.log
\ No newline at end of file
+# @TEST-EXEC: btest-diff ssh.log
+# @TEST-EXEC: btest-diff conn.log