mirror of
https://github.com/zeek/zeek.git
synced 2025-10-05 08:08:19 +00:00
Merge branch 'patch-4' of https://github.com/aeppert/bro
* 'patch-4' of https://github.com/aeppert/bro: (BIT-1545) Add "disable_analyzer_after_detection" en lieu of "skip_processing_after_detection" I also removed the old disable_analyzer_after_detection option completely - if someone wants that, they can just catch the event themselves and call skip_further_processing. I also adjusted the ssh test case to contain conn.log to prevent re-addition of this problem in the future. BIT-1545 #merged
This commit is contained in:
Johanna Amann
commit
f89874b9e9
6 changed files with 66 additions and 13 deletions
|
|
@ -46,11 +46,10 @@ export {
|
|||
## authentication success or failure when compression is enabled.
|
||||
const compression_algorithms = set("zlib", "zlib@openssh.com") &redef;
|
||||
|
||||
## If true, we tell the event engine to not look at further data
|
||||
## packets after the initial SSH handshake. Helps with performance
|
||||
## (especially with large file transfers) but precludes some
|
||||
## kinds of analyses. Defaults to T.
|
||||
const skip_processing_after_detection = T &redef;
|
||||
## If true, after detection detach the SSH analyzer from the connection
|
||||
## to prevent continuing to process encrypted traffic. Helps with performance
|
||||
## (especially with large file transfers).
|
||||
const disable_analyzer_after_detection = T &redef;
|
||||
|
||||
## Event that can be handled to access the SSH record as it is sent on
|
||||
## to the logging framework.
|
||||
|
|
@ -70,6 +69,8 @@ redef record Info += {
|
|||
# Store capabilities from the first host for
|
||||
# comparison with the second (internal use)
|
||||
capabilities: Capabilities &optional;
|
||||
## Analzyer ID
|
||||
analyzer_id: count &optional;
|
||||
};
|
||||
|
||||
redef record connection += {
|
||||
|
|
@ -130,11 +131,8 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
|
|||
|
||||
c$ssh$auth_success = T;
|
||||
|
||||
if ( skip_processing_after_detection)
|
||||
{
|
||||
skip_further_processing(c$id);
|
||||
set_record_packets(c$id, F);
|
||||
}
|
||||
if ( disable_analyzer_after_detection )
|
||||
disable_analyzer(c$id, c$ssh$analyzer_id);
|
||||
}
|
||||
|
||||
event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5
|
||||
|
|
@ -179,7 +177,7 @@ function find_bidirectional_alg(client_prefs: Algorithm_Prefs, server_prefs: Alg
|
|||
# Usually these are the same, but if they're not, return the details
|
||||
return c_to_s == s_to_c ? c_to_s : fmt("To server: %s, to client: %s", c_to_s, s_to_c);
|
||||
}
|
||||
|
||||
|
||||
event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities)
|
||||
{
|
||||
if ( !c?$ssh || ( c$ssh?$capabilities && c$ssh$capabilities$is_server == capabilities$is_server ) )
|
||||
|
|
@ -233,3 +231,12 @@ event ssh2_server_host_key(c: connection, key: string) &priority=5
|
|||
{
|
||||
generate_fingerprint(c, key);
|
||||
}
|
||||
|
||||
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
|
||||
{
|
||||
if ( atype == Analyzer::ANALYZER_SSH )
|
||||
{
|
||||
set_session(c);
|
||||
c$ssh$analyzer_id = aid;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue