Merge branch 'patch-4' of https://github.com/aeppert/bro

* 'patch-4' of https://github.com/aeppert/bro:
  (BIT-1545) Add "disable_analyzer_after_detection" en lieu of "skip_processing_after_detection"

I also removed the old disable_analyzer_after_detection option
completely - if someone wants that, they can just catch the event
themselves and call skip_further_processing.

I also adjusted the ssh test case to contain conn.log to prevent
re-addition of this problem in the future.

BIT-1545 #merged

CHANGES

@@ -1,4 +1,12 @@
 
+2.4-307 | 2016-03-07 13:33:45 -0800
+
+  * Add "disable_analyzer_after_detection" and remove
+    "skip_processing_after_detection". Addresses BIT-1545.
+    (Aaron Eppert & Johanna Amann)
+
+  * Add bad_HTTP_request_with_version weird (William Glodek)
+
 2.4-299 | 2016-03-04 12:51:55 -0800
 
   * More detailed installation instructions for FreeBSD 9.X. (Johanna Amann)

NEWS

@@ -51,6 +51,9 @@ New Functionality
 Changed Functionality
 ---------------------
 
+- ``SSH::skip_processing_after_detection`` was removed. The functionality was
+  replaced by ``SSH::disable_analyzer_after_detection``.
+
 - Some script-level identifier have changed their names:
 
       snaplen                  -> Pcap::snaplen

VERSION

@@ -1 +1 @@
-2.4-299
+2.4-307

scripts/base/protocols/ssh/main.bro

@@ -46,11 +46,10 @@ export {
 	## authentication success or failure when compression is enabled.
 	const compression_algorithms = set("zlib", "zlib@openssh.com") &redef;
 
-	## If true, we tell the event engine to not look at further data
+	## If true, after detection detach the SSH analyzer from the connection
-	## packets after the initial SSH handshake. Helps with performance
+	## to prevent continuing to process encrypted traffic. Helps with performance
-	## (especially with large file transfers) but precludes some
+	## (especially with large file transfers).
-	## kinds of analyses. Defaults to T.
+	const disable_analyzer_after_detection = T &redef;
-	const skip_processing_after_detection = T &redef;
 
 	## Event that can be handled to access the SSH record as it is sent on
 	## to the logging framework.
@@ -70,6 +69,8 @@ redef record Info += {
 	# Store capabilities from the first host for
 	# comparison with the second (internal use)
 	capabilities: Capabilities &optional;
+	## Analzyer ID
+	analyzer_id: count         &optional;
 };
 
 redef record connection += {
@@ -130,11 +131,8 @@ event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=5
 
 	c$ssh$auth_success = T;
 
-	if ( skip_processing_after_detection)
+	if ( disable_analyzer_after_detection )
-		{
+		disable_analyzer(c$id, c$ssh$analyzer_id);
-		skip_further_processing(c$id);
-		set_record_packets(c$id, F);
-		}
 	}
 
 event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=-5
@@ -233,3 +231,12 @@ event ssh2_server_host_key(c: connection, key: string) &priority=5
 	{
 	generate_fingerprint(c, key);
 	}
+
+event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
+	{
+		if ( atype == Analyzer::ANALYZER_SSH )
+		{
+		set_session(c);
+		c$ssh$analyzer_id = aid;
+		}
+	}

testing/btest/Baseline/scripts.base.protocols.ssh.basic/conn.log

@@ -0,0 +1,34 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2016-03-07-21-31-43
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1324071333.493287	CXWv6p3arKYeMETxOg	192.168.1.79	51880	131.159.21.1	22	tcp	ssh	6.159326	2669	2501	SF	-	-	0	ShAdDaFf	25	3981	20	3549	(empty)
+1409516196.337184	CjhGID4nQcgTWjvg4c	10.0.0.18	40184	128.2.6.88	41644	tcp	ssh	0.392307	3205	2129	S1	-	-	0	ShADad	12	3837	12	2761	(empty)
+1419870206.101883	CsRx2w45OKnoww6xl4	192.168.2.1	57191	192.168.2.158	22	tcp	ssh	3.862198	576	813	SF	-	-	0	ShAdDaFf	23	1784	16	1653	(empty)
+1419870189.485611	CCvvfg3TEfuqmmG4bh	192.168.2.1	57189	192.168.2.158	22	tcp	ssh	5.267866	4601	2805	S1	-	-	0	ShADad	22	5757	18	3749	(empty)
+1419996264.318569	CRJuHdVW0XPVINV8a	192.168.2.1	55179	192.168.2.158	2200	tcp	ssh	1.124642	1909	1161	S1	-	-	0	ShADad	16	2753	12	1793	(empty)
+1420588548.721272	CPbrpk1qSsw6ESzHV4	192.168.2.1	56594	192.168.2.158	22	tcp	ssh	8.841749	480	537	SF	-	-	0	ShAdDaFf	17	1376	14	1273	(empty)
+1420590124.879760	C6pKV8GSxOnSLghOa	192.168.2.1	56821	192.168.2.158	22	tcp	ssh	1.106250	820	1125	SF	-	-	0	ShAdDaFf	26	2184	20	2173	(empty)
+1420590308.775525	CIPOse170MGiRM1Qf4	192.168.2.1	56837	192.168.2.158	22	tcp	ssh	1.080767	692	997	SF	-	-	0	ShAdDaFf	25	2004	19	1993	(empty)
+1420590322.673363	C7XEbhP654jzLoe3a	192.168.2.1	56845	192.168.2.158	22	tcp	ssh	1.302395	660	965	SF	-	-	0	ShAdDaFf	26	2024	20	2013	(empty)
+1420590636.473213	CJ3xTn1c4Zw9TmAE05	192.168.2.1	56875	192.168.2.158	22	tcp	ssh	12.013506	588	549	SF	-	-	0	ShAdDaFf	19	1588	16	1389	(empty)
+1420590659.422161	CMXxB5GvmoxJFXdTa	192.168.2.1	56878	192.168.2.158	22	tcp	ssh	3.628964	684	825	SF	-	-	0	ShAdDaFf	25	1996	19	1821	(empty)
+1420591379.650462	Caby8b1slFea8xwSmb	192.168.2.1	56940	192.168.2.158	22	tcp	ssh	0.104978	500	609	SF	-	-	0	ShAdDaFf	14	1240	10	1137	(empty)
+1420599430.822385	Che1bq3i2rO3KD1Syg	192.168.2.1	57831	192.168.2.158	22	tcp	ssh	2.758790	576	813	SF	-	-	0	ShAdDaFf	23	1784	18	1757	(empty)
+1420851448.309629	C3SfNE4BWaU4aSuwkc	192.168.2.1	59246	192.168.2.158	22	tcp	ssh	2.046715	2421	3505	S1	-	-	0	ShADad	18	3369	13	4189	(empty)
+1420860616.400297	CwSkQu4eWZCH7OONC1	192.168.1.32	33910	128.2.13.133	22	tcp	ssh	0.660753	3383	2645	S1	-	-	0	ShADad	18	4327	16	3485	(empty)
+1420860283.029061	CEle3f3zno26fFZkrh	192.168.1.32	41164	128.2.10.238	22	tcp	ssh	7.498828	5479	2327	S1	-	-	0	ShADad	21	6579	18	3271	(empty)
+1420868281.639103	CfTOmO0HKorjr8Zp7	192.168.1.32	41268	128.2.10.238	22	tcp	ssh	2.710778	5613	2487	SF	-	-	0	ShADadFf	24	6869	20	3535	(empty)
+1420917487.213378	CzA03V1VcgagLjnO92	192.168.1.31	57621	192.168.1.255	57621	udp	-	-	-	-	S0	-	-	0	D	1	72	0	0	(empty)
+1420917487.213468	CyAhVIzHqb7t7kv28	192.168.1.32	57621	192.168.1.31	57621	udp	-	-	-	-	S0	-	-	0	D	1	72	0	0	(empty)
+1420917487.220407	Cab0vO1xNYSS2hJkle	192.168.1.31	52294	192.168.1.32	22	tcp	ssh	2.807865	3169	1329	S1	-	-	0	ShADad	19	4169	13	2013	(empty)
+1421006072.431795	Cx3C534wEyF3OvvcQe	192.168.1.31	51476	192.168.1.32	8118	tcp	-	0.000539	76	0	SF	-	-	0	DaFfA	6	388	5	284	(empty)
+1421006072.001012	Cx2FqO23omNawSNrxj	192.168.1.31	51489	192.168.1.32	22	tcp	ssh	2.408961	3469	1565	S1	-	-	0	ShAdDa	25	4805	16	2421	(empty)
+1421041176.944687	CkDsfG2YIeWJmXWNWj	192.168.1.32	58641	131.103.20.168	22	tcp	ssh	0.587601	2885	2309	SF	-	-	0	ShADdaFf	16	3725	13	2993	(empty)
+1421041299.738916	CUKS0W3HFYOnBqSE5e	192.168.1.32	58646	131.103.20.168	22	tcp	ssh	0.538385	3517	3197	S1	-	-	0	ShADad	18	4461	16	4037	(empty)
+1421041526.312919	CRrfvP2lalMAYOCLhj	192.168.1.32	58649	131.103.20.168	22	tcp	ssh	0.542213	3517	3197	S1	-	-	0	ShADad	17	4409	16	4037	(empty)
+#close	2016-03-07-21-31-43

testing/btest/scripts/base/protocols/ssh/basic.test

@@ -2,3 +2,4 @@
 
 # @TEST-EXEC: bro -r $TRACES/ssh/ssh.trace %INPUT
 # @TEST-EXEC: btest-diff ssh.log
+# @TEST-EXEC: btest-diff conn.log