Move lookup_addr when statement

Move the when statement to a function so that the connection record is
not in scope. Cloning a connection record is an expensive operation and
this avoids it.
Justin Azoff 2016-08-17 10:41:41 -04:00
parent eebd896f63
commit f9b3f739e4


@ -27,9 +27,7 @@ export {
/^ftp[0-9]*\./ &redef; /^ftp[0-9]*\./ &redef;
} }
event ssh_auth_successful(c: connection, auth_method_none: bool) function check_ssh_hostname(id: conn_id, host: addr)
{
for ( host in set(c$id$orig_h, c$id$resp_h) )
{ {
when ( local hostname = lookup_addr(host) ) when ( local hostname = lookup_addr(host) )
{ {
@ -38,10 +36,17 @@ event ssh_auth_successful(c: connection, auth_method_none: bool)
NOTICE([$note=Interesting_Hostname_Login, NOTICE([$note=Interesting_Hostname_Login,
$msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.", $msg=fmt("Possible SSH login involving a %s %s with an interesting hostname.",
Site::is_local_addr(host) ? "local" : "remote", Site::is_local_addr(host) ? "local" : "remote",
host == c$id$orig_h ? "client" : "server"), host == id$orig_h ? "client" : "server"),
$sub=hostname, $conn=c]); $sub=hostname, $id=id]);
}
} }
} }
} }
event ssh_auth_successful(c: connection, auth_method_none: bool)
{
for ( host in set(c$id$orig_h, c$id$resp_h) )
{
check_ssh_hostname(c$id, host);
}
}
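Review bot: The NOTICE in check_ssh_hostname now sets only `$id=id` where the old code passed `$conn=c`, so the notice most likely loses the connection uid, since the Notice framework normally derives it from `$conn`. Without the uid, an analyst cannot pivot from an Interesting_Hostname_Login notice to the matching conn and ssh log entries. Passing the uid as a plain string avoids this and still keeps the connection record out of the `when` scope: `function check_ssh_hostname(id: conn_id, uid: string, host: addr)`, `$sub=hostname, $id=id, $uid=uid]);`, and at the call site `check_ssh_hostname(c$id, c$uid, host);`. A short comment above the function saying that it exists to keep `c` out of the `when` body would stop a later edit from inlining it again.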