ssh_auth_attempted sets some requisite fields that ssh_auth_successful
relies on. ssh_auth_attempted wasn't getting called because of a logic
error.
For a more complete discussion of this issue, see:
https://github.com/bro/bro/issues/192
The ssh_capabilities event includes the capabilities reported
by either the server or the client. The record also includes a field,
is_server, so that scripts can determine which endpoint is reporting
its capabilities. That field was being set incorrectly (it was being
set as is_client rather than is_server, so it needed to be negated).
This simple bug had some larger repercussions. RFC 4253 provides a
method for client and server to agree on algorithms used in the SSH
connection. Bro was calculating these incorrectly. Some of these, such
as the encryption algorithm, are also used to determine whether or not
Bro should attempt to detect successful versus failed
authentications. In some cases, Bro would get this wrong, and make a
guess when it could not correctly determine the authentication outcome.
This commit marks (hopefully) ever one-parameter constructor as explicit.
It also uses override in (hopefully) all circumstances where a virtual
method is overridden.
There are a very few other minor changes - most of them were necessary
to get everything to compile (like one additional constructor). In one
case I changed an implicit operation to an explicit string conversion -
I think the automatically chosen conversion was much more convoluted.
This took longer than I want to admit but not as long as I feared :)
From the OpenSSH 7.4 changelog:
sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
method. This is identical to the currently-supported method named
"curve25519-sha256@libssh.org".
I replaced a few strcmps with either calls to std::str.compare
or with the == operator of BroString.
Also changed two of the input framework tests that did not pass
anymore after the merge. The new SSH analyzer no longer loads the
scripts that let network time run, hence those tests failed because
updates were not propagated from the threads (that took a while
to find.)
* origin/topic/vladg/ssh: (25 commits)
SSH: Register analyzer for 22/tcp.
SSH: Add 22/tcp to likely_server_ports
SSH: Ignore encrypted packets by default.
SSH: Fix some edge-cases which created BinPAC exceptions
SSH: Add memleak btest
SSH: Update baselines
SSH: Added some more events for SSH2
SSH: Intel framework integration (PUBKEY_HASH)
Update baselines for new SSH analyzer.
Update SSH policy scripts with new events.
SSH: Add documentation
Refactoring ssh-protocol.pac:
SSH: Use the compression_algorithms const in another place.
Some cleanup and refactoring on SSH main.bro.
SSH: A bit of code cleanup.
Move SSH constants to consts.pac
SSH: Cleanup code style.
SSH: Fix some memleaks.
Refactored the SSH analyzer. Added supported for algorithm detection and more key exchange message types.
Add host key support for SSH1.
Add support for SSH1
Move SSH analyzer to new plugin architecture.
...
Conflicts:
scripts/base/protocols/ssh/main.bro
testing/btest/Baseline/core.print-bpf-filters/output2
testing/btest/Baseline/plugins.hooks/output
BIT-1344: #merged
