Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
9240 commits 386 branches 195 tags 256 MiB
Commit graph

9 commits

Author SHA1 Message Date
Jon Siwek
30da2f83d0 GH-566: fix cases where ssh_encrypted_packet event wasn't raised 
When encrypted data was bundled within the same segment as the NewKeys
message, it wasn't not reported via a ssh_encrypted_package event as
it should have been.
 2019-09-03 17:34:24 -07:00
Robin Sommer
789cb376fd GH-239: Rename bro to zeek, bro-config to zeek-config, and bro-path-dev to zeek-path-dev. 
This also installs symlinks from "zeek" and "bro-config" to a wrapper
script that prints a deprecation warning.

The btests pass, but this is still WIP. broctl renaming is still
missing.

#239
 2019-05-01 21:43:45 +00:00
Vlad Grigorescu
d7fbaad024 Add btest for new SSH curve25519 KEX 2017-10-05 14:36:13 -05:00
Johanna Amann
8ce746cc25 Merge remote-tracking branch 'origin/topic/vladg/bit-1641' 
* origin/topic/vladg/bit-1641:
  Logic fix for ssh/main.bro when the auth status is indeterminate, and fix a test. Addresses BIT-1641.
  Clean up the logic for ssh_auth_failed. Addresses BIT-1641
  Update baselines for adding a field to ssh.log as part of BIT-1641
  Script-land changes for BIT-1641.
  Change SSH.cc to use ssh_auth_attempted instead of ssh_auth_failed. Addresses BIT-1641.
  Revert "Fixing duplicate SSH authentication failure events."
  Create new SSH events ssh_auth_attempt and ssh_auth_result. Add auth_attempts to SSH::Info. Address BIT-1641.

I extended the tests a bit and did some small cleanups. I also moved the
SSH events back to the global namespace for backwards compatibility and
for consistency (the way it was at the moment, some of them were global
some SSH::).

Furthermore, I fixed the ssh_auth_result result event, it was only
raised in the success case. ssh_auth_result is now also checked in the
testcases. I also have a suspicion that the intel integration never
really worked before.

BIT-1641 #merged
 2016-10-18 21:57:27 -04:00
Vlad Grigorescu
70aaffbaac Logic fix for ssh/main.bro when the auth status is indeterminate, and fix a test. Addresses BIT-1641. 2016-10-14 09:14:22 -05:00
Johanna Amann
bac1bd5bdf Merge remote-tracking branch 'origin/topic/robin/bit-1641' 
* origin/topic/robin/bit-1641:
  Fixing duplicate SSH authentication failure events.

I changed the test slightly; the output of uniq is not stable between
operating systems (on OS-X, it emits a space, on Linux it apparently
emits a tab). I removed the call to uniq - sort by itself is enough to
create a difference if there are duplicate entries.

Addresses BIT-1641
 2016-08-02 15:28:31 -07:00
Robin Sommer
176d9f23be Fixing duplicate SSH authentication failure events. 
We now do not raise more than one failure event per connection.

Addresses BIT-1641.
 2016-08-01 12:42:03 -07:00
Johanna Amann
f89874b9e9 Merge branch 'patch-4' of https://github.com/aeppert/bro 
* 'patch-4' of https://github.com/aeppert/bro:
  (BIT-1545) Add "disable_analyzer_after_detection" en lieu of "skip_processing_after_detection"

I also removed the old disable_analyzer_after_detection option
completely - if someone wants that, they can just catch the event
themselves and call skip_further_processing.

I also adjusted the ssh test case to contain conn.log to prevent
re-addition of this problem in the future.

BIT-1545 #merged
 2016-03-07 13:39:28 -08:00
Vlad Grigorescu
be6188bf00 SSH: Update baselines 2015-03-18 13:02:33 -04:00