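##! Implements base functionality for SSH analysis. Generates the ssh.log file.
##!
##! One ssh.log line is written per authentication outcome: every
##! ``ssh_auth_failed`` event writes a "failure" line, the first
##! ``ssh_auth_successful`` event writes a "success" line (later auth events
##! on that connection are ignored), and a connection that closes without
##! any observed outcome is written with result "unknown".

# Generated by binpac_quickstart

module SSH;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		## Timestamp for when the event happened.
		ts:       time    &log;
		## Unique ID for the connection.
		uid:      string  &log;
		## The connection's 4-tuple of endpoint addresses/ports.
		id:       conn_id &log;
		## The client's version string.
		client:   string  &log &optional;
		## The server's version string.
		server:   string  &log &optional;
		## The server's key fingerprint: the MD5 digest of the key rendered
		## as colon-separated hex byte pairs (the legacy OpenSSH fingerprint
		## format). MD5 is not collision-resistant, so treat this as a
		## handle for correlating keys across logs, not as proof of identity.
		host_key: string  &log &optional;
		## Auth result: "success", "failure", or "unknown" when the
		## connection closed before any result was observed.
		result:   string  &log &optional;
		## Auth method as carried by the auth event, or "unknown" when the
		## connection closed before any result was observed.
		method:   string  &log &optional;
	};

	## Event that can be handled to access the SSH record as it is sent on
	## to the logging framework.
	global log_ssh: event(rec: Info);

	## Ports the SSH analyzer is registered for. Redefinable so deployments
	## that run SSH on non-standard ports can extend the set.
	const ports = { 22/tcp } &redef;
}

redef record connection += {
	ssh: Info &optional;
};

## Creates the per-connection SSH record on the first SSH event seen for
## ``c``; a no-op if the record already exists. Shared by both version
## handlers so the record is initialized the same way regardless of which
## side's banner is observed first.
function set_session(c: connection)
	{
	if ( ! c?$ssh )
		{
		local s: SSH::Info;
		s$ts = network_time();
		s$uid = c$uid;
		s$id = c$id;
		c$ssh = s;
		}
	}

# Priority 5 presumably so the stream exists before other bro_init
# handlers that may reference it run.
event bro_init() &priority=5
	{
	Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh]);
	Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
	}

## Records the server's version banner.
event ssh_server_version(c: connection, version: string)
	{
	set_session(c);
	c$ssh$server = version;
	}

## Records the client's version banner.
event ssh_client_version(c: connection, version: string)
	{
	set_session(c);
	c$ssh$client = version;
	}

## Logs a successful authentication. Only the first success per connection
## is written; auth events on a connection with no session record (no
## version exchange seen) are dropped.
event ssh_auth_successful(c: connection, method: string)
	{
	if ( ! c?$ssh || ( c$ssh?$result && c$ssh$result == "success" ) )
		return;

	c$ssh$result = "success";
	c$ssh$method = method;
	Log::write(SSH::LOG, c$ssh);
	}

## Logs a failed authentication attempt. Same guard as
## ssh_auth_successful, but a prior "failure" does not suppress the write:
## each failed attempt produces its own log line for the same uid, so
## attempts per connection can be counted downstream.
event ssh_auth_failed(c: connection, method: string)
	{
	if ( ! c?$ssh || ( c$ssh?$result && c$ssh$result == "success" ) )
		return;

	c$ssh$result = "failure";
	c$ssh$method = method;
	Log::write(SSH::LOG, c$ssh);
	}

## Accounts for SSH connections that ended before any auth outcome was
## observed, so they still appear in ssh.log (with "unknown" result/method).
event connection_closed(c: connection)
	{
	if ( c?$ssh && ! c$ssh?$result )
		{
		c$ssh$result = "unknown";
		c$ssh$method = "unknown";
		Log::write(SSH::LOG, c$ssh);
		}
	}

## Stores the server's host key as an MD5 fingerprint in the legacy
## colon-separated hex form (e.g. "ab:cd:..."; constructed example).
event ssh_server_host_key(c: connection, key: string)
	{
	# No session record yet (host key seen before any version banner):
	# nothing to attach the fingerprint to, matching the original behavior.
	if ( ! c?$ssh )
		return;

	# Split the 32-char hex digest into 16 two-char groups. Element 0 of the
	# result is blanked and the leading ":" that joining then produces is
	# removed by sub(); this presumably compensates for str_split's result
	# vector layout -- TODO confirm against the str_split BIF documentation.
	local lx = str_split(md5_hash(key), vector(2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30));
	lx[0] = "";
	c$ssh$host_key = sub(join_string_vec(lx, ":"), /:/, "");
	}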