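##! Implements base functionality for SSH analysis. Generates the ssh.log file.
# Generated by binpac_quickstart

module SSH;

export {
	redef enum Log::ID += { LOG };

	## One row of ssh.log. A single connection may produce several rows:
	## every authentication outcome the analyzer reports is written as its
	## own record, so consumers must not assume one row per uid.
	type Info: record {
		## Timestamp for when the event happened.
		ts:     time    &log;
		## Unique ID for the connection.
		uid:    string  &log;
		## The connection's 4-tuple of endpoint addresses/ports.
		id:     conn_id &log;
		## The client's version string, exactly as sent on the wire
		## (unvalidated network data; it is only stored and logged here).
		client: string  &log &optional;
		## The server's version string, exactly as sent on the wire.
		server: string  &log &optional;
		## Auth result: "success", "failure", or "unknown" when the
		## connection closed before any auth outcome was observed.
		result: string  &log &optional;
		## Auth method as reported by the analyzer, or "unknown" when the
		## connection closed before any auth outcome was observed.
		method: string  &log &optional;
	};

	## Ports on which the SSH analyzer is registered. Redefinable so that
	## deployments running SSH on non-standard ports can add them.
	const ports = { 22/tcp } &redef;

	## Event that can be handled to access the SSH record as it is sent on
	## to the logging framework.
	global log_ssh: event(rec: Info);
}

redef record connection += {
	ssh: Info &optional;
};

## Ensures ``c$ssh`` exists, creating it with the connection's identifiers
## and the current network time on first use. Every handler below calls
## this, so an auth event seen without a preceding version exchange (e.g.
## a capture that started mid-connection) still produces a log row instead
## of being dropped.
function set_session(c: connection)
	{
	if ( c?$ssh )
		return;

	local info: Info;
	info$ts  = network_time();
	info$uid = c$uid;
	info$id  = c$id;
	c$ssh = info;
	}

## Records the outcome of one authentication attempt and writes it out.
## Shared by the success and failure handlers so both produce identically
## shaped rows.
function log_auth(c: connection, result: string, method: string)
	{
	set_session(c);
	c$ssh$result = result;
	c$ssh$method = method;
	Log::write(SSH::LOG, c$ssh);
	}

event bro_init() &priority=5
	{
	Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh]);
	Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
	}

## Stores the version banner of whichever side sent it.
event ssh_version(c: connection, is_orig: bool, version: string)
	{
	set_session(c);

	if ( is_orig )
		c$ssh$client = version;
	else
		c$ssh$server = version;
	}

## One row per successful authentication.
event ssh_auth_successful(c: connection, method: string)
	{
	log_auth(c, "success", method);
	}

## One row per failed authentication attempt; repeated failures on the same
## connection each get their own row, which is what downstream brute-force
## detection relies on.
event ssh_auth_failed(c: connection, method: string)
	{
	log_auth(c, "failure", method);
	}

## Connections that carried an SSH banner but never reported an auth
## outcome are still logged, with result/method set to "unknown", so they
## are not silently lost.
event connection_closed(c: connection)
	{
	if ( c?$ssh && ! c$ssh?$result )
		{
		c$ssh$result = "unknown";
		c$ssh$method = "unknown";
		Log::write(SSH::LOG, c$ssh);
		}
	}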