mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
120 lines
No EOL
2.9 KiB
Text
120 lines
No EOL
2.9 KiB
Text
##! Implements base functionality for SSH analysis. Generates the ssh.log file.
|
|
|
|
# Generated by binpac_quickstart
|
|
|
|
module SSH;
|
|
|
|
export {
|
|
redef enum Log::ID += { LOG };
|
|
|
|
type Info: record {
|
|
## Timestamp for when the event happened.
|
|
ts: time &log;
|
|
## Unique ID for the connection.
|
|
uid: string &log;
|
|
## The connection's 4-tuple of endpoint addresses/ports.
|
|
id: conn_id &log;
|
|
## The client's version string
|
|
client: string &log &optional;
|
|
## The server's version string
|
|
server: string &log &optional;
|
|
## The server's key fingerprint
|
|
host_key: string &log &optional;
|
|
## Auth result
|
|
result: string &log &optional;
|
|
## Auth method (password, pubkey, etc.)
|
|
method: string &log &optional;
|
|
};
|
|
|
|
## Event that can be handled to access the SSH record as it is sent on
|
|
## to the loggin framework.
|
|
global log_ssh: event(rec: Info);
|
|
}
|
|
|
|
redef record connection += {
|
|
ssh: Info &optional;
|
|
};
|
|
|
|
const ports = { 22/tcp };
|
|
|
|
event bro_init() &priority=5
|
|
{
|
|
Log::create_stream(SSH::LOG, [$columns=Info, $ev=log_ssh]);
|
|
Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, ports);
|
|
}
|
|
|
|
|
|
event ssh_server_version(c: connection, version: string)
|
|
{
|
|
if ( !c?$ssh )
|
|
{
|
|
local s: SSH::Info;
|
|
s$ts = network_time();
|
|
s$uid = c$uid;
|
|
s$id = c$id;
|
|
c$ssh = s;
|
|
}
|
|
c$ssh$server = version;
|
|
}
|
|
|
|
event ssh_client_version(c: connection, version: string)
|
|
{
|
|
if ( !c?$ssh )
|
|
{
|
|
local s: SSH::Info;
|
|
s$ts = network_time();
|
|
s$uid = c$uid;
|
|
s$id = c$id;
|
|
c$ssh = s;
|
|
}
|
|
c$ssh$client = version;
|
|
}
|
|
|
|
function determine_auth_method(middle_pkt_len: int, first_pkt_len: int): string
|
|
{
|
|
if ( middle_pkt_len == 96 )
|
|
return "password";
|
|
if ( ( middle_pkt_len == 32 ) && ( first_pkt_len == 0 || first_pkt_len == 48 ) )
|
|
return "challenge-response";
|
|
if ( ( first_pkt_len >= 112 ) && ( first_pkt_len <= 432 ) )
|
|
return "pubkey";
|
|
if ( first_pkt_len == 16 )
|
|
return "host-based";
|
|
return fmt("unknown (mid=%d, first=%d)", middle_pkt_len, first_pkt_len);
|
|
}
|
|
|
|
event ssh_auth_successful(c: connection, middle_pkt_len: int, first_pkt_len: int)
|
|
{
|
|
if ( !c?$ssh || ( c$ssh?$result && c$ssh$result == "success" ) )
|
|
return;
|
|
c$ssh$result = "success";
|
|
c$ssh$method = determine_auth_method(middle_pkt_len, first_pkt_len);
|
|
Log::write(SSH::LOG, c$ssh);
|
|
}
|
|
|
|
event ssh_auth_failed(c: connection, middle_pkt_len: int, first_pkt_len: int)
|
|
{
|
|
if ( !c?$ssh || ( c$ssh?$result && c$ssh$result == "success" ) )
|
|
return;
|
|
c$ssh$result = "failure";
|
|
c$ssh$method = determine_auth_method(middle_pkt_len, first_pkt_len);
|
|
Log::write(SSH::LOG, c$ssh);
|
|
}
|
|
|
|
event connection_closed(c: connection)
|
|
{
|
|
if ( c?$ssh && !c$ssh?$result )
|
|
{
|
|
c$ssh$result = "unknown";
|
|
Log::write(SSH::LOG, c$ssh);
|
|
}
|
|
}
|
|
|
|
event ssh_server_host_key(c: connection, key: string)
|
|
{
|
|
if ( !c?$ssh )
|
|
return;
|
|
local lx = str_split(md5_hash(key), vector(2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30));
|
|
lx[0] = "";
|
|
c$ssh$host_key = sub(join_string_vec(lx, ":"), /:/, "");
|
|
} |