mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
aebcb1415d
* All "Broxygen" usages have been replaced in code, documentation, filenames, etc. * Sphinx roles/directives like ":bro:see" are now ":zeek:see" * The "--broxygen" command-line option is now "--zeexygen"
58 lines
1.5 KiB
Text
58 lines
1.5 KiB
Text
##! Geodata based detections for SSH analysis.
|
|
|
|
@load base/frameworks/notice
|
|
@load base/protocols/ssh
|
|
|
|
module SSH;
|
|
|
|
export {
|
|
redef enum Notice::Type += {
|
|
## If an SSH login is seen to or from a "watched" country based
|
|
## on the :zeek:id:`SSH::watched_countries` variable then this
|
|
## notice will be generated.
|
|
Watched_Country_Login,
|
|
};
|
|
|
|
redef record Info += {
|
|
## Add geographic data related to the "remote" host of the
|
|
## connection.
|
|
remote_location: geo_location &log &optional;
|
|
};
|
|
|
|
## The set of countries for which you'd like to generate notices upon
|
|
## successful login.
|
|
option watched_countries: set[string] = {"RO"};
|
|
}
|
|
|
|
function get_location(c: connection): geo_location
|
|
{
|
|
local lookup_ip = (c$ssh$direction == OUTBOUND) ? c$id$resp_h : c$id$orig_h;
|
|
return lookup_location(lookup_ip);
|
|
}
|
|
|
|
event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3
|
|
{
|
|
if ( ! c$ssh?$direction )
|
|
return;
|
|
|
|
if ( ! c$ssh?$remote_location )
|
|
return;
|
|
|
|
if ( c$ssh$remote_location?$country_code && c$ssh$remote_location$country_code in watched_countries )
|
|
{
|
|
NOTICE([$note=Watched_Country_Login,
|
|
$conn=c,
|
|
$msg=fmt("SSH login %s watched country: %s",
|
|
(c$ssh$direction == OUTBOUND) ? "to" : "from",
|
|
c$ssh$remote_location$country_code)]);
|
|
}
|
|
}
|
|
|
|
event ssh_auth_attempted(c: connection, authenticated: bool) &priority=3
|
|
{
|
|
if ( ! c$ssh?$direction )
|
|
return;
|
|
|
|
# Add the location data to the SSH record.
|
|
c$ssh$remote_location = get_location(c);
|
|
}
|