Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/scripts/base/protocols/ssh
History
Arne Welzel 187096d4a4 ssh: Test for c$ssh$analyzer_id existence 
While unusual, analyzer_confirmation() may never be called for the
SSH analyzer, but still ssh_auth_attempted is invoked later indicating
successful authentication. I haven't checked how that is actually possible,
but seems prudent to check for the existence of c$ssh$analyzer_id before
referencing it (also in light of runtime enable/disabling of events).

This was found testing Tim's all-the-fuzzing branch on large system,
merging this should avoid oss-fuzz telling us about it.

    $ zeek -C -r ./e83db.pcap 'DPD::ignore_violations+={ Analyzer::ANALYZER_SSH }'
    1668610572.429058 expression error in scripts/base/protocols/ssh/./main.zeek, line 260: field value missing (SSH::c$ssh$analyzer_id)
2022-11-16 16:35:57 +01:00
..
__load__.zeek Rename all scripts to have ".zeek" file extension 2019-04-11 21:12:40 -05:00
dpd.sig Refactored the SSH analyzer. Added supported for algorithm detection and more key exchange message types. 2015-01-13 12:02:31 -05:00
main.zeek ssh: Test for c$ssh$analyzer_id existence 2022-11-16 16:35:57 +01:00
README Add missing documentation on the "Bro Package Index" page 2015-06-02 10:00:00 -05:00

README 

Support for SSH protocol analysis.