mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 22:58:20 +00:00
daa9537f92
In 3769ed6c66 we added handling for SSH version 1.99 which unsed a SSH
version of 0 to indicate weird cases where no version could be
determined.
This patch is a fixup for that patch. Instead of using a magic version
of 0 we now use an `&optional` version value. If no SSH version can be
extracted the version will be unset; additionally a `conn_weird` event
will be raised.
Closes #1590.
117 lines
2.6 KiB
Text
117 lines
2.6 KiB
Text
# @TEST-EXEC: zeek -b %INPUT >output
|
|
# @TEST-EXEC: btest-diff output
|
|
|
|
@load base/bif/event.bif.zeek
|
|
@load base/protocols/ssh
|
|
|
|
module SSH;
|
|
|
|
# Creates a mock connection. This connection is good enough for e.g.,
|
|
# `SSH::set_version`, but not in line with what Zeek considers active
|
|
# connections.
|
|
function make_conn(server: string, client: string): connection
|
|
{
|
|
local c: connection;
|
|
c$uid = "uid";
|
|
|
|
local id: conn_id;
|
|
id$orig_h = 127.0.0.1;
|
|
id$resp_h = 127.0.0.1;
|
|
id$orig_p = 40/tcp;
|
|
id$resp_p = 40/tcp;
|
|
c$id = id;
|
|
|
|
local ssh: SSH::Info;
|
|
ssh$ts = network_time();
|
|
ssh$server = server;
|
|
ssh$client = client;
|
|
c$ssh = ssh;
|
|
|
|
SSH::set_session(c);
|
|
|
|
delete c$ssh$version;
|
|
return c;
|
|
}
|
|
|
|
# While `SSH::set_version` triggers a `conn_weird` we are dealing with mock
|
|
# connections which since they are injected are always considered expired by
|
|
# Zeek.
|
|
event expired_conn_weird(name: string, id: conn_id, uid: string, addl: string, source: string)
|
|
{
|
|
print "conn_weird:", name, id, addl, source;
|
|
}
|
|
|
|
const v1 = "SSH-1.5-OpenSSH_6.2";
|
|
const v199 = "SSH-1.99-OpenSSH_3.1p1";
|
|
const v2 = "SSH-2.0-OpenSSH_5.9";
|
|
|
|
event zeek_init()
|
|
{
|
|
local c: connection;
|
|
|
|
# Good cases.
|
|
{
|
|
# SSH1 vs SSH1 -> 1.
|
|
c = make_conn(v1, v1);
|
|
SSH::set_version(c);
|
|
print "SSH1 vs SSH1", c$ssh$version;
|
|
|
|
# SSH199 vs SSH1 -> 1.
|
|
c = make_conn(v1, v199);
|
|
SSH::set_version(c);
|
|
print "SSH199 vs SSH1", c$ssh$version; # 1.
|
|
|
|
# SSH2 vs SSH2 -> 2.
|
|
c = make_conn(v2, v2);
|
|
SSH::set_version(c);
|
|
print "SSH2 vs SSH2", c$ssh$version; # 2.
|
|
|
|
# SSH199 vs SSH2 -> 2.
|
|
c = make_conn(v2, v199);
|
|
SSH::set_version(c);
|
|
print "SSH199 vs SSH2", c$ssh$version; # 2.
|
|
}
|
|
|
|
# Error cases.
|
|
{
|
|
# Unset vs unset -> unset.
|
|
c = make_conn("", "");
|
|
c$ssh$version = 42;
|
|
SSH::set_version(c);
|
|
print "unset vs unset", c$ssh?$version; # Unset.
|
|
|
|
# Client unset.
|
|
c = make_conn(v2, "");
|
|
c$ssh$version = 42;
|
|
SSH::set_version(c);
|
|
print "client unset", c$ssh?$version; # Unset.
|
|
|
|
# Server unset.
|
|
c = make_conn("", v2);
|
|
c$ssh$version = 42;
|
|
SSH::set_version(c);
|
|
print "server unset", c$ssh?$version; # Unset.
|
|
|
|
# Unable to extract full server version.
|
|
c = make_conn("SSH", v1);
|
|
c$ssh$version = 42;
|
|
SSH::set_version(c);
|
|
print "incomplete server version", c$ssh?$version;
|
|
|
|
# Unable to extract full client version.
|
|
c = make_conn(v1, "SSH");
|
|
c$ssh$version = 42;
|
|
SSH::set_version(c);
|
|
print "incomplete client version", c$ssh?$version;
|
|
|
|
# SSH1 vs SSH2.
|
|
c = make_conn(v1, v2);
|
|
SSH::set_version(c);
|
|
print "SSH1 vs SSH2", c$ssh?$version; # Unset.
|
|
|
|
# SSH2 vs SSH1.
|
|
c = make_conn(v2, v1);
|
|
SSH::set_version(c);
|
|
print "SSH2 vs SSH1", c$ssh?$version; # Unset.
|
|
}
|
|
}
|