
* origin/topic/vladg/bit-1641: Logic fix for ssh/main.bro when the auth status is indeterminate, and fix a test. Addresses BIT-1641. Clean up the logic for ssh_auth_failed. Addresses BIT-1641 Update baselines for adding a field to ssh.log as part of BIT-1641 Script-land changes for BIT-1641. Change SSH.cc to use ssh_auth_attempted instead of ssh_auth_failed. Addresses BIT-1641. Revert "Fixing duplicate SSH authentication failure events." Create new SSH events ssh_auth_attempt and ssh_auth_result. Add auth_attempts to SSH::Info. Address BIT-1641. I extended the tests a bit and did some small cleanups. I also moved the SSH events back to the global namespace for backwards compatibility and for consistency (the way it was at the moment, some of them were global some SSH::). Furthermore, I fixed the ssh_auth_result result event, it was only raised in the success case. ssh_auth_result is now also checked in the testcases. I also have a suspicion that the intel integration never really worked before. BIT-1641 #merged
# @TEST-EXEC: bro -C -r $TRACES/ssh/sshguess.pcap %INPUT | sort >output
# @TEST-EXEC: btest-diff output
# Records every SSH authentication attempt the analyzer reports for a
# connection, so the sorted btest baseline pins one line per attempt.
#
# c: the connection the attempt was seen on; only c$uid is printed.
# authenticated: the analyzer's verdict for this attempt.
# NOTE(review): SSH authentication happens inside the encrypted channel, so
# this verdict is presumably inferred rather than observed directly - treat
# T/F as a heuristic when building detections on top of it.
event ssh_auth_attempted(c: connection, authenticated: bool)
	{
	# Key the line on the connection uid so it can be correlated with ssh.log.
	local uid = c$uid;
	print "auth_attempted", uid, authenticated;
	}
# Records each ssh_auth_failed event by connection uid.
#
# c: the connection on which authentication was judged to have failed.
# Printing one line per event lets the baseline diff catch a failure event
# that goes missing or fires more than once for the same connection.
event ssh_auth_failed(c: connection)
	{
	local uid = c$uid;
	print "auth_failed", uid;
	}
# Records the final authentication outcome reported for a connection.
#
# c: the connection the outcome belongs to; only c$uid is printed.
# result: T or F as delivered by the event.
# auth_attempts: the attempt counter delivered with the event
#   (presumably the number of attempts seen on this connection - confirm
#   against the SSH scripts).
# The handler prints whatever it receives, so the baseline covers both the
# success and the failure case of this event.
event ssh_auth_result(c: connection, result: bool, auth_attempts: count)
	{
	local uid = c$uid;
	print "auth_result", uid, result, auth_attempts;
	}