mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
45 lines
1.3 KiB
Text
45 lines
1.3 KiB
Text
@load stepping
|
|
|
|
redef capture_filters += { ["ssh-stepping"] = "tcp port 22" };
|
|
|
|
module SSH_Stepping;
|
|
|
|
# Keeps track of how many connections each source is responsible for.
|
|
global ssh_src_cnt: table[addr] of count &default=0 &write_expire=15sec;
|
|
|
|
export {
|
|
# Threshold above which we stop analyzing a source.
|
|
# Use 0 to never stop.
|
|
global src_fanout_no_stp_analysis_thresh = 100 &redef;
|
|
}
|
|
|
|
event connection_established(c: connection)
|
|
{
|
|
if ( c$id$resp_p == ssh )
|
|
{
|
|
# No point recording these, and they're potentially huge
|
|
# due to use of ssh for file transfers.
|
|
set_record_packets(c$id, F);
|
|
|
|
# Keep track of sources that create lots of connections
|
|
# so we can skip analyzing them - they're very likely
|
|
# uninteresting for stepping stones, and can present
|
|
# a large state burden.
|
|
local src = c$id$orig_h;
|
|
if ( ++ssh_src_cnt[src] == src_fanout_no_stp_analysis_thresh )
|
|
add stp_skip_src[src];
|
|
|
|
if ( ssh_src_cnt[src] == 1 )
|
|
# First entry. It's possible this entry was set
|
|
# before and has now expired. If so, stop skipping it.
|
|
delete stp_skip_src[src];
|
|
}
|
|
}
|
|
|
|
event partial_connection(c: connection)
|
|
{
|
|
if ( c$id$orig_p == ssh || c$id$resp_p == ssh )
|
|
# No point recording these, and they're potentially huge
|
|
# due to use of ssh for file transfers.
|
|
set_record_packets(c$id, F);
|
|
}
|