mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 07:08:19 +00:00
8ce746cc25
* origin/topic/vladg/bit-1641: Logic fix for ssh/main.bro when the auth status is indeterminate, and fix a test. Addresses BIT-1641. Clean up the logic for ssh_auth_failed. Addresses BIT-1641 Update baselines for adding a field to ssh.log as part of BIT-1641 Script-land changes for BIT-1641. Change SSH.cc to use ssh_auth_attempted instead of ssh_auth_failed. Addresses BIT-1641. Revert "Fixing duplicate SSH authentication failure events." Create new SSH events ssh_auth_attempt and ssh_auth_result. Add auth_attempts to SSH::Info. Address BIT-1641. I extended the tests a bit and did some small cleanups. I also moved the SSH events back to the global namespace for backwards compatibility and for consistency (the way it was at the moment, some of them were global some SSH::). Furthermore, I fixed the ssh_auth_result result event, it was only raised in the success case. ssh_auth_result is now also checked in the testcases. I also have a suspicion that the intel integration never really worked before. BIT-1641 #merged
12 lines
295 B
Text
12 lines
295 B
Text
@load base/frameworks/intel
|
|
@load base/protocols/ssh
|
|
@load ./where-locations
|
|
|
|
event ssh_server_host_key(c: connection, hash: string)
|
|
{
|
|
local seen = Intel::Seen($indicator=hash,
|
|
$indicator_type=Intel::PUBKEY_HASH,
|
|
$conn=c,
|
|
$where=SSH::IN_SERVER_HOST_KEY);
|
|
Intel::seen(seen);
|
|
}
|