Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-11 19:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/doc/scripts/base/bif/plugins/Bro_SSH.events.bif.bro.rst
Jon Siwek 7e9d48f532 Remove broxygen Sphinx integration 
The broxygen-generated files now live in the git repo, have tests
that check that they are up-to-date, and a script to re-generate
them on-demand.
2018-12-18 10:15:22 -06:00

330 lines
13 KiB
ReStructuredText
Raw Blame History

:tocdepth: 3
base/bif/plugins/Bro_SSH.events.bif.bro
=======================================
.. bro:namespace:: GLOBAL
:Namespace: GLOBAL
Summary
~~~~~~~
Events
######
================================================== ==================================================================
:bro:id:`ssh1_server_host_key`: :bro:type:`event` During the :abbr:`SSH (Secure Shell)` key exchange, the server
supplies its public host key.
:bro:id:`ssh2_dh_server_params`: :bro:type:`event` Generated if the connection uses a Diffie-Hellman Group Exchange
key exchange method.
:bro:id:`ssh2_ecc_key`: :bro:type:`event` The :abbr:`ECDH (Elliptic Curve Diffie-Hellman)` and
:abbr:`ECMQV (Elliptic Curve Menezes-Qu-Vanstone)` key exchange
algorithms use two ephemeral key pairs to generate a shared
secret.
:bro:id:`ssh2_gss_error`: :bro:type:`event` In the event of a GSS-API error on the server, the server MAY send
send an error message with some additional details.
:bro:id:`ssh2_server_host_key`: :bro:type:`event` During the :abbr:`SSH (Secure Shell)` key exchange, the server
supplies its public host key.
:bro:id:`ssh_auth_attempted`: :bro:type:`event` This event is generated when an :abbr:`SSH (Secure Shell)`
connection was determined to have had an authentication attempt.
:bro:id:`ssh_auth_successful`: :bro:type:`event` This event is generated when an :abbr:`SSH (Secure Shell)`
connection was determined to have had a successful
authentication.
:bro:id:`ssh_capabilities`: :bro:type:`event` During the initial :abbr:`SSH (Secure Shell)` key exchange, each
endpoint lists the algorithms that it supports, in order of
preference.
:bro:id:`ssh_client_version`: :bro:type:`event` An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
from the client.
:bro:id:`ssh_encrypted_packet`: :bro:type:`event` This event is generated when an :abbr:`SSH (Secure Shell)`
encrypted packet is seen.
:bro:id:`ssh_server_version`: :bro:type:`event` An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
from the server.
================================================== ==================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Events
######
.. bro:id:: ssh1_server_host_key
:Type: :bro:type:`event` (c: :bro:type:`connection`, p: :bro:type:`string`, e: :bro:type:`string`)
During the :abbr:`SSH (Secure Shell)` key exchange, the server
supplies its public host key. This event is generated when the
appropriate key exchange message is seen for SSH1.
:c: The connection over which the :abbr:`SSH (Secure Shell)`
connection took place.
:p: The prime for the server's public host key.
:e: The exponent for the serer's public host key.
.. bro:see:: ssh_server_version ssh_client_version
ssh_auth_successful ssh_auth_failed ssh_auth_result
ssh_auth_attempted ssh_capabilities ssh2_server_host_key
ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
ssh2_gss_error ssh2_ecc_key
.. bro:id:: ssh2_dh_server_params
:Type: :bro:type:`event` (c: :bro:type:`connection`, p: :bro:type:`string`, q: :bro:type:`string`)
Generated if the connection uses a Diffie-Hellman Group Exchange
key exchange method. This event contains the server DH parameters,
which are sent in the SSH_MSG_KEY_DH_GEX_GROUP message as defined in
:rfc:`4419#section-3`.
:c: The connection.
:p: The DH prime modulus.
:q: The DH generator.
.. bro:see:: ssh_server_version ssh_client_version
ssh_auth_successful ssh_auth_failed ssh_auth_result
ssh_auth_attempted ssh_capabilities ssh2_server_host_key
ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
ssh2_gss_error ssh2_ecc_key
.. bro:id:: ssh2_ecc_key
:Type: :bro:type:`event` (c: :bro:type:`connection`, is_orig: :bro:type:`bool`, q: :bro:type:`string`)
The :abbr:`ECDH (Elliptic Curve Diffie-Hellman)` and
:abbr:`ECMQV (Elliptic Curve Menezes-Qu-Vanstone)` key exchange
algorithms use two ephemeral key pairs to generate a shared
secret. This event is generated when either the client's or
server's ephemeral public key is seen. For more information, see:
:rfc:`5656#section-4`.
:c: The connection
:is_orig: Did this message come from the originator?
:q: The ephemeral public key
.. bro:see:: ssh_server_version ssh_client_version
ssh_auth_successful ssh_auth_failed ssh_auth_result
ssh_auth_attempted ssh_capabilities ssh2_server_host_key
ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
ssh2_dh_server_params ssh2_gss_error
.. bro:id:: ssh2_gss_error
:Type: :bro:type:`event` (c: :bro:type:`connection`, major_status: :bro:type:`count`, minor_status: :bro:type:`count`, err_msg: :bro:type:`string`)
In the event of a GSS-API error on the server, the server MAY send
send an error message with some additional details. This event is
generated when such an error message is seen. For more information,
see :rfc:`4462#section-2.1`.
:c: The connection.
:major_status: GSS-API major status code.
:minor_status: GSS-API minor status code.
:err_msg: Detailed human-readable error message
.. bro:see:: ssh_server_version ssh_client_version
ssh_auth_successful ssh_auth_failed ssh_auth_result
ssh_auth_attempted ssh_capabilities ssh2_server_host_key
ssh1_server_host_key ssh_server_host_key ssh_encrypted_packet
ssh2_dh_server_params ssh2_ecc_key
.. bro:id:: ssh2_server_host_key
:Type: :bro:type:`event` (c: :bro:type:`connection`, key: :bro:type:`string`)
During the :abbr:`SSH (Secure Shell)` key exchange, the server
supplies its public host key. This event is generated when the
appropriate key exchange message is seen for SSH2.
:c: The connection over which the :abbr:`SSH (Secure Shell)`
connection took place.
:key: The server's public host key. Note that this is the public key
itself, and not just the fingerprint or hash.
.. bro:see:: ssh_server_version ssh_client_version
ssh_auth_successful ssh_auth_failed ssh_auth_result
ssh_auth_attempted ssh_capabilities ssh1_server_host_key
ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
ssh2_gss_error ssh2_ecc_key
.. bro:id:: ssh_auth_attempted
:Type: :bro:type:`event` (c: :bro:type:`connection`, authenticated: :bro:type:`bool`)
This event is generated when an :abbr:`SSH (Secure Shell)`
connection was determined to have had an authentication attempt.
This determination is based on packet size analysis, and errs
on the side of caution - that is, if there's any doubt about
whether or not an authenication attempt occured, this event is
*not* raised.
At this point in the protocol, all we can determine is whether
or not the user is authenticated. We don't know if the particular
attempt succeeded or failed, since some servers require multiple
authentications (e.g. require both a password AND a pubkey), and
could return an authentication failed message which is marked
as a partial success.
This event will often be raised multiple times per connection.
In almost all connections, it will be raised once unless
:c: The connection over which the :abbr:`SSH (Secure Shell)`
connection took place.
:authenticated: This is true if the analyzer detected a
successful connection from the authentication attempt.
.. bro:see:: ssh_server_version ssh_client_version
ssh_auth_successful ssh_auth_failed ssh_auth_result
ssh_capabilities ssh2_server_host_key ssh1_server_host_key
ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
ssh2_gss_error ssh2_ecc_key
.. bro:id:: ssh_auth_successful
:Type: :bro:type:`event` (c: :bro:type:`connection`, auth_method_none: :bro:type:`bool`)
This event is generated when an :abbr:`SSH (Secure Shell)`
connection was determined to have had a successful
authentication. This determination is based on packet size
analysis, and errs on the side of caution - that is, if there's any
doubt about the authentication success, this event is *not* raised.
:c: The connection over which the :abbr:`SSH (Secure Shell)`
connection took place.
:auth_method_none: This is true if the analyzer detected a
successful connection before any authentication challenge. The
:abbr:`SSH (Secure Shell)` protocol provides a mechanism for
unauthenticated access, which some servers support.
.. bro:see:: ssh_server_version ssh_client_version ssh_auth_failed
ssh_auth_result ssh_auth_attempted ssh_capabilities
ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
ssh2_ecc_key
.. bro:id:: ssh_capabilities
:Type: :bro:type:`event` (c: :bro:type:`connection`, cookie: :bro:type:`string`, capabilities: :bro:type:`SSH::Capabilities`)
During the initial :abbr:`SSH (Secure Shell)` key exchange, each
endpoint lists the algorithms that it supports, in order of
preference. This event is generated for each endpoint, when the
SSH_MSG_KEXINIT message is seen. See :rfc:`4253#section-7.1` for
details.
:c: The connection over which the :abbr:`SSH (Secure Shell)`
connection took place.
:cookie: The SSH_MSG_KEXINIT cookie - a random value generated by
the sender.
:capabilities: The list of algorithms and languages that the sender
advertises support for, in order of preference.
.. bro:see:: ssh_server_version ssh_client_version
ssh_auth_successful ssh_auth_failed ssh_auth_result
ssh_auth_attempted ssh2_server_host_key ssh1_server_host_key
ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
ssh2_gss_error ssh2_ecc_key
.. bro:id:: ssh_client_version
:Type: :bro:type:`event` (c: :bro:type:`connection`, version: :bro:type:`string`)
An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
from the client. This contains an identification string that's used
for version identification. See :rfc:`4253#section-4.2` for
details.
:c: The connection over which the message was sent.
:version: The identification string
.. bro:see:: ssh_server_version ssh_auth_successful ssh_auth_failed
ssh_auth_result ssh_auth_attempted ssh_capabilities
ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
ssh2_ecc_key
.. bro:id:: ssh_encrypted_packet
:Type: :bro:type:`event` (c: :bro:type:`connection`, orig: :bro:type:`bool`, len: :bro:type:`count`)
This event is generated when an :abbr:`SSH (Secure Shell)`
encrypted packet is seen. This event is not handled by default, but
is provided for heuristic analysis scripts. Note that you have to set
:bro:id:`SSH::disable_analyzer_after_detection` to false to use this
event. This carries a performance penalty.
:c: The connection over which the :abbr:`SSH (Secure Shell)`
connection took place.
:orig: Whether the packet was sent by the originator of the TCP
connection.
:len: The length of the :abbr:`SSH (Secure Shell)` payload, in
bytes. Note that this ignores reassembly, as this is unknown.
.. bro:see:: ssh_server_version ssh_client_version
ssh_auth_successful ssh_auth_failed ssh_auth_result
ssh_auth_attempted ssh_capabilities ssh2_server_host_key
ssh1_server_host_key ssh_server_host_key ssh2_dh_server_params
ssh2_gss_error ssh2_ecc_key
.. bro:id:: ssh_server_version
:Type: :bro:type:`event` (c: :bro:type:`connection`, version: :bro:type:`string`)
An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
from the server. This contains an identification string that's used
for version identification. See :rfc:`4253#section-4.2` for
details.
:c: The connection over which the message was sent.
:version: The identification string
.. bro:see:: ssh_client_version ssh_auth_successful ssh_auth_failed
ssh_auth_result ssh_auth_attempted ssh_capabilities
ssh2_server_host_key ssh1_server_host_key ssh_server_host_key
ssh_encrypted_packet ssh2_dh_server_params ssh2_gss_error
ssh2_ecc_key
Reference in a new issue View git blame Copy permalink