base/protocols/ssh/main.bro
SSH
Base SSH analysis script. The heuristic to blindly determine success or
failure for SSH connections is implemented here. At this time, it only
uses the size of the data being returned from the server to make the
heuristic determination about success of the connection.
Requires that use_conn_size_analyzer is set to T! The heuristic
is not attempted if the connection size analyzer isn’t enabled.
Detailed Interface
Options
SSH::authentication_data_size
    The size in bytes of data sent by the server at which the SSH
    connection is presumed to be successful.

SSH::skip_processing_after_detection
    If true, we tell the event engine to not look at further data
    packets after the initial SSH handshake. Helps with performance
    (especially with large file transfers) but precludes some
    kinds of analyses.

Events
SSH::heuristic_failed_login
    Event that is generated when the heuristic thinks that a login
    failed.

SSH::heuristic_successful_login
    Event that is generated when the heuristic thinks that a login
    was successful.

SSH::log_ssh
    Event that can be handled to access the SSH::Info
    record as it is sent on to the logging framework.
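
The following is an added example, not part of the Bro distribution, showing one way to consume the two heuristic events: it counts presumed failures per originator and reports a presumed success that follows a run of them. It assumes both events take a single `c: connection` argument; the module name, threshold, expiry interval and table are hypothetical.

```bro
@load base/protocols/ssh

# The heuristic is not attempted unless the connection size analyzer is on.
redef use_conn_size_analyzer = T;

module SSHGuessExample;   # hypothetical module name for this example

export {
	# Hypothetical threshold: presumed failures from one originator
	# before a later presumed success is worth reporting.
	const failed_threshold = 5 &redef;
}

# Presumed failures per originator. Entries age out 30 minutes after
# creation (interval chosen for this example) so old activity is forgotten.
global failed_logins: table[addr] of count &create_expire=30 mins;

event SSH::heuristic_failed_login(c: connection)
	{
	local orig = c$id$orig_h;

	if ( orig !in failed_logins )
		failed_logins[orig] = 0;

	++failed_logins[orig];
	}

event SSH::heuristic_successful_login(c: connection)
	{
	local orig = c$id$orig_h;

	# Both events are guesses based only on how much data the server
	# sent, so this is a lead to verify against host logs, not proof.
	if ( orig in failed_logins && failed_logins[orig] >= failed_threshold )
		print fmt("%s: presumed SSH login to %s after %d presumed failures",
		          orig, c$id$resp_h, failed_logins[orig]);
	}
```

Because the classification depends on SSH::authentication_data_size, a server that sends an unusually large pre-authentication banner can be misjudged as a success; tune the option per site before relying on the output.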