base/protocols/ssh/main.bro

SSH

Base SSH analysis script. The heuristic to blindly determine success or failure for SSH connections is implemented here. At this time, it only uses the size of the data being returned from the server to make the heuristic determination about success of the connection. Requires that use_conn_size_analyzer is set to T! The heuristic is not attempted if the connection size analyzer isn’t enabled.

Namespace: SSH
Imports: base/frameworks/notice, base/protocols/conn, base/utils/conn-ids.bro, base/utils/directions-and-hosts.bro, base/utils/site.bro, base/utils/thresholds.bro
Source File: /scripts/base/protocols/ssh/main.bro

Summary

Options

SSH::authentication_data_size: count &redef The size in bytes of data sent by the server at which the SSH connection is presumed to be successful.
SSH::skip_processing_after_detection: bool &redef If true, we tell the event engine to not look at further data packets after the initial SSH handshake.

Types

SSH::Info: record

Redefinitions

Log::ID: enum The SSH protocol logging stream identifier.
connection: record
likely_server_ports: set &redef

Events

SSH::heuristic_failed_login: event Event that is generated when the heuristic thinks that a login failed.
SSH::heuristic_successful_login: event Event that is generated when the heuristic thinks that a login was successful.
SSH::log_ssh: event Event that can be handled to access the SSH::Info record as it is sent on to the logging framework.

Detailed Interface

Options

SSH::authentication_data_size
Type: count
Attributes: &redef
Default: 4000

The size in bytes of data sent by the server at which the SSH connection is presumed to be successful.

SSH::skip_processing_after_detection
Type: bool
Attributes: &redef
Default: F

If true, we tell the event engine to not look at further data packets after the initial SSH handshake. Helps with performance (especially with large file transfers) but precludes some kinds of analyses.

Types

SSH::Info
Type: record

ts: time &log

Time when the SSH connection began.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

status: string &log &default = "undetermined" &optional

Indicates if the login was heuristically guessed to be “success”, “failure”, or “undetermined”.

direction: Direction &log &optional

Direction of the connection. If the client was a local host logging into an external host, this would be OUTBOUND. INBOUND would be set for the opposite situation.

client: string &log &optional

Software string from the client.

server: string &log &optional

Software string from the server.

done: bool &default = F &optional

Indicates whether the SSH session is done being watched.

remote_location: geo_location &log &optional

(present if policy/protocols/ssh/geo-data.bro is loaded)

Add geographic data related to the “remote” host of the connection.

Events

SSH::heuristic_failed_login
Type: event (c: connection)

Event that is generated when the heuristic thinks that a login failed.

SSH::heuristic_successful_login
Type: event (c: connection)

Event that is generated when the heuristic thinks that a login was successful.

SSH::log_ssh
Type: event (rec: SSH::Info)

Event that can be handled to access the SSH::Info record as it is sent on to the logging framework.
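The following is an added example, not code from this page or from the Bro project: a site-local script that consumes the two heuristic events and tunes the two options documented above. It assumes Bro 2.x syntax, that the base script attaches the SSH::Info record to the connection as c$ssh (the connection record redefinition listed above), and the values 6000 bytes, 5 failures and 30 minutes are assumed, not recommended settings.

```bro
@load base/frameworks/notice
@load base/protocols/ssh
@load base/utils/site

module SSH;

export {
    redef enum Notice::Type += {
        ## Heuristic judged an SSH login from a non-local client successful.
        Successful_Login_From_External,
        ## A client reached the failed-login threshold.
        Repeated_Failed_Logins,
    };
    ## Failed logins per originator that trigger a notice (assumed value).
    const failed_login_threshold = 5 &redef;
}

# Require more server data before presuming success (shipped default is 4000).
redef SSH::authentication_data_size = 6000;
# Stop inspecting packets once a verdict is reached; cheaper on large transfers.
redef SSH::skip_processing_after_detection = T;

# Failures per client address; an entry expires 30 minutes after creation.
global failed_logins: table[addr] of count &create_expire=30min;

event SSH::heuristic_successful_login(c: connection)
    {
    # Only report clients outside Site::local_nets (base/utils/site.bro).
    if ( Site::is_local_addr(c$id$orig_h) )
        return;
    # c$ssh is the SSH::Info record set by the base script; client may be unset.
    local client_sw = ( c?$ssh && c$ssh?$client ) ? c$ssh$client : "<unknown>";
    NOTICE([$note=Successful_Login_From_External,
            $msg=fmt("SSH login from %s to %s presumed successful (client: %s)",
                     c$id$orig_h, c$id$resp_h, client_sw),
            $conn=c, $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }

event SSH::heuristic_failed_login(c: connection)
    {
    local src = c$id$orig_h;
    if ( src !in failed_logins )
        failed_logins[src] = 0;
    failed_logins[src] += 1;
    # Fires once, exactly when the count reaches the threshold.
    if ( failed_logins[src] == failed_login_threshold )
        NOTICE([$note=Repeated_Failed_Logins,
                $msg=fmt("%d heuristically failed SSH logins from %s",
                         failed_logins[src], src),
                $src=src, $identifier=cat(src)]);
    }
```

Because both notices set $identifier, the notice framework suppresses repeats for the same identifier for Notice::default_suppression_interval, so a noisy client produces one notice per interval rather than one per connection.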

Copyright 2013, The Bro Project. Last updated on June 15, 2015. Created using Sphinx 1.2.2.