base/protocols/ssh/main.bro

SSH

Implements base functionality for SSH analysis. Generates the ssh.log file.

Namespace: SSH
Imports: base/utils/directions-and-hosts.bro
Source File: /scripts/base/protocols/ssh/main.bro

Summary

Options

SSH::compression_algorithms: set &redef The set of compression algorithms.
SSH::skip_processing_after_detection: bool &redef If true, we tell the event engine to not look at further data packets after the initial SSH handshake.

Types

SSH::Info: record  

Redefinitions

Log::ID: enum The SSH protocol logging stream identifier.
SSH::Info: record  
connection: record  
likely_server_ports: set &redef  

Events

SSH::log_ssh: event Event that can be handled to access the SSH record as it is sent on to the logging framework.
SSH::ssh_server_host_key: event Event that can be handled when the analyzer sees an SSH server host key.

Detailed Interface

Options

SSH::compression_algorithms
Type: set[string]
Attributes: &redef
Default:
{
   "zlib@openssh.com",
   "zlib"
}

The set of compression algorithms. When one of these has been negotiated, the analyzer can’t accurately determine authentication success or failure for that connection.

SSH::skip_processing_after_detection
Type: bool
Attributes: &redef
Default: T

If true, we tell the event engine to not look at further data packets after the initial SSH handshake. Helps with performance (especially with large file transfers) but precludes some kinds of analyses. Defaults to T.

Types

SSH::Info
Type:

record

ts: time &log

Time when the SSH connection began.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

version: count &log

SSH major version (1 or 2).

auth_success: bool &log &optional

Authentication result (T=success, F=failure, unset=unknown).

direction: Direction &log &optional

Direction of the connection. If the client was a local host logging into an external host, this would be OUTBOUND. INBOUND would be set for the opposite situation.

client: string &log &optional

The client’s version string.

server: string &log &optional

The server’s version string.

cipher_alg: string &log &optional

The encryption algorithm in use.

mac_alg: string &log &optional

The signing (MAC) algorithm in use.

compression_alg: string &log &optional

The compression algorithm in use.

kex_alg: string &log &optional

The key exchange algorithm in use.

host_key_alg: string &log &optional

The server host key’s algorithm.

host_key: string &log &optional

The server’s key fingerprint.

logged: bool &default = F &optional

num_failures: count &default = 0 &optional

capabilities: SSH::Capabilities &optional

remote_location: geo_location &log &optional

(present if policy/protocols/ssh/geo-data.bro is loaded)

Geographic data related to the “remote” host of the connection.
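The &log fields above are exactly what ends up in ssh.log. As an added example (not code from the Bro distribution), the following Python script parses such a log and applies three checks an analyst would want over it: failed INBOUND authentications per client address, connections whose auth result is unknown because one of the SSH::compression_algorithms was negotiated (so the unset auth_success must not be read as "no failure"), and servers that presented more than one host_key fingerprint. The log rows, addresses, uids and fingerprints are constructed; the column layout follows Bro's default ASCII writer (tab-separated, "-" for an unset &optional field).

```python
"""Offline checks over a Bro ssh.log, i.e. the &log fields of SSH::Info.

Added example, not part of the Bro distribution. SAMPLE_LOG is constructed
to match Bro's default ASCII writer layout: tab-separated columns, "#"-prefixed
metadata lines, and "-" for an unset &optional field."""
from collections import defaultdict

# &log fields of SSH::Info in declaration order; the conn_id record `id`
# is flattened by the writer into id.orig_h, id.orig_p, id.resp_h, id.resp_p.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "version", "auth_success", "direction", "client", "server",
          "cipher_alg", "mac_alg", "compression_alg", "kex_alg",
          "host_key_alg", "host_key"]

# Constructed rows: RFC 5737 addresses, made-up uids and fingerprints.
SRV, KEX = "SSH-2.0-OpenSSH_7.2", "diffie-hellman-group14-sha1"
ROWS = [
    ["1468000001.000000", "CA1", "203.0.113.7", "51000", "192.0.2.10", "22", "2", "F",
     "INBOUND", "SSH-2.0-libssh", SRV, "aes128-ctr", "hmac-sha1", "none", KEX, "ssh-rsa", "2b:a3:8c:1e"],
    ["1468000002.000000", "CA2", "203.0.113.7", "51001", "192.0.2.10", "22", "2", "F",
     "INBOUND", "SSH-2.0-libssh", SRV, "aes128-ctr", "hmac-sha1", "none", KEX, "ssh-rsa", "2b:a3:8c:1e"],
    ["1468000003.000000", "CA3", "203.0.113.7", "51002", "192.0.2.10", "22", "2", "T",
     "INBOUND", "SSH-2.0-libssh", SRV, "aes128-ctr", "hmac-sha1", "none", KEX, "ssh-rsa", "2b:a3:8c:1e"],
    # Outbound, compression negotiated, auth result unset ("-").
    ["1468000004.000000", "CA4", "192.0.2.20", "40000", "198.51.100.5", "22", "2", "-",
     "OUTBOUND", SRV, "SSH-2.0-OpenSSH_6.6", "aes256-ctr", "hmac-sha2-256", "zlib@openssh.com",
     "curve25519-sha256@libssh.org", "ssh-ed25519", "77:90:ab:cd"],
    # Auth unknown without compression, and no host key seen at all.
    ["1468000005.000000", "CA5", "203.0.113.9", "52000", "192.0.2.10", "22", "2", "-",
     "INBOUND", "SSH-2.0-PuTTY_Release_0.67", SRV, "aes128-ctr", "hmac-sha1", "none", KEX, "-", "-"],
    # Same server as CA1-CA3 but a different host key fingerprint.
    ["1468000006.000000", "CA6", "203.0.113.9", "52001", "192.0.2.10", "22", "2", "T",
     "INBOUND", "SSH-2.0-PuTTY_Release_0.67", SRV, "aes128-ctr", "hmac-sha1", "none", KEX, "ssh-rsa", "f0:0d:be:ef"],
]
SAMPLE_LOG = "\n".join(
    ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
     "#unset_field\t-", "#path\tssh", "#open\t2016-07-19-00-00-00",
     "#fields\t" + "\t".join(FIELDS)]
    + ["\t".join(r) for r in ROWS]
    + ["#close\t2016-07-19-00-00-01"]) + "\n"


def parse_bro_log(text):
    """Return one dict per data line, keyed by the #fields header; unset
    fields become None. Assumes the default tab separator."""
    fields, unset, records = None, "-", []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue  # #separator, #path, #open, #close, ... are skipped
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: " + line)
        records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return records


def auth_result(rec):
    """auth_success as logged: True (T), False (F), or None when unset."""
    return {"T": True, "F": False}.get(rec["auth_success"])


def inbound_failures_by_source(records):
    """Number of INBOUND connections with a failed authentication, per client address."""
    counts = defaultdict(int)
    for rec in records:
        if rec["direction"] == "INBOUND" and auth_result(rec) is False:
            counts[rec["id.orig_h"]] += 1
    return dict(counts)


COMPRESSION_ALGORITHMS = frozenset({"zlib@openssh.com", "zlib"})  # SSH::compression_algorithms default


def unknown_due_to_compression(records):
    """UIDs whose auth result is unset *and* a compression algorithm was
    negotiated: the analyzer cannot judge the outcome once the channel is
    compressed, so these must not be counted as successes or failures."""
    return [rec["uid"] for rec in records
            if auth_result(rec) is None and rec["compression_alg"] in COMPRESSION_ALGORITHMS]


def servers_with_changed_host_key(records):
    """Server address -> set of host_key fingerprints, keeping only servers
    that presented more than one (rebuilt host, or a man-in-the-middle)."""
    seen = defaultdict(set)
    for rec in records:
        if rec["host_key"] is not None:
            seen[rec["id.resp_h"]].add(rec["host_key"])
    return {host: fps for host, fps in seen.items() if len(fps) > 1}


if __name__ == "__main__":
    recs = parse_bro_log(SAMPLE_LOG)
    print("inbound failures by source:", inbound_failures_by_source(recs))
    print("auth unknown because compressed:", unknown_due_to_compression(recs))
    print("servers with changed host key:", servers_with_changed_host_key(recs))
```

Run against a real ssh.log by replacing SAMPLE_LOG with the file's contents; the parser keys columns by the #fields header rather than by position, so it also copes with logs that carry extra columns such as remote_location from geo-data.bro.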

Events

SSH::log_ssh
Type: event (rec: SSH::Info)

Event that can be handled to access the SSH record as it is sent on to the logging framework.

SSH::ssh_server_host_key
Type: event (c: connection, hash: string)

Event that can be handled when the analyzer sees an SSH server host key. This abstracts ssh1_server_host_key and ssh2_server_host_key.

Copyright 2013, The Bro Project. Last updated on July 19, 2016. Created using Sphinx 1.4.4.