base/bif/plugins/Zeek_SSH.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary

Events

ssh1_server_host_key: event

During the SSH key exchange, the server supplies its public host key.

ssh2_dh_server_params: event

Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method.

ssh2_ecc_key: event

The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret.

ssh2_gss_error: event

In the event of a GSS-API error on the server, the server MAY send send an error message with some additional details.

ssh2_server_host_key: event

During the SSH key exchange, the server supplies its public host key.

ssh_auth_attempted: event

This event is generated when an SSH connection was determined to have had an authentication attempt.

ssh_auth_successful: event

This event is generated when an SSH connection was determined to have had a successful authentication.

ssh_capabilities: event

During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference.

ssh_client_version: event

An SSH Protocol Version Exchange message from the client.

ssh_encrypted_packet: event

This event is generated when an SSH encrypted packet is seen.

ssh_server_host_key: event

During the SSH key exchange, the server supplies its public host key.

ssh_server_version: event

An SSH Protocol Version Exchange message from the server.

Detailed Interface

Events

ssh1_server_host_key
Type

event (c: connection, modulus: string, exponent: string)

During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH1.

C

The connection over which the SSH connection took place.

P

The exponent for the server’s public host key (note this parameter is truly the exponent even though named p and the exponent parameter will eventually replace it).

E

The prime modulus for the server’s public host key (note this parameter is truly the modulus even though named e and the modulus parameter will eventually replace it).

Modulus

The prime modulus of the server’s public host key.

Exponent

The exponent of the server’s public host key.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh2_dh_server_params
Type

event (c: connection, p: string, q: string)

Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method. This event contains the server DH parameters, which are sent in the SSH_MSG_KEY_DH_GEX_GROUP message as defined in RFC 4419#section-3.

C

The connection.

P

The DH prime modulus.

Q

The DH generator.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_gss_error, ssh2_ecc_key

ssh2_ecc_key
Type

event (c: connection, is_orig: bool, q: string)

The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret. This event is generated when either the client’s or server’s ephemeral public key is seen. For more information, see: RFC 5656#section-4.

C

The connection

Is_orig

Did this message come from the originator?

Q

The ephemeral public key

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error

ssh2_gss_error
Type

event (c: connection, major_status: count, minor_status: count, err_msg: string)

In the event of a GSS-API error on the server, the server MAY send send an error message with some additional details. This event is generated when such an error message is seen. For more information, see RFC 4462#section-2.1.

C

The connection.

Major_status

GSS-API major status code.

Minor_status

GSS-API minor status code.

Err_msg

Detailed human-readable error message

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_ecc_key

ssh2_server_host_key
Type

event (c: connection, key: string)

During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH2.

C

The connection over which the SSH connection took place.

Key

The server’s public host key. Note that this is the public key itself, and not just the fingerprint or hash.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_auth_attempted
Type

event (c: connection, authenticated: bool)

This event is generated when an SSH connection was determined to have had an authentication attempt. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about whether or not an authentication attempt occurred, this event is not raised.

At this point in the protocol, all we can determine is whether or not the user is authenticated. We don’t know if the particular attempt succeeded or failed, since some servers require multiple authentications (e.g. require both a password AND a pubkey), and could return an authentication failed message which is marked as a partial success.

This event will often be raised multiple times per connection. In almost all connections, it will be raised once unless

C

The connection over which the SSH connection took place.

Authenticated

This is true if the analyzer detected a successful connection from the authentication attempt.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_auth_successful
Type

event (c: connection, auth_method_none: bool)

This event is generated when an SSH connection was determined to have had a successful authentication. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about the authentication success, this event is not raised.

C

The connection over which the SSH connection took place.

Auth_method_none

This is true if the analyzer detected a successful connection before any authentication challenge. The SSH protocol provides a mechanism for unauthenticated access, which some servers support.

See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_capabilities
Type

event (c: connection, cookie: string, capabilities: SSH::Capabilities)

During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. This event is generated for each endpoint, when the SSH_MSG_KEXINIT message is seen. See RFC 4253#section-7.1 for details.

C

The connection over which the SSH connection took place.

Cookie

The SSH_MSG_KEXINIT cookie - a random value generated by the sender.

Capabilities

The list of algorithms and languages that the sender advertises support for, in order of preference.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_client_version
Type

event (c: connection, version: string)

An SSH Protocol Version Exchange message from the client. This contains an identification string that’s used for version identification. See RFC 4253#section-4.2 for details.

C

The connection over which the message was sent.

Version

The identification string

See also: ssh_server_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_encrypted_packet
Type

event (c: connection, orig: bool, len: count)

This event is generated when an SSH encrypted packet is seen. This event is not handled by default, but is provided for heuristic analysis scripts. Note that you have to set SSH::disable_analyzer_after_detection to false to use this event. This carries a performance penalty.

C

The connection over which the SSH connection took place.

Orig

Whether the packet was sent by the originator of the TCP connection.

Len

The length of the SSH payload, in bytes. Note that this ignores reassembly, as this is unknown.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_server_host_key
Type

event (c: connection, hash: string)

During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH1 or SSH2 and provides a fingerprint of the server’s host key.

C

The connection over which the SSH connection took place.

Hash

an MD5 hash fingerprint associated with the server’s host key. For SSH2, this is the hash of the “server public host key” string as seen on the wire in the Diffie-Hellman key exchange reply message (the string itself, excluding the 4-byte length associated with it), which is also the key parameter of ssh2_server_host_key For SSH1, this is the hash of the combined multiprecision integer strings representing the RSA1 key’s prime modulus and public exponent (concatenated in that order) as seen on the wire, which are also the parameters of ssh1_server_host_key. In either case, the hash is the same “fingerprint” string as presented by other traditional tools, ssh, ssh-keygen, etc, and is the hexadecimal representation of all 16 MD5 hash bytes delimited by colons.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_server_version
Type

event (c: connection, version: string)

An SSH Protocol Version Exchange message from the server. This contains an identification string that’s used for version identification. See RFC 4253#section-4.2 for details.

C

The connection over which the message was sent.

Version

The identification string

See also: ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key