base/bif/plugins/Zeek_SSH.events.bif.zeek

GLOBAL
Namespace:GLOBAL

Summary

Events

ssh1_server_host_key: event During the SSH key exchange, the server supplies its public host key.
ssh2_dh_server_params: event Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method.
ssh2_ecc_key: event The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret.
ssh2_gss_error: event In the event of a GSS-API error on the server, the server MAY send an error message with some additional details.
ssh2_server_host_key: event During the SSH key exchange, the server supplies its public host key.
ssh_auth_attempted: event This event is generated when an SSH connection was determined to have had an authentication attempt.
ssh_auth_successful: event This event is generated when an SSH connection was determined to have had a successful authentication.
ssh_capabilities: event During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference.
ssh_client_version: event An SSH Protocol Version Exchange message from the client.
ssh_encrypted_packet: event This event is generated when an SSH encrypted packet is seen.
ssh_server_host_key: event During the SSH key exchange, the server supplies its public host key.
ssh_server_version: event An SSH Protocol Version Exchange message from the server.

Detailed Interface

Events

ssh1_server_host_key
Type:event (c: connection, p: string &deprecated = "Remove in v4.1", e: string &deprecated = "Remove in v4.1", modulus: string, exponent: string)
Type:event (c: connection, modulus: string, exponent: string)
Type:event (c: connection, p: string, e: string)

During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH1.

C:The connection over which the SSH connection took place.
P:The exponent for the server’s public host key (note this parameter is truly the exponent even though named p and the exponent parameter will eventually replace it).
E:The prime modulus for the server’s public host key (note this parameter is truly the modulus even though named e and the modulus parameter will eventually replace it).
Modulus:The prime modulus of the server’s public host key.
Exponent:The exponent of the server’s public host key.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh2_dh_server_params
Type:event (c: connection, p: string, q: string)

Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method. This event contains the server DH parameters, which are sent in the SSH_MSG_KEY_DH_GEX_GROUP message as defined in RFC 4419, section 3.

C:The connection.
P:The DH prime modulus.
Q:The DH generator.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_gss_error, ssh2_ecc_key

ssh2_ecc_key
Type:event (c: connection, is_orig: bool, q: string)

The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret. This event is generated when either the client’s or server’s ephemeral public key is seen. For more information, see RFC 5656, section 4.

C:The connection
Is_orig:Did this message come from the originator?
Q:The ephemeral public key

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error

ssh2_gss_error
Type:event (c: connection, major_status: count, minor_status: count, err_msg: string)

In the event of a GSS-API error on the server, the server MAY send an error message with some additional details. This event is generated when such an error message is seen. For more information, see RFC 4462, section 2.1.

C:The connection.
Major_status:GSS-API major status code.
Minor_status:GSS-API minor status code.
Err_msg:Detailed human-readable error message

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_ecc_key

ssh2_server_host_key
Type:event (c: connection, key: string)

During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH2.

C:The connection over which the SSH connection took place.
Key:The server’s public host key. Note that this is the public key itself, and not just the fingerprint or hash.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_auth_attempted
Type:event (c: connection, authenticated: bool)

This event is generated when an SSH connection was determined to have had an authentication attempt. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about whether or not an authentication attempt occurred, this event is not raised.

At this point in the protocol, all we can determine is whether or not the user is authenticated. We don’t know if the particular attempt succeeded or failed, since some servers require multiple authentications (e.g. require both a password AND a pubkey), and could return an authentication failed message which is marked as a partial success.

This event will often be raised multiple times per connection. In almost all connections, it will be raised once unless

C:The connection over which the SSH connection took place.
Authenticated:This is true if the analyzer detected a successful connection from the authentication attempt.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_auth_successful
Type:event (c: connection, auth_method_none: bool)

This event is generated when an SSH connection was determined to have had a successful authentication. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about the authentication success, this event is not raised.

C:The connection over which the SSH connection took place.
Auth_method_none:This is true if the analyzer detected a successful connection before any authentication challenge. The SSH protocol provides a mechanism for unauthenticated access, which some servers support.

See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key
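The following Zeek script is an added example of how the two authentication events above can be consumed; it is not part of Zeek's own SSH scripts. It assumes the Notice framework is loaded and the event signatures documented here. The notice type names and the attempt threshold are constructed for the example.

```zeek
# Added example: watch SSH authentication events and raise notices.
# Not part of Zeek's base SSH scripts; notice names and threshold are constructed.
@load base/frameworks/notice
@load base/protocols/ssh

module SSHAuthWatch;

export {
	redef enum Notice::Type += {
		## A server accepted a session without any authentication challenge
		## (ssh_auth_successful with auth_method_none = T).
		Unauthenticated_Login,
		## One connection carried an unusually large number of authentication attempts.
		Excessive_Auth_Attempts,
	};

	## Attempts on a single connection before Excessive_Auth_Attempts is raised.
	## Constructed default; tune for the environment.
	const attempt_threshold = 5 &redef;
}

# Per-connection attempt counter; entries are removed when connection state is dropped.
global attempts: table[conn_id] of count &default=0;

event ssh_auth_attempted(c: connection, authenticated: bool)
	{
	# &default=0 makes the first read return 0, so this also creates the entry.
	attempts[c$id] = attempts[c$id] + 1;

	# Fire once per connection, exactly when the threshold is reached.
	if ( attempts[c$id] == attempt_threshold )
		NOTICE([$note=Excessive_Auth_Attempts,
		        $msg=fmt("%d SSH authentication attempts on one connection from %s",
		                 attempts[c$id], c$id$orig_h),
		        $conn=c,
		        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}

event ssh_auth_successful(c: connection, auth_method_none: bool)
	{
	# A session accepted via the "none" method is worth reviewing on most servers.
	if ( auth_method_none )
		NOTICE([$note=Unauthenticated_Login,
		        $msg=fmt("SSH server %s accepted a session with the 'none' auth method", c$id$resp_h),
		        $conn=c,
		        $identifier=cat(c$id$resp_h, c$id$resp_p)]);
	}

event connection_state_remove(c: connection)
	{
	# Deleting a missing index is a no-op in Zeek, so no existence check is needed.
	delete attempts[c$id];
	}
```

Because ssh_auth_attempted cannot tell success from failure on its own (see the note above about partial success), the counter treats every attempt alike; the authenticated flag is left unused here on purpose.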

ssh_capabilities
Type:event (c: connection, cookie: string, capabilities: SSH::Capabilities)

During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. This event is generated for each endpoint, when the SSH_MSG_KEXINIT message is seen. See RFC 4253, section 7.1 for details.

C:The connection over which the SSH connection took place.
Cookie:The SSH_MSG_KEXINIT cookie - a random value generated by the sender.
Capabilities:The list of algorithms and languages that the sender advertises support for, in order of preference.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key
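An added example handler for ssh_capabilities that inventories weak algorithms an endpoint advertises. This is not Zeek's own code. It assumes the SSH::Capabilities record layout from Zeek's init-bare.zeek (kex_algorithms as a string vector; encryption_algorithms and mac_algorithms as SSH::Algorithm_Prefs records with optional client_to_server and server_to_client vectors). The weak-algorithm lists and notice name are constructed for the example.

```zeek
# Added example: flag weak algorithms advertised in SSH_MSG_KEXINIT.
# Not part of Zeek's base SSH scripts; watch lists and notice name are constructed.
@load base/frameworks/notice
@load base/protocols/ssh

module SSHWeakAlgos;

export {
	redef enum Notice::Type += {
		## An SSH endpoint advertised an algorithm from the weak list.
		Weak_Algorithm_Offered,
	};

	## Constructed watch lists; extend to match local policy.
	const weak_kex: set[string] = {
		"diffie-hellman-group1-sha1",
		"diffie-hellman-group-exchange-sha1",
	} &redef;

	const weak_ciphers: set[string] = {
		"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc",
	} &redef;

	const weak_macs: set[string] = {
		"hmac-md5", "hmac-md5-96", "hmac-sha1-96",
	} &redef;
}

# Return the entries of `offered` that appear in `weak`, preserving preference order.
function find_weak(offered: string_vec, weak: set[string]): string_vec
	{
	local hits: string_vec = vector();
	for ( i in offered )
		if ( offered[i] in weak )
			hits[|hits|] = offered[i];
	return hits;
	}

function report(c: connection, who: string, kind: string, hits: string_vec)
	{
	if ( |hits| == 0 )
		return;

	NOTICE([$note=Weak_Algorithm_Offered,
	        $msg=fmt("SSH %s offered weak %s algorithm(s): %s",
	                 who, kind, join_string_vec(hits, ",")),
	        $conn=c,
	        # Suppress repeats per server/role/kind rather than per connection.
	        $identifier=cat(c$id$resp_h, who, kind)]);
	}

event ssh_capabilities(c: connection, cookie: string, capabilities: SSH::Capabilities)
	{
	# The same event fires for both endpoints; is_server tells them apart.
	local who = capabilities$is_server ? "server" : "client";

	report(c, who, "kex", find_weak(capabilities$kex_algorithms, weak_kex));

	# Cipher and MAC preferences are listed per direction; the fields are &optional
	# in the assumed record layout, so check presence before reading.
	if ( capabilities$encryption_algorithms?$client_to_server )
		report(c, who, "cipher",
		       find_weak(capabilities$encryption_algorithms$client_to_server, weak_ciphers));

	if ( capabilities$mac_algorithms?$client_to_server )
		report(c, who, "mac",
		       find_weak(capabilities$mac_algorithms$client_to_server, weak_macs));
	}
```

Only the client-to-server direction is checked above to keep the example short; the server-to-client vectors are handled identically.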

ssh_client_version
Type:event (c: connection, version: string)

An SSH Protocol Version Exchange message from the client. This contains an identification string that’s used for version identification. See RFC 4253, section 4.2 for details.

C:The connection over which the message was sent.
Version:The identification string

See also: ssh_server_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_encrypted_packet
Type:event (c: connection, orig: bool, len: count)

This event is generated when an SSH encrypted packet is seen. This event is not handled by default, but is provided for heuristic analysis scripts. Note that you have to set SSH::disable_analyzer_after_detection to false to use this event. This carries a performance penalty.

C:The connection over which the SSH connection took place.
Orig:Whether the packet was sent by the originator of the TCP connection.
Len:The length of the SSH payload, in bytes. Note that this ignores reassembly, as this is unknown.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key
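An added example of the kind of heuristic script ssh_encrypted_packet is meant for; it is not Zeek's own code. It shows the required redef of SSH::disable_analyzer_after_detection and then tallies encrypted payload bytes per direction. The record type, table name and the size ratio used as a heuristic are constructed for the example.

```zeek
# Added example: per-direction byte accounting over ssh_encrypted_packet.
# Not part of Zeek's base SSH scripts; the Dir_Stats record and threshold are constructed.
@load base/protocols/ssh

module SSHPacketStats;

# Required: keep the SSH analyzer attached after protocol detection so that
# ssh_encrypted_packet keeps firing. This costs CPU on busy sensors.
redef SSH::disable_analyzer_after_detection = F;

type Dir_Stats: record {
	orig_pkts: count &default=0;
	orig_bytes: count &default=0;
	resp_pkts: count &default=0;
	resp_bytes: count &default=0;
};

global stats: table[conn_id] of Dir_Stats;

event ssh_encrypted_packet(c: connection, orig: bool, len: count)
	{
	if ( c$id !in stats )
		stats[c$id] = Dir_Stats();

	# Records have reference semantics, so updates through `s` modify the table entry.
	local s = stats[c$id];
	if ( orig )
		{
		++s$orig_pkts;
		s$orig_bytes += len;
		}
	else
		{
		++s$resp_pkts;
		s$resp_bytes += len;
		}
	}

event connection_state_remove(c: connection)
	{
	if ( c$id !in stats )
		return;

	local s = stats[c$id];

	# Constructed heuristic: a session in which the server sent an order of
	# magnitude more encrypted payload than the client looks like a bulk
	# server-to-client transfer rather than an interactive shell.
	if ( s$resp_bytes > 1000000 && s$resp_bytes > 10 * s$orig_bytes )
		print fmt("%s -> %s: large server-to-client SSH transfer (%d bytes in %d packets)",
		          c$id$orig_h, c$id$resp_h, s$resp_bytes, s$resp_pkts);

	delete stats[c$id];
	}
```

The `len` values are per-packet payload lengths as described above, not reassembled stream sizes, so the totals are an approximation suited to ratios rather than exact accounting.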

ssh_server_host_key
Type:event (c: connection, hash: string)

During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH1 or SSH2 and provides a fingerprint of the server’s host key.

C:The connection over which the SSH connection took place.
Hash:An MD5 hash fingerprint associated with the server’s host key. For SSH2, this is the hash of the “server public host key” string as seen on the wire in the Diffie-Hellman key exchange reply message (the string itself, excluding the 4-byte length prefix), which is also the key parameter of ssh2_server_host_key. For SSH1, this is the hash of the combined multiprecision integer strings representing the RSA1 key’s prime modulus and public exponent (concatenated in that order) as seen on the wire, which are also the parameters of ssh1_server_host_key. In either case, the hash is the same “fingerprint” string as presented by other traditional tools (ssh, ssh-keygen, etc.): the hexadecimal representation of all 16 MD5 hash bytes, delimited by colons.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key
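An added example that uses the fingerprint from ssh_server_host_key to detect a server whose host key changes between sessions; it is not Zeek's own code. The in-memory table, expiry interval and notice name are constructed for the example, and a multi-worker deployment would need shared rather than per-process state.

```zeek
# Added example: alert when a server's SSH host-key fingerprint changes.
# Not part of Zeek's base SSH scripts; table, expiry and notice name are constructed.
@load base/frameworks/notice
@load base/protocols/ssh

module SSHHostKeyWatch;

export {
	redef enum Notice::Type += {
		## A server presented a host-key fingerprint different from the one seen before.
		Host_Key_Changed,
	};
}

# Last fingerprint seen per server endpoint (address and port). Entries age
# out after the constructed interval so a decommissioned host does not linger.
global seen_keys: table[addr, port] of string &create_expire=30days;

event ssh_server_host_key(c: connection, hash: string)
	{
	local h = c$id$resp_h;
	local p = c$id$resp_p;

	# First sighting: record and move on.
	if ( [h, p] !in seen_keys )
		{
		seen_keys[h, p] = hash;
		return;
		}

	if ( seen_keys[h, p] != hash )
		{
		NOTICE([$note=Host_Key_Changed,
		        $msg=fmt("SSH host key for %s:%s changed from %s to %s",
		                 h, p, seen_keys[h, p], hash),
		        $conn=c,
		        # One notice per new fingerprint, not per connection.
		        $identifier=cat(h, p, hash)]);

		# Adopt the new key so later connections are judged against it.
		seen_keys[h, p] = hash;
		}
	}
```

Both SSH1 and SSH2 sessions feed the same handler, since the event provides the fingerprint in the same colon-delimited MD5 form for either version.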

ssh_server_version
Type:event (c: connection, version: string)

An SSH Protocol Version Exchange message from the server. This contains an identification string that’s used for version identification. See RFC 4253, section 4.2 for details.

C:The connection over which the message was sent.
Version:The identification string

See also: ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key
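An added example covering both ssh_client_version and ssh_server_version: it parses the identification string into its RFC 4253 section 4.2 fields and raises a notice when an endpoint announces a 1.x protocol version. This is not Zeek's own code; the Ident record, helper function names and notice name are constructed for the example.

```zeek
# Added example: parse the SSH identification string and flag legacy versions.
# Not part of Zeek's base SSH scripts; record, helpers and notice name are constructed.
@load base/frameworks/notice
@load base/protocols/ssh

module SSHVersionWatch;

export {
	redef enum Notice::Type += {
		## An endpoint identified itself as SSH protocol 1.x (including 1.99).
		Legacy_Protocol_Version,
	};
}

type Ident: record {
	protoversion: string;
	softwareversion: string;
	comments: string &optional;
};

# Split "SSH-protoversion-softwareversion [SP comments]" (RFC 4253 section 4.2).
# Returns empty protoversion/softwareversion if the string is not in that shape.
function parse_ident(version: string): Ident
	{
	local r = Ident($protoversion="", $softwareversion="");

	# Split on at most two dashes: "SSH", protoversion, softwareversion[ comments].
	# Dashes inside the software version or comments are therefore preserved.
	local parts = split_string_n(version, /-/, F, 2);
	if ( |parts| < 3 || parts[0] != "SSH" )
		return r;

	r$protoversion = parts[1];

	# Optional comments follow the first space.
	local sw = split_string1(parts[2], / /);
	r$softwareversion = sw[0];
	if ( |sw| > 1 )
		r$comments = sw[1];

	return r;
	}

function check_version(c: connection, who: string, version: string)
	{
	local id = parse_ident(version);

	# "1.99" is a 2.0-capable server advertising 1.x compatibility, which is
	# still worth an inventory entry.
	if ( /^1\./ in id$protoversion )
		NOTICE([$note=Legacy_Protocol_Version,
		        $msg=fmt("SSH %s %s announced protocol %s (%s)", who,
		                 who == "server" ? c$id$resp_h : c$id$orig_h,
		                 id$protoversion, id$softwareversion),
		        $conn=c,
		        $identifier=cat(who, c$id$resp_h, id$protoversion)]);
	}

event ssh_client_version(c: connection, version: string)
	{
	check_version(c, "client", version);
	}

event ssh_server_version(c: connection, version: string)
	{
	check_version(c, "server", version);
	}
```

For an input such as "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3" the parser yields protoversion "2.0", softwareversion "OpenSSH_8.9p1" and comments "Ubuntu-3"; the two-split limit is what keeps the dash inside the comments intact.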