base/protocols/ssh/main.zeek

Implements base functionality for SSH analysis. Generates the ssh.log file.

- Namespaces
  GLOBAL, SSH
- Imports
  base/protocols/conn/removal-hooks.zeek, base/utils/directions-and-hosts.zeek
Summary

Runtime Options
- SSH::compression_algorithms: The set of compression algorithms.
- If true, after detection detach the SSH analyzer from the connection to prevent continuing to process encrypted traffic.

Redefinitions
- The SSH protocol logging stream identifier.

Events
- SSH::log_ssh: Event that can be handled to access the SSH record as it is sent on to the logging framework.
- ssh_auth_failed: This event is generated when an SSH connection was determined to have had a failed authentication.
- ssh_auth_result: This event is generated when a determination has been made about the final authentication result of an SSH connection.

Hooks
- SSH finalization hook.
- A default logging policy hook for the stream.
Detailed Interface

Runtime Options

SSH::compression_algorithms
The set of compression algorithms. We can't accurately determine authentication success or failure when compression is enabled: the result is inferred from the sizes of encrypted packets, and compression changes those sizes, so when one of these algorithms is negotiated the authentication result is left unknown rather than guessed.
Types

SSH::Info
Type: record

- ts: time &log
  Time when the SSH connection began.
- uid: string &log
  Unique ID for the connection.
- id: conn_id &log
  The connection's 4-tuple of endpoint addresses/ports.
- version: count &log
  SSH major version (1 or 2).
- auth_success: bool &log &optional
  Authentication result (T=success, F=failure, unset=unknown). An unset value means Zeek could not determine the outcome; it is not a failure.
- auth_attempts: count &log &default=0 &optional
  The number of authentication attempts we observed. There's always at least one, since some servers might support no authentication at all. It's important to note that not all of these are failures, since some servers require two-factor auth (e.g. password AND pubkey).
- direction: Direction &log &optional
  Direction of the connection. If the client was a local host logging into an external host, this would be OUTBOUND. INBOUND would be set for the opposite situation.
- client: string &log &optional
  The client's version string.
- server: string &log &optional
  The server's version string.
- cipher_alg: string &log &optional
  The encryption algorithm in use.
- mac_alg: string &log &optional
  The signing (MAC) algorithm in use.
- compression_alg: string &log &optional
  The compression algorithm in use.
- kex_alg: string &log &optional
  The key exchange algorithm in use.
- host_key_alg: string &log &optional
  The server host key's algorithm.
- host_key: string &log &optional
  The server's key fingerprint.
- logged: bool &default=F &optional
- capabilities: SSH::Capabilities &optional
- analyzer_id: count &optional
  Analyzer ID.
- remote_location: geo_location &log &optional
  (present if policy/protocols/ssh/geo-data.zeek is loaded)
  Add geographic data related to the "remote" host of the connection.

The record type which contains the fields of the SSH log.
Events

SSH::log_ssh
Event that can be handled to access the SSH record as it is sent on to the logging framework.

ssh_auth_failed
Type: event (c: connection)

This event is generated when an SSH connection was determined to have had a failed authentication. This determination is based on packet size analysis, and errs on the side of caution - that is, if there's any doubt about the authentication failure, this event is not raised. Because the heuristic is conservative, the absence of this event is not evidence that authentication succeeded.

This event is only raised once per connection.

- c: The connection over which the SSH connection took place.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key
ssh_auth_result
Type: event (c: connection, result: bool, auth_attempts: count)

This event is generated when a determination has been made about the final authentication result of an SSH connection. This determination is based on packet size analysis, and errs on the side of caution - that is, if there's any doubt about the result of the authentication, this event is not raised.

This event is only raised once per connection.

- c: The connection over which the SSH connection took place.
- result: True if the authentication was successful, false if not.
- auth_attempts: The number of authentication attempts that were observed. As noted for SSH::Info, attempts are not the same as failures: a successful connection with auth_attempts greater than 1 may simply reflect multi-factor authentication.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key
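The SSH::Info fields and the conservative semantics of ssh_auth_failed / ssh_auth_result above determine how downstream tooling should read ssh.log. The following Python is an added example, not code from Zeek or from this script: it parses a constructed ssh.log excerpt in Zeek's default ASCII (tab-separated, "-" for unset) format, maps auth_success T/F/unset to success/failure/unknown without ever counting unknown as a failure, flags connections whose compression_alg is one Zeek cannot see through (the set mirrors the documented default of SSH::compression_algorithms and is an assumption here), sums auth_attempts only over connections Zeek judged failed, and reports a success that follows earlier failures from the same client to the same server. All log lines, uids and addresses are constructed for the example.

```python
"""Triage Zeek ssh.log records using the SSH::Info fields documented above.

Added example; the sample log below is constructed, not a real capture.
"""
from collections import defaultdict

# Assumption: mirrors the default of Zeek's SSH::compression_algorithms.
# The option is redef-able, so adjust this set if your deployment changes it.
COMPRESSION_ALGORITHMS = {"zlib", "zlib@openssh.com"}

# Constructed ssh.log excerpt in Zeek's ASCII writer format (tab-separated).
SAMPLE_SSH_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssh
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tauth_success\tauth_attempts\tdirection\tclient\tserver\tcipher_alg\tmac_alg\tcompression_alg\tkex_alg\thost_key_alg\thost_key
#types\ttime\tstring\taddr\tport\taddr\tport\tcount\tbool\tcount\tenum\tstring\tstring\tstring\tstring\tstring\tstring\tstring\tstring
1700000001.000000\tC1aaaa\t203.0.113.5\t51000\t192.0.2.10\t22\t2\tF\t3\tINBOUND\tSSH-2.0-libssh_0.9.6\tSSH-2.0-OpenSSH_9.3\tchacha20-poly1305@openssh.com\tumac-128-etm@openssh.com\tnone\tcurve25519-sha256\tssh-ed25519\taa:bb:cc:dd
1700000002.000000\tC2bbbb\t203.0.113.5\t51001\t192.0.2.10\t22\t2\tF\t4\tINBOUND\tSSH-2.0-libssh_0.9.6\tSSH-2.0-OpenSSH_9.3\tchacha20-poly1305@openssh.com\tumac-128-etm@openssh.com\tnone\tcurve25519-sha256\tssh-ed25519\taa:bb:cc:dd
1700000003.000000\tC3cccc\t203.0.113.5\t51002\t192.0.2.10\t22\t2\tT\t2\tINBOUND\tSSH-2.0-libssh_0.9.6\tSSH-2.0-OpenSSH_9.3\tchacha20-poly1305@openssh.com\tumac-128-etm@openssh.com\tnone\tcurve25519-sha256\tssh-ed25519\taa:bb:cc:dd
1700000004.000000\tC4dddd\t198.51.100.7\t40000\t192.0.2.10\t22\t2\tT\t1\tINBOUND\tSSH-2.0-OpenSSH_9.3\tSSH-2.0-OpenSSH_9.3\tchacha20-poly1305@openssh.com\tumac-128-etm@openssh.com\tnone\tcurve25519-sha256\tssh-ed25519\taa:bb:cc:dd
1700000005.000000\tC5eeee\t198.51.100.9\t40001\t192.0.2.11\t22\t2\t-\t1\tINBOUND\tSSH-2.0-OpenSSH_9.3\tSSH-2.0-OpenSSH_9.3\taes128-gcm@openssh.com\thmac-sha2-256\tzlib@openssh.com\tcurve25519-sha256\tssh-ed25519\tee:ff:00:11
1700000006.000000\tC6ffff\t198.51.100.20\t40002\t192.0.2.10\t22\t2\t-\t1\tINBOUND\tSSH-2.0-OpenSSH_9.3\tSSH-2.0-OpenSSH_9.3\tchacha20-poly1305@openssh.com\tumac-128-etm@openssh.com\tnone\tcurve25519-sha256\tssh-ed25519\taa:bb:cc:dd
"""


def parse_ssh_log(text):
    """Parse Zeek ASCII ssh.log text into dicts keyed by the #fields names.

    Zeek's #unset_field marker "-" becomes None so that an unset auth_success
    stays distinguishable from an explicit F.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other header lines (#separator, #types, ...) carry no records
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        rec = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        v = rec["auth_success"]
        rec["auth_success"] = None if v is None else (v == "T")
        rec["auth_attempts"] = int(rec["auth_attempts"] or 0)
        rec["ts"] = float(rec["ts"])
        records.append(rec)
    return records


def auth_state(rec):
    """Map auth_success (T / F / unset) to 'success' / 'failure' / 'unknown'.

    ssh_auth_result is only raised when Zeek is confident, so unset is a genuine
    unknown (ambiguous packet sizes, compression, truncated session) and must
    never be counted as a failure.
    """
    if rec["auth_success"] is None:
        return "unknown"
    return "success" if rec["auth_success"] else "failure"


def uses_compression(rec):
    """True when the negotiated compression algorithm defeats the size heuristic."""
    return rec["compression_alg"] in COMPRESSION_ALGORITHMS


def failed_guesses_by_source(records, threshold=5):
    """Sum auth_attempts over connections Zeek judged failed, per id.orig_h.

    Only 'failure' records count: on a successful connection auth_attempts can
    legitimately exceed 1 (e.g. password AND pubkey), as the field doc notes.
    Returns {orig_h: total} for sources at or above threshold.
    """
    totals = defaultdict(int)
    for rec in records:
        if auth_state(rec) == "failure":
            totals[rec["id.orig_h"]] += rec["auth_attempts"]
    return {h: n for h, n in totals.items() if n >= threshold}


def successes_after_failures(records):
    """Return uids of successful logins preceded in time by a failed connection
    from the same client to the same server (brute force followed by login)."""
    failed_pairs = set()
    hits = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        pair = (rec["id.orig_h"], rec["id.resp_h"])
        state = auth_state(rec)
        if state == "failure":
            failed_pairs.add(pair)
        elif state == "success" and pair in failed_pairs:
            hits.append(rec["uid"])
    return hits


def triage(text, threshold=5):
    """Run all checks over one ssh.log text and return a summary dict."""
    recs = parse_ssh_log(text)
    return {
        "states": {r["uid"]: auth_state(r) for r in recs},
        "compressed": [r["uid"] for r in recs if uses_compression(r)],
        "brute_force_sources": failed_guesses_by_source(recs, threshold),
        "success_after_failures": successes_after_failures(recs),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SSH_LOG).items():
        print(f"{key}: {value}")
```

The two "unknown" records show the two reasons the page gives for an unset auth_success: C5eeee negotiated zlib@openssh.com, so the packet-size heuristic could not run at all, while C6ffff used no compression but Zeek still declined to commit to a result. Neither is scored as a failure, which keeps the brute-force count at what Zeek actually observed (7 failed attempts from 203.0.113.5) and still surfaces the later success from that same client.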