base/bif/plugins/Bro_SSH.events.bif.bro

GLOBAL

Namespace:	GLOBAL
Source File:	`/scripts/base/bif/plugins/Bro_SSH.events.bif.bro`

Summary

Events

`ssh1_server_host_key`: `event`	During the SSH key exchange, the server supplies its public host key.
`ssh2_dh_server_params`: `event`	Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method.
`ssh2_ecc_key`: `event`	The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret.
`ssh2_gss_error`: `event`	In the event of a GSS-API error on the server, the server MAY send send an error message with some additional details.
`ssh2_server_host_key`: `event`	During the SSH key exchange, the server supplies its public host key.
`ssh_auth_attempted`: `event`	This event is generated when an SSH connection was determined to have had an authentication attempt.
`ssh_auth_successful`: `event`	This event is generated when an SSH connection was determined to have had a successful authentication.
`ssh_capabilities`: `event`	During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference.
`ssh_client_version`: `event`	An SSH Protocol Version Exchange message from the client.
`ssh_encrypted_packet`: `event`	This event is generated when an SSH encrypted packet is seen.
`ssh_server_version`: `event`	An SSH Protocol Version Exchange message from the server.

Detailed Interface

Events

ssh1_server_host_key

Type:	`event` (c: `connection`, p: `string`, e: `string`)

During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH1.

C:	The connection over which the SSH connection took place.
P:	The prime for the server’s public host key.
E:	The exponent for the serer’s public host key.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh2_dh_server_params

Type:	`event` (c: `connection`, p: `string`, q: `string`)

Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method. This event contains the server DH parameters, which are sent in the SSH_MSG_KEY_DH_GEX_GROUP message as defined in RFC 4419#section-3.

C:	The connection.
P:	The DH prime modulus.
Q:	The DH generator.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_gss_error, ssh2_ecc_key

ssh2_ecc_key

Type:	`event` (c: `connection`, is_orig: `bool`, q: `string`)

The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret. This event is generated when either the client’s or server’s ephemeral public key is seen. For more information, see: RFC 5656#section-4.

C:	The connection
Is_orig:	Did this message come from the originator?
Q:	The ephemeral public key

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error

ssh2_gss_error

Type:	`event` (c: `connection`, major_status: `count`, minor_status: `count`, err_msg: `string`)

In the event of a GSS-API error on the server, the server MAY send send an error message with some additional details. This event is generated when such an error message is seen. For more information, see RFC 4462#section-2.1.

C:	The connection.
Major_status:	GSS-API major status code.
Minor_status:	GSS-API minor status code.
Err_msg:	Detailed human-readable error message

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_ecc_key

ssh2_server_host_key

Type:	`event` (c: `connection`, key: `string`)

During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH2.

C:	The connection over which the SSH connection took place.
Key:	The server’s public host key. Note that this is the public key itself, and not just the fingerprint or hash.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_auth_attempted

Type:	`event` (c: `connection`, authenticated: `bool`)

This event is generated when an SSH connection was determined to have had an authentication attempt. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about whether or not an authenication attempt occured, this event is not raised.

At this point in the protocol, all we can determine is whether or not the user is authenticated. We don’t know if the particular attempt succeeded or failed, since some servers require multiple authentications (e.g. require both a password AND a pubkey), and could return an authentication failed message which is marked as a partial success.

This event will often be raised multiple times per connection. In almost all connections, it will be raised once unless

C:	The connection over which the SSH connection took place.
Authenticated:	This is true if the analyzer detected a successful connection from the authentication attempt.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_auth_successful

Type:	`event` (c: `connection`, auth_method_none: `bool`)

This event is generated when an SSH connection was determined to have had a successful authentication. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about the authentication success, this event is not raised.

Auth_method_none:
C:	The connection over which the SSH connection took place.
	This is true if the analyzer detected a successful connection before any authentication challenge. The SSH protocol provides a mechanism for unauthenticated access, which some servers support.

See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_capabilities

Type:	`event` (c: `connection`, cookie: `string`, capabilities: `SSH::Capabilities`)

During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. This event is generated for each endpoint, when the SSH_MSG_KEXINIT message is seen. See RFC 4253#section-7.1 for details.

C:	The connection over which the SSH connection took place.
Cookie:	The SSH_MSG_KEXINIT cookie - a random value generated by the sender.
Capabilities:	The list of algorithms and languages that the sender advertises support for, in order of preference.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_client_version

Type:	`event` (c: `connection`, version: `string`)

An SSH Protocol Version Exchange message from the client. This contains an identification string that’s used for version identification. See RFC 4253#section-4.2 for details.

C:	The connection over which the message was sent.
Version:	The identification string

See also: ssh_server_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_encrypted_packet

Type:	`event` (c: `connection`, orig: `bool`, len: `count`)

This event is generated when an SSH encrypted packet is seen. This event is not handled by default, but is provided for heuristic analysis scripts. Note that you have to set SSH::disable_analyzer_after_detection to false to use this event. This carries a performance penalty.

C:	The connection over which the SSH connection took place.
Orig:	Whether the packet was sent by the originator of the TCP connection.
Len:	The length of the SSH payload, in bytes. Note that this ignores reassembly, as this is unknown.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_server_version

Type:	`event` (c: `connection`, version: `string`)

An SSH Protocol Version Exchange message from the server. This contains an identification string that’s used for version identification. See RFC 4253#section-4.2 for details.

C:	The connection over which the message was sent.
Version:	The identification string

See also: ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

base/bif/plugins/Bro_SSH.events.bif.bro

Summary

Events

Detailed Interface

Events

Table of Contents

Next Page

Previous Page

base/bif/plugins/Bro_SSH.events.bif.bro

Summary

Events

Detailed Interface

Events

Table of Contents

Next Page

Previous Page

Search