base/bif/plugins/Bro_SSH.events.bif.bro

GLOBAL
Namespace:GLOBAL
Source File:/scripts/base/bif/plugins/Bro_SSH.events.bif.bro

Summary

Events

ssh1_server_host_key: event During the SSH key exchange, the server supplies its public host key.
ssh2_dh_server_params: event Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method.
ssh2_ecc_key: event The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret.
ssh2_gss_error: event In the event of a GSS-API error on the server, the server MAY send send an error message with some additional details.
ssh2_server_host_key: event During the SSH key exchange, the server supplies its public host key.
ssh_auth_attempted: event This event is generated when an SSH connection was determined to have had an authentication attempt.
ssh_auth_successful: event This event is generated when an SSH connection was determined to have had a successful authentication.
ssh_capabilities: event During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference.
ssh_client_version: event An SSH Protocol Version Exchange message from the client.
ssh_encrypted_packet: event This event is generated when an SSH encrypted packet is seen.
ssh_server_version: event An SSH Protocol Version Exchange message from the server.

Detailed Interface

Events

ssh1_server_host_key
Type:event (c: connection, p: string, e: string)

During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH1.

C:The connection over which the SSH connection took place.
P:The prime for the server’s public host key.
E:The exponent for the serer’s public host key.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh2_dh_server_params
Type:event (c: connection, p: string, q: string)

Generated if the connection uses a Diffie-Hellman Group Exchange key exchange method. This event contains the server DH parameters, which are sent in the SSH_MSG_KEY_DH_GEX_GROUP message as defined in RFC 4419#section-3.

C:The connection.
P:The DH prime modulus.
Q:The DH generator.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_gss_error, ssh2_ecc_key

ssh2_ecc_key
Type:event (c: connection, is_orig: bool, q: string)

The ECDH and ECMQV key exchange algorithms use two ephemeral key pairs to generate a shared secret. This event is generated when either the client’s or server’s ephemeral public key is seen. For more information, see: RFC 5656#section-4.

C:The connection
Is_orig:Did this message come from the originator?
Q:The ephemeral public key

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error

ssh2_gss_error
Type:event (c: connection, major_status: count, minor_status: count, err_msg: string)

In the event of a GSS-API error on the server, the server MAY send send an error message with some additional details. This event is generated when such an error message is seen. For more information, see RFC 4462#section-2.1.

C:The connection.
Major_status:GSS-API major status code.
Minor_status:GSS-API minor status code.
Err_msg:Detailed human-readable error message

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_ecc_key

ssh2_server_host_key
Type:event (c: connection, key: string)

During the SSH key exchange, the server supplies its public host key. This event is generated when the appropriate key exchange message is seen for SSH2.

C:The connection over which the SSH connection took place.
Key:The server’s public host key. Note that this is the public key itself, and not just the fingerprint or hash.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_auth_attempted
Type:event (c: connection, authenticated: bool)

This event is generated when an SSH connection was determined to have had an authentication attempt. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about whether or not an authenication attempt occured, this event is not raised.

At this point in the protocol, all we can determine is whether or not the user is authenticated. We don’t know if the particular attempt succeeded or failed, since some servers require multiple authentications (e.g. require both a password AND a pubkey), and could return an authentication failed message which is marked as a partial success.

This event will often be raised multiple times per connection. In almost all connections, it will be raised once unless

C:The connection over which the SSH connection took place.
Authenticated:This is true if the analyzer detected a successful connection from the authentication attempt.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_auth_successful
Type:event (c: connection, auth_method_none: bool)

This event is generated when an SSH connection was determined to have had a successful authentication. This determination is based on packet size analysis, and errs on the side of caution - that is, if there’s any doubt about the authentication success, this event is not raised.

C:The connection over which the SSH connection took place.
Auth_method_none:
 This is true if the analyzer detected a successful connection before any authentication challenge. The SSH protocol provides a mechanism for unauthenticated access, which some servers support.

See also: ssh_server_version, ssh_client_version, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_capabilities
Type:event (c: connection, cookie: string, capabilities: SSH::Capabilities)

During the initial SSH key exchange, each endpoint lists the algorithms that it supports, in order of preference. This event is generated for each endpoint, when the SSH_MSG_KEXINIT message is seen. See RFC 4253#section-7.1 for details.

C:The connection over which the SSH connection took place.
Cookie:The SSH_MSG_KEXINIT cookie - a random value generated by the sender.
Capabilities:The list of algorithms and languages that the sender advertises support for, in order of preference.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_client_version
Type:event (c: connection, version: string)

An SSH Protocol Version Exchange message from the client. This contains an identification string that’s used for version identification. See RFC 4253#section-4.2 for details.

C:The connection over which the message was sent.
Version:The identification string

See also: ssh_server_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_encrypted_packet
Type:event (c: connection, orig: bool, len: count)

This event is generated when an SSH encrypted packet is seen. This event is not handled by default, but is provided for heuristic analysis scripts. Note that you have to set SSH::disable_analyzer_after_detection to false to use this event. This carries a performance penalty.

C:The connection over which the SSH connection took place.
Orig:Whether the packet was sent by the originator of the TCP connection.
Len:The length of the SSH payload, in bytes. Note that this ignores reassembly, as this is unknown.

See also: ssh_server_version, ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key

ssh_server_version
Type:event (c: connection, version: string)

An SSH Protocol Version Exchange message from the server. This contains an identification string that’s used for version identification. See RFC 4253#section-4.2 for details.

C:The connection over which the message was sent.
Version:The identification string

See also: ssh_client_version, ssh_auth_successful, ssh_auth_failed, ssh_auth_result, ssh_auth_attempted, ssh_capabilities, ssh2_server_host_key, ssh1_server_host_key, ssh_server_host_key, ssh_encrypted_packet, ssh2_dh_server_params, ssh2_gss_error, ssh2_ecc_key


Copyright 2016, The Bro Project. Last updated on January 10, 2019. Created using Sphinx 1.7.5.