Merge pull request #10 from brimsec/master
Change to Zeek naming
benjeems committed Apr 25, 2020
2 parents 350730f + 82f54ee commit cfa2315257eaa972e86f7fcd694712e0d32762ff
Showing with 17 additions and 17 deletions.
  1. +0 −1 bro/__load__.bro
  2. +12 −12 {bro → zeek}/README.md
  3. +1 −0 zeek/__load__.zeek
  4. +2 −2 bro/hassh.bro → zeek/hassh.zeek
  5. +2 −2 bro-pkg.meta → zkg.meta

This file was deleted.

@@ -1,28 +1,28 @@
# hassh.bro
# hassh.zeek
[![License: BSD 3-Clause License](https://img.shields.io/badge/License-BSD%203--Clause-blue.svg)](https://opensource.org/licenses/BSD-3-Clause)

## Features
**hassh.bro** by default will add these fields to your bro ssh.log file
**hassh.zeek** by default will add these fields to your Zeek ssh.log file
- hasshVersion
- hassh, hasshAlgorithms
- hasshServer, hasshServerAlgorithms
- cshka (Client Host Key Algorithms), sshka (Server Host Key Algorithms)
- The script has been tested on Bro 2.5, 2.5.1, 2.5.5, 2.6.0, 2.6.1 and 2.6.3
- Note that bro versions < v2.6.0 had a bug which reversed the Client/server flag , see https://github.com/zeek/zeek/pull/191. The current version of the hassh.bro script does version checking to deal with these version issues. Failure to update bro and not the hassh.bro script will result in the Server and Client packets being processed incorrectly, in effect swapping around hassh with hassServer.
- The script has been tested on Bro 2.5, 2.5.1, 2.5.5, 2.6.0, 2.6.1, 2.6.3, 3.0.0 and 3.1.2
- Note that Zeek (formerly bro) versions < v2.6.0 had a bug which reversed the Client/server flag , see https://github.com/zeek/zeek/pull/191. The current version of the hassh.zeek script does version checking to deal with these version issues. Failure to update Zeek and not the hassh.zeek script will result in the Server and Client packets being processed incorrectly, in effect swapping around hassh with hassServer.

## Installation
Place hassh.bro in bro/share/bro/site/hassh and add this line to your local.bro script:
Place hassh.zeek in zeek/share/zeek/site/hassh and add this line to your local.zeek script:
```bash
@load ./hassh
```
If running Bro >=2.5 or a Bro product like Corelight, install by using the Bro Package Manager with this command:
If running Zeek >=2.5 or a Zeek product like Corelight, install by using the Zeek Package Manager with this command:
```bash
bro-pkg install hassh
zkg install hassh
```


## Configuration
**hassh.bro** by default will add these fields to your bro ssh.log file: ```hasshVersion, hassh, hasshAlgorithms, hasshServer and hasshServerAlgorithms, cshka, sshka.``` If you don't want some of these fields to be logged, simply comment those field lines out in each of the locations within hassh.bro as shown in the code blocks below.
**hassh.zeek** by default will add these fields to your Zeek ssh.log file: ```hasshVersion, hassh, hasshAlgorithms, hasshServer and hasshServerAlgorithms, cshka, sshka.``` If you don't want some of these fields to be logged, simply comment those field lines out in each of the locations within hassh.zeek as shown in the code blocks below.
```bash
redef record SSH::Info += {
hasshVersion: string &log &optional;
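Review bot: the feature list still spells the server field "hassServer" in the sentence about swapped Client/Server processing ("in effect swapping around hassh with hassServer"); the field added to ssh.log is "hasshServer", so the typo survives the rename and should be fixed in the same line. Two smaller points in this hunk: the tested-versions bullet now lists Bro 2.5 through 2.6.3 alongside Zeek 3.0.0 and 3.1.2, but the install instruction for "Zeek >=2.5" only gives `zkg install hassh` after removing `bro-pkg install hassh`, so a reader on one of the listed pre-3.0 releases is left without the command name that applies there; consider stating that `zkg` is the renamed package manager and that older installs use the previous name. The `@load ./hassh` snippet is also fenced as ```bash although it is a Zeek script line, not a shell command.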
@@ -83,11 +83,11 @@ redef record SSH::Info += {
}
```
After ammending the bro script, don't forget to reload bro.
After ammending the Zeek script, don't forget to reload Zeek.
```bash
broctl stop
broctl install
broctl start
zeekctl stop
zeekctl install
zeekctl start
```
## Credits:
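Review bot: "ammending" is misspelled in the unchanged part of "After ammending the Zeek script, don't forget to reload Zeek."; since this line is already being rewritten for the Bro to Zeek rename, correct it to "amending" in the same change rather than leaving the typo for a follow-up.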
@@ -0,0 +1 @@
@load ./hassh.zeek
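Review bot: the new `zeek/__load__.zeek` loads the script with an explicit extension (`@load ./hassh.zeek`) while the README in this same pull request tells users to write `@load ./hassh`; both resolve, but picking one form for the package loader and the documentation avoids readers wondering whether the extension matters. The deleted `bro/__load__.bro` is only shown as "This file was deleted", so the diff does not let a reviewer confirm that its single load line was carried over unchanged apart from the extension.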
@@ -5,7 +5,7 @@
# Authors: Ben Reardon (breardon@salesforce.com, @benreardon) #
# : Jeff Atkinson (jatkinson@salesforce.com) #
# : John Althouse (jalthouse@salesforce.com) #
# Description: This bro script appends hassh data to ssh.log #
# Description: This Zeek script appends hassh data to ssh.log #
# by enumerating the SSH_MSG_KEXINIT packets sent #
# as clear text between the client and server as part #
# of the negotiation of an SSH connection. #
@@ -107,7 +107,7 @@ event ssh_capabilities(c: connection, cookie: string, capabilities: SSH::Capabil
if ( !c?$ssh ) {return;}
c$hassh = HASSHStorage();

# Prior to 2.6.0 bro has a bug which it reverses the Client/server flag.
# Prior to 2.6.0 Zeek has a bug which it reverses the Client/server flag.
# See https://github.com/zeek/zeek/pull/191
# The "if" statements here do a version check to account for this bug in versions older than 2.6.0

@@ -1,5 +1,5 @@
[package]
script_dir = bro
script_dir = zeek
description = HASSH is used to identify specific Client and Server SSH implementations. The fingerprints can be stored, searched and shared in the form of an MD5 fingerprint. This package logs components to ssh.log
tags = bro plugin, ssh, fingerprint, logging
tags = zeek plugin, ssh, fingerprint, logging
version = 1.0
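Review bot: `version = 1.0` is left unchanged even though this change renames the metadata file from `bro-pkg.meta` to `zkg.meta`, moves the scripts from `bro/` to `zeek/` and sets `script_dir = zeek`; installs pinned to 1.0 will not pick up the new layout, so bump the version in the same change so package-manager users see an update. The description line also still reads "This package logs components to ssh.log", which is vague about what is logged; the README's field list (hasshVersion, hassh, hasshAlgorithms, hasshServer, hasshServerAlgorithms, cshka, sshka) would make a clearer description.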