##! Geodata-based detections for SSH analysis: attaches the GeoIP location of
##! the "remote" SSH host to :zeek:type:`SSH::Info` (logged as ``remote_location``)
##! and raises :zeek:enum:`SSH::Watched_Country_Login` when a *successful* login
##! is seen to or from a country listed in :zeek:id:`SSH::watched_countries`.
@load base/frameworks/notice
@load base/protocols/ssh
module SSH;

export {
	redef enum Notice::Type += {
		## Raised on a *successful* SSH login whose "remote" side geolocates
		## to a country listed in :zeek:id:`SSH::watched_countries`.
		## Failed attempts never produce this notice. Neither do
		## connections for which the SSH direction could not be determined
		## or for which the lookup yielded no country code (e.g. no GeoIP
		## database loaded) -- in those cases the detection is silently
		## inactive, so "no notice" may mean "no data" rather than "no match".
		Watched_Country_Login,
	};

	redef record Info += {
		## GeoIP location of the "remote" host: the responder for an
		## OUTBOUND connection, the originator otherwise. Carries ``&log``,
		## so it appears in the SSH log. Left unset when the connection
		## direction was not determined. Note this is the peer address Zeek
		## observed; a VPN, proxy or NAT in the path geolocates to the
		## intermediary, not to the actual user.
		remote_location: geo_location &log &optional;
	};

	## Two-letter country codes (as returned in ``geo_location$country_code``
	## by ``lookup_location()``) for which a successful login raises
	## :zeek:enum:`SSH::Watched_Country_Login`. The default is a placeholder;
	## redef it for your environment.
	option watched_countries: set[string] = {"RO"};
}
## Return the GeoIP location of the connection's "remote" endpoint.
##
## The remote endpoint is picked from the SSH direction Zeek inferred: for
## an OUTBOUND connection the remote host is the responder; for anything
## else (INBOUND, or any other Direction value) it is the originator.
##
## Precondition: ``c$ssh$direction`` must be set. It is an ``&optional``
## field and reading it while unset is a runtime error, which is why both
## callers in this file test ``c$ssh?$direction`` first; do the same before
## calling this from elsewhere.
##
## c: the SSH connection to geolocate.
##
## Returns: the ``geo_location`` for the remote address. Its fields
##          (``country_code`` in particular) may be unset, e.g. when no GeoIP
##          database is available or the address is not covered by it.
function get_location(c: connection): geo_location
	{
	local remote_addr: addr;

	if ( c$ssh$direction == OUTBOUND )
		remote_addr = c$id$resp_h;
	else
		remote_addr = c$id$orig_h;

	return lookup_location(remote_addr);
	}
## Raise :zeek:enum:`SSH::Watched_Country_Login` for a successful login whose
## remote host (``c$ssh$remote_location``, filled in by the
## ``ssh_auth_attempted`` handler in this file) geolocates to a country in
## :zeek:id:`SSH::watched_countries`.
##
## Bails out silently when the SSH direction was not determined, when no
## geodata was attached, or when the lookup produced no country code (e.g.
## no GeoIP database loaded). Operators should keep in mind that the absence
## of this notice can therefore mean "no data", not "no match".
##
## The country is an attribution hint only: the geolocated address is the
## peer Zeek observed, so a VPN, proxy or NAT in the path places the login
## in the intermediary's country.
##
## No ``$identifier`` is passed to NOTICE, so -- assuming default Notice
## framework behaviour -- repeated matching logins are not suppressed; each
## one produces its own notice.
##
## c: the SSH connection that just authenticated.
##
## auth_method_none: unused here; passed through by the event.
event ssh_auth_successful(c: connection, auth_method_none: bool) &priority=3
	{
	# Without a direction the remote side is unknown and no geodata was
	# attached; without geodata there is nothing to match against.
	if ( ! c$ssh?$direction || ! c$ssh?$remote_location )
		return;

	local loc = c$ssh$remote_location;

	# country_code is optional: unset means the lookup could not place the
	# address, and the detection deliberately stays quiet rather than guess.
	if ( ! loc?$country_code )
		return;

	if ( loc$country_code !in watched_countries )
		return;

	# Word the message from the monitored side's point of view.
	local dir_word = (c$ssh$direction == OUTBOUND) ? "to" : "from";

	NOTICE([$note=Watched_Country_Login,
	        $conn=c,
	        $msg=fmt("SSH login %s watched country: %s", dir_word, loc$country_code)]);
	}
## Attach GeoIP data for the remote host to the connection's
## :zeek:type:`SSH::Info` record.
##
## Runs for every authentication attempt, successful or not (the
## ``authenticated`` flag is deliberately ignored), so ``remote_location`` is
## populated -- and logged -- even for connections that never log in. The
## lookup is simply redone on each attempt of the same connection; since the
## remote address does not change, the value written should be the same.
##
## If Zeek could not determine the SSH direction, the remote endpoint is
## unknown and no geodata is attached at all; the ``ssh_auth_successful``
## handler in this file checks for the missing field and does nothing in
## that case.
##
## c: the SSH connection on which an authentication attempt was seen.
##
## authenticated: whether the attempt succeeded; not consulted here.
event ssh_auth_attempted(c: connection, authenticated: bool) &priority=3
	{
	# get_location() reads c$ssh$direction, which is &optional, so only
	# call it when the direction is known.
	if ( c$ssh?$direction )
		c$ssh$remote_location = get_location(c);
	}