Issue 774: securityonion-elsa-extras: update bro_ssh parser for Bro 2.4

contrib/parsers/bro_ssh

@@ -3,29 +3,29 @@
   <rules>
     <rule provider="Security_Onion" class="26007" id="26007">
       <patterns>
-        <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING::|@@ESTRING::|@@ESTRING::@</pattern>
+        <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING::|@@ESTRING::|@@ESTRING::@</pattern>
       </patterns>
       <examples>
         <example>
-          <test_message program="bro_ssh">1385320083.369326|CPGlXxZ5k36JLyD8k|192.168.4.151|46133|192.168.4.150|22|success|OUTBOUND|SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1|-|-|-|-|-|-</test_message>
+          <test_message program="bro_ssh">1436555953.765764|CnZKS10trXfqFTCu8|203.0.113.77|65438|192.168.3.5|22|2|T|INBOUND|SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503|SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1|aes128-cbc|hmac-md5|none|diffie-hellman-group-exchange-sha256|ssh-rsa|56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3|AU|-|-|-|-</test_message>
           <!-- srcip -->
-          <test_value name="i0">192.168.4.151</test_value>
+          <test_value name="i0">203.0.113.77</test_value>
           <!-- srcport -->
-          <test_value name="i1">46133</test_value>
+          <test_value name="i1">65438</test_value>
           <!-- dstip -->
-          <test_value name="i2">192.168.4.150</test_value>
+          <test_value name="i2">192.168.3.5</test_value>
           <!-- dstport -->
           <test_value name="i3">22</test_value>
           <!-- status -->
-          <test_value name="s0">success</test_value>
+          <test_value name="s0">T</test_value>
           <!-- direction -->
-          <test_value name="s1">OUTBOUND</test_value>
+          <test_value name="s1">INBOUND</test_value>
           <!-- client -->
-          <test_value name="s2">SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1</test_value>
+          <test_value name="s2">SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503</test_value>
           <!-- server -->
-          <test_value name="s3">-</test_value>
+          <test_value name="s3">SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1</test_value>
           <!-- country -->
-          <test_value name="s4">-</test_value>
+          <test_value name="s4">AU</test_value>
           <!-- region -->
           <test_value name="s5">-</test_value>
         </example>

debian/changelog

@@ -1,3 +1,9 @@
+securityonion-elsa-extras (20131117-1ubuntu0securityonion96) precise; urgency=low
+
+  * Issue 774: securityonion-elsa-extras: update bro_ssh parser for Bro 2.4 
+
+ -- Doug Burks <[email protected]>  Fri, 10 Jul 2015 15:34:53 -0400
+
 securityonion-elsa-extras (20131117-1ubuntu0securityonion95) precise; urgency=low
 
   * Issue 773: securityonion-elsa-extras: add Windows and Cisco parsers from Brian Kellogg 

debian/patches/Issue-774:-securityonion-elsa-extras:-update-bro_ssh-parser-for-Bro-2.4

@@ -0,0 +1,67 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-elsa-extras (20131117-1ubuntu0securityonion96) precise; urgency=low
+ .
+   * Issue 774: securityonion-elsa-extras: update bro_ssh parser for Bro 2.4
+Author: Doug Burks <[email protected]>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- securityonion-elsa-extras-20131117.orig/contrib/parsers/bro_ssh
++++ securityonion-elsa-extras-20131117/contrib/parsers/bro_ssh
+@@ -3,29 +3,29 @@
+   <rules>
+     <rule provider="Security_Onion" class="26007" id="26007">
+       <patterns>
+-        <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING::|@@ESTRING::|@@ESTRING::@</pattern>
++        <pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@ESTRING::|@@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING::|@@ESTRING:s4:|@@ESTRING:s5:|@@ESTRING::|@@ESTRING::|@@ESTRING::@</pattern>
+       </patterns>
+       <examples>
+         <example>
+-          <test_message program="bro_ssh">1385320083.369326|CPGlXxZ5k36JLyD8k|192.168.4.151|46133|192.168.4.150|22|success|OUTBOUND|SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1|-|-|-|-|-|-</test_message>
++          <test_message program="bro_ssh">1436555953.765764|CnZKS10trXfqFTCu8|203.0.113.77|65438|192.168.3.5|22|2|T|INBOUND|SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503|SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1|aes128-cbc|hmac-md5|none|diffie-hellman-group-exchange-sha256|ssh-rsa|56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3|AU|-|-|-|-</test_message>
+           <!-- srcip -->
+-          <test_value name="i0">192.168.4.151</test_value>
++          <test_value name="i0">203.0.113.77</test_value>
+           <!-- srcport -->
+-          <test_value name="i1">46133</test_value>
++          <test_value name="i1">65438</test_value>
+           <!-- dstip -->
+-          <test_value name="i2">192.168.4.150</test_value>
++          <test_value name="i2">192.168.3.5</test_value>
+           <!-- dstport -->
+           <test_value name="i3">22</test_value>
+           <!-- status -->
+-          <test_value name="s0">success</test_value>
++          <test_value name="s0">T</test_value>
+           <!-- direction -->
+-          <test_value name="s1">OUTBOUND</test_value>
++          <test_value name="s1">INBOUND</test_value>
+           <!-- client -->
+-          <test_value name="s2">SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1</test_value>
++          <test_value name="s2">SSH-2.0-OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503</test_value>
+           <!-- server -->
+-          <test_value name="s3">-</test_value>
++          <test_value name="s3">SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1</test_value>
+           <!-- country -->
+-          <test_value name="s4">-</test_value>
++          <test_value name="s4">AU</test_value>
+           <!-- region -->
+           <test_value name="s5">-</test_value>
+         </example>

debian/patches/series

@@ -56,3 +56,4 @@ securityonion-elsa-extras:-update-bro_conn-parser-for-Bro-2.4-#762
 securityonion-elsa-extras:-update-bro_intel-parser-for-Bro-2.4-#765
 securityonion-elsa-extras:-update-bro_ssl-parser-for-Bro-2.4-#768
 Issue-773:-securityonion-elsa-extras:-add-Windows-and-Cisco-parsers-from-Brian-Kellogg
+Issue-774:-securityonion-elsa-extras:-update-bro_ssh-parser-for-Bro-2.4