

fix problem setting ssh version changing evidence3
AlyaGomaa committed Feb 2, 2024
1 parent f593e9d commit a60b734
Showing 2 changed files with 8 additions and 23 deletions.
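--- a/modules/flowalerts/flowalerts.py
+++ b/modules/flowalerts/flowalerts.py
@@ -1033,9 +1033,12 @@ def check_multiple_ssh_versions(
 uids = [cached_ssh_versions['uid'], flow['uid']]
 self.set_evidence.multiple_ssh_versions(
 flow['saddr'],
-flow['daddr'],
-cached_versions, current_versions,
-flow['starttime'], twid, uids, role=role
+cached_versions,
+current_versions,
+flow['starttime'],
+twid,
+uids,
+role=role
 )
 return True
 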
22 changes: 2 additions & 20 deletions modules/flowalerts/set_evidence.py
Expand Up @@ -69,7 +69,6 @@ def young_domain(
def multiple_ssh_versions(
self,
srcip: str,
dstip: str,
cached_versions: str,
current_versions: str,
timestamp: str,
Expand All @@ -83,26 +82,10 @@ def multiple_ssh_versions(
:param role: can be 'SSH::CLIENT' or
'SSH::SERVER' as seen in zeek software.log flows
"""
if role.upper() == 'CLIENT':
attacker = srcip
attacker_direction = Direction.SRC
victim = dstip
victim_direction = Direction.DST
else:
attacker = dstip
attacker_direction = Direction.DST
victim = srcip
victim_direction = Direction.SRC

attacker = Attacker(
direction=attacker_direction,
direction=Direction.SRC,
attacker_type=IoCType.IP,
value=attacker
)
victim = Victim(
direction=victim_direction,
victim_type=IoCType.IP,
value=victim
value=srcip
)
role = 'client' if 'CLIENT' in role.upper() else 'server'
description = f'SSH {role} version changing from ' \
Expand All @@ -114,7 +97,6 @@ def multiple_ssh_versions(
threat_level=ThreatLevel.MEDIUM,
category=IDEACategory.ANOMALY_TRAFFIC,
description=description,
victim=victim,
profile=ProfileID(ip=attacker.value),
timewindow=TimeWindow(int(twid.replace("timewindow", ''))),
uid=uid,
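Review bot: The attacker is now hard-wired to `direction=Direction.SRC` and `value=srcip` for both roles, so the evidence and `ProfileID(ip=attacker.value)` are attributed to the source IP even when `role` is 'SSH::SERVER'; that is only correct if every caller passes the host whose SSH software version changed as `srcip` regardless of role, which nothing in the hunk states. The removed branch was the only place the client/server distinction reached the attacker and victim fields, and the `victim=` argument is dropped rather than corrected, so consumers of this evidence no longer see the peer of the host whose banner changed. If attributing to `srcip` is the intended contract, make it explicit in the docstring, e.g. `:param srcip: the host whose SSH software version changed (client or server, per role)`; otherwise keep the role-dependent direction selection and continue passing a `Victim`. The function's signature, docstring and the evidence construction continue outside the visible hunks.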
