Commit

Merge pull request #5 from piercema/ssh_packet_count
Ssh packet count
piercema authored Oct 15, 2024
2 parents 26d0d66 + cbb7162 commit 3ac7396
Showing 6 changed files with 11 additions and 3 deletions.
4 changes: 3 additions & 1 deletion config/zeek.env.example
@@ -62,6 +62,8 @@ EXTRACTED_FILE_HTTP_SERVER_ZIP=false
EXTRACTED_FILE_HTTP_SERVER_MAGIC=false
# HTTP server will look in subdirectories for requested filename (e.g., in "/quarantined" and "/preserved")
EXTRACTED_FILE_HTTP_SERVER_RECURSIVE=true
# Adjust how often the JA4SSH hash is calculated.
ZEEK_JA4SSH_PACKET_COUNT=200
# Environment variables for tweaking Zeek at runtime (see local.zeek)
# Set to true to disable the corresponding feature
ZEEK_DISABLE_HASH_ALL_FILES=
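Review bot: the new `ZEEK_JA4SSH_PACKET_COUNT=200` pair is placed under the extracted-file HTTP server settings rather than under the `# Environment variables for tweaking Zeek at runtime (see local.zeek)` header that immediately follows it, even though local.zeek is what reads this variable; move the two added lines below that header, and make the comment state the unit and the empty-value behaviour, e.g. `# Compute the JA4SSH fingerprint once every N SSH packets (empty = 200)`, since "how often" alone does not say whether N is packets, seconds or connections.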
@@ -96,4 +98,4 @@ ZEEK_SYNCHROPHASOR_PORTS=
ZEEK_SYNCHROPHASOR_DETAILED=
ZEEK_GENISYS_PORTS=
ZEEK_ENIP_PORTS=
ZEEK_DISABLE_BEST_GUESS_ICS=true
ZEEK_DISABLE_BEST_GUESS_ICS=true
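Review bot: this hunk removes and re-adds an identical `ZEEK_DISABLE_BEST_GUESS_ICS=true` line, which is normally a trailing-newline change at end of file; that is harmless, but if it was not intended it is worth dropping so the diff carries only the JA4SSH change.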
3 changes: 2 additions & 1 deletion docs/malcolm-config.md
@@ -130,6 +130,7 @@ Although the configuration script automates many of the following configuration
- `ZEEK_INTEL_FEED_SINCE` - when querying a [TAXII](zeek-intel.md#ZeekIntelSTIX) or [MISP](zeek-intel.md#ZeekIntelMISP) feed, only process threat indicators created or modified since the time represented by this value; it may be either a fixed date/time (`01/01/2021`) or relative interval (`30 days ago`)
- `ZEEK_INTEL_ITEM_EXPIRATION` - specifies the value for Zeek's [`Intel::item_expiration`](https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#id-Intel::item_expiration) timeout as used by the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) (default `-1min`, which disables item expiration)
- `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` - specifies a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) indicating the refresh interval for generating the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) files (defaults to empty, which disables automatic refresh)
- `ZEEK_JA4SSH_PACKET_COUNT` - the Zeek [JA4 plugin](https://github.com/piercema/ja4.git) calculates the JA4SSH value once for every x SSH packets; x is set here (defaults to 200)
- `ZEEK_LIVE_CAPTURE` - if set to `true`, Zeek will monitor live traffic on the local interface(s) defined by `PCAP_FILTER`
+ See [**Tuning Zeek**](live-analysis.md#LiveAnalysisTuningZeek) for other variables related to managing Zeek's performance and resource utilization.
- `ZEEK_LOCAL_NETS` - specifies the value for Zeek's [`Site::local_nets`](https://docs.zeek.org/en/master/scripts/base/utils/site.zeek.html#id-Site::local_nets) variable (and `networks.cfg` for live capture) (e.g., `1.2.3.0/24,5.6.7.0/24`); note that by default, Zeek considers IANA-registered private address space such as `10.0.0.0/8` and `192.168.0.0/16` site-local
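Review bot: the new `ZEEK_JA4SSH_PACKET_COUNT` entry presents `https://github.com/piercema/ja4.git` as "the Zeek JA4 plugin" without saying it is a fork of the `FoxIO-LLC/ja4` plugin that `zeek_install_plugins.sh` pulled before this commit; name it as a fork so readers know which code base the fingerprint comes from, and follow the neighbouring entries by stating the empty-value behaviour explicitly (the local.zeek hunk falls back to 200 when the variable is empty) rather than only "defaults to 200".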
@@ -176,4 +177,4 @@ In instances where Malcolm is deployed with the intention of running indefinitel
- `EXTRACTED_FILE_PRUNE_INTERVAL_SECONDS` - the interval between checking the prune conditions, in seconds (default `300`)
* [Index management policies](index-management.md) can be handled via plugins provided as part of the OpenSearch and Elasticsearch platforms, respectively. In addition to those tools, the `OPENSEARCH_INDEX_SIZE_PRUNE_LIMIT` variable in **`dashboards-helper.env`** defines a maximum cumulative that OpenSearch indices are allowed to consume before the oldest indices [are deleted]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/opensearch_index_size_prune.py), specified as either as a human-readable data size (e.g., `250G`) or as a percentage of the total disk size (e.g., `70%`): e.g., a value of `500G` means "delete the oldest OpenSearch indices if the total space consumed by Malcolm's indices exceeds five hundred gigabytes."

Similar settings exist on for managing disk usage [Hedgehog Linux](malcolm-hedgehog-e2e-iso-install.md#HedgehogDiskUsage).
Similar settings exist on for managing disk usage [Hedgehog Linux](malcolm-hedgehog-e2e-iso-install.md#HedgehogDiskUsage).
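Review bot: the only change in this hunk is the identical `Similar settings exist on for managing disk usage ...` line being removed and re-added (a trailing-newline change); since the line is being touched anyway, fix the stray "on" so it reads "Similar settings exist for managing disk usage on [Hedgehog Linux](malcolm-hedgehog-e2e-iso-install.md#HedgehogDiskUsage)."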
Original file line number Diff line number Diff line change
@@ -16,6 +16,7 @@ global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == true_r
global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS");
global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS");
global enip_ports_str = getenv("ZEEK_ENIP_PORTS");
global zeek_ja4_ssh_packet_count = (getenv("ZEEK_JA4SSH_PACKET_COUNT") == "") ? 200 : to_count(getenv("ZEEK_JA4SSH_PACKET_COUNT"));
global zeek_local_nets_str = getenv("ZEEK_LOCAL_NETS");

global disable_spicy_ipsec = (getenv("ZEEK_DISABLE_SPICY_IPSEC") == true_regex) ? T : F;
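Review bot: `to_count(getenv("ZEEK_JA4SSH_PACKET_COUNT"))` is applied with no validation, so an unparsable value or a `0` (which makes no sense for a "once every N packets" setting) goes straight into the redef, and `getenv()` is called twice on one line; the surrounding settings are read into `_str` globals and parsed later, so store this one as `zeek_ja4_ssh_packet_count_str` in the same style and reject empty, non-numeric and zero values where it is parsed, falling back to the 200 default.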
@@ -282,6 +283,7 @@ event zeek_init() &priority=-5 {
redef LDAP::default_capture_password = T;
@endif

redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = ja4_ssh_packet_count;
redef HTTP::log_client_header_names = T;
redef HTTP::log_server_header_names = T;
redef LDAP::default_log_search_attributes = F;
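Review bot: `redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = ja4_ssh_packet_count;` references `ja4_ssh_packet_count`, but the global declared in the earlier hunk of this file is `zeek_ja4_ssh_packet_count` (and the matching hunk in zeek/config/local.zeek uses `zeek_ja4_ssh_packet_count`); as written the right-hand side is an undeclared identifier, so the line should read `redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = zeek_ja4_ssh_packet_count;`.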
1 change: 1 addition & 0 deletions hedgehog-iso/interface/sensor_ctl/control_vars.conf
@@ -145,6 +145,7 @@ export ZEEK_DISABLE_ICS_PROFINET=
export ZEEK_DISABLE_ICS_PROFINET_IO_CM=
export ZEEK_DISABLE_ICS_S7COMM=
export ZEEK_DISABLE_ICS_SYNCHROPHASOR=
export ZEEK_JA4SSH_PACKET_COUNT=200
export ZEEK_SYNCHROPHASOR_PORTS=
export ZEEK_SYNCHROPHASOR_DETAILED=
export ZEEK_GENISYS_PORTS=
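Review bot: `export ZEEK_JA4SSH_PACKET_COUNT=200` hard-codes the value with no comment, while the equivalent line in config/zeek.env.example carries one; add the same comment here so the sensor operator knows what the number controls, and consider leaving it empty like the surrounding `ZEEK_*` exports so the local.zeek fallback (200) applies and the default lives in one place.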
2 changes: 1 addition & 1 deletion shared/bin/zeek_install_plugins.sh
@@ -121,7 +121,7 @@ ZKG_GITHUB_URLS=(
"https://github.com/corelight/zeek-xor-exe-plugin|master"
"https://github.com/corelight/zerologon"
"https://github.com/cybera/zeek-sniffpass"
"https://github.com/FoxIO-LLC/ja4"
"https://github.com/piercema/ja4"
"https://github.com/mmguero-dev/bzar"
"https://github.com/ncsa/bro-is-darknet"
"https://github.com/ncsa/bro-simple-scan"
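Review bot: replacing `https://github.com/FoxIO-LLC/ja4` with `https://github.com/piercema/ja4` switches the plugin source from the upstream vendor to a personal fork with no branch, tag or commit pin, so every build will fetch whatever that fork's default branch holds at build time; pin it (the `corelight/zeek-xor-exe-plugin|master` entry above shows the `|ref` syntax, and a tag or commit hash is a firmer pin than a branch name) and add a comment saying why the fork is needed (presumably the `FINGERPRINT::JA4SSH::ja4_ssh_packet_count` redef this commit relies on) so the entry can be switched back to upstream once that change lands there.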
2 changes: 2 additions & 0 deletions zeek/config/local.zeek
@@ -16,6 +16,7 @@ global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == true_r
global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS");
global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS");
global enip_ports_str = getenv("ZEEK_ENIP_PORTS");
global zeek_ja4_ssh_packet_count = (getenv("ZEEK_JA4SSH_PACKET_COUNT") == "") ? 200 : to_count(getenv("ZEEK_JA4SSH_PACKET_COUNT"));
global zeek_local_nets_str = getenv("ZEEK_LOCAL_NETS");

global disable_spicy_ipsec = (getenv("ZEEK_DISABLE_SPICY_IPSEC") == true_regex) ? T : F;
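Review bot: same inline double `getenv()` and unvalidated `to_count()` as in the other local.zeek copy in this commit; whichever form is settled on (a `_str` global parsed with a zero/non-numeric check and a 200 fallback), apply it to both files so the two copies stay identical.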
@@ -282,6 +283,7 @@ event zeek_init() &priority=-5 {
redef LDAP::default_capture_password = T;
@endif

redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = zeek_ja4_ssh_packet_count;
redef HTTP::log_client_header_names = T;
redef HTTP::log_server_header_names = T;
redef LDAP::default_log_search_attributes = F;
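Review bot: this hunk redefs from `zeek_ja4_ssh_packet_count`, the global declared in the earlier hunk of this file, which is the correct name; the other local.zeek copy in this commit uses the undeclared `ja4_ssh_packet_count`, so since these two files are kept in sync by hand, make that copy match this line.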

0 comments on commit 3ac7396