Project

General

Profile

Actions
Copy link

Task #3485

closed

Research: check SSH parsing end of banner

Added by Philippe Antoine almost 5 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

Follows conversation on https://github.com/OISF/suricata/pull/4546#discussion_r378704002

I am not sure that SSH parser should accept single CR as end of banner, but that is what is being done by the C parser.
This is enforced by the unit tests :
https://github.com/OISF/suricata/blob/master/src/app-layer-ssh.c#L2222

This is something to test against real implementations.

OpenSSH does not accept CR as end of banner :
https://github.com/openssh/openssh-portable/blob/master/ssh_api.c#L345
It only accepts LF and CRLF

Related issues 1 (0 open1 closed)

Related to Suricata - Feature #3445: Convert SSH parser to RustClosedPhilippe AntoineActions
Actions
Copy link

Also available in: Atom PDF