Feature #4148
openResearch: SSH Support for additional protocol analysis
Description
Chris G:
Is there any additional work we can do in SSH protocol analysis? Corelight's article on SSH Inference was very interesting, though I'm not sure how well it works in reality. https://corelight.blog/2019/11/19/corelight-ssh-inference-package/
This could extend to other protocols
Updated by Jeff Lucovsky almost 5 years ago
- Related to Task #4097: Suricon 2020 brainstorm added
Updated by Victor Julien almost 5 years ago
- Subject changed from Research: Support for additional protocol analysis to Research: SSH Support for additional protocol analysis
- Assignee set to Community Ticket
- Target version set to TBD
I think we first need a description of what is missing and could be added to our SSH parser and/or detection.
Updated by Victor Julien over 1 year ago
- Related to Feature #7103: ssh: extra fields and keywords added
Updated by Victor Julien 26 days ago
Might be interesting to explore @Pierre Chifflier's https://github.com/rusticata/ssh-parser work for this.
Updated by Jamie Lavigne 17 days ago
I don't think this is covered by hassh; as I understand it, this task is intended to cover inference of additional information that is not directly visible. There is real security value in derived data like auth success/failure, number of auth attempts, auth method (password/keys) and the like, based on metadata analysis of packet size & timing. The Corelight article above has other examples.
Searchable keyword: protolog
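The kind of derived data discussed in the comment above (auth attempt count, outcome, method guess), sketched as an added example. This is not Suricata code and not Corelight's package; it is a stand-alone heuristic run over constructed per-packet metadata (direction, size, timestamp) of the encrypted traffic that follows NEWKEYS. The thresholds, the treatment of the first tiny client request as an OpenSSH-style "none" method probe, and the sample traces are all assumptions made for illustration.

```python
"""Heuristic SSH authentication inference from packet metadata only.

Added example, not Suricata's parser and not Corelight's package.
Input is the stream of encrypted SSH packets after NEWKEYS; nothing is
decrypted.  Signals used (all hypothetical thresholds, tuned only to the
constructed samples below; a real detector would tune per cipher/MAC and
SSH implementation):

  * every client->server packet in this phase is treated as a
    USERAUTH_REQUEST, the next server->client packet as its reply;
  * a very small first request is assumed to be the "none" method probe
    that OpenSSH clients send to learn the allowed methods, and is not
    counted as a credential attempt;
  * a request large enough to carry a key blob and signature is guessed
    to be publickey, otherwise password;
  * USERAUTH_SUCCESS has a 1-byte payload while USERAUTH_FAILURE carries a
    name-list, so a small reply that is immediately followed by a client
    burst (channel open) is read as success.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Pkt:
    ts: float    # seconds, relative to NEWKEYS
    c2s: bool    # True = client->server
    size: int    # on-the-wire SSH packet length (ciphertext)


@dataclass
class AuthInference:
    attempts: int = 0
    methods: List[str] = field(default_factory=list)
    failure_ts: List[float] = field(default_factory=list)
    success: Optional[bool] = None      # None: no attempt seen at all
    success_ts: Optional[float] = None


# Hypothetical thresholds (assumptions, see module docstring).
NONE_MAX_REQ = 64       # "none" probe: user name + method name only
PUBKEY_MIN_REQ = 300    # publickey request: key blob + signature
SUCCESS_MAX_REPLY = 64  # SUCCESS (tiny) vs FAILURE (method name-list)
BURST_GAP = 0.05        # seconds: automated channel open after success


def infer_auth(pkts: List[Pkt]) -> AuthInference:
    """Walk request/reply pairs and derive attempt count, method, outcome."""
    res = AuthInference()
    n = len(pkts)
    i = 0
    while i < n:
        req = pkts[i]
        if not req.c2s:            # stray server packet, skip it
            i += 1
            continue
        j = i + 1                  # locate the server reply to this request
        while j < n and pkts[j].c2s:
            j += 1
        if j >= n:
            break                  # request without reply: undecidable
        reply = pkts[j]
        if req.size <= NONE_MAX_REQ:
            i = j + 1              # method probe, not a credential attempt
            continue
        res.attempts += 1
        res.methods.append("publickey" if req.size >= PUBKEY_MIN_REQ else "password")
        nxt = pkts[j + 1] if j + 1 < n else None
        if (reply.size <= SUCCESS_MAX_REPLY and nxt is not None
                and nxt.c2s and nxt.ts - reply.ts <= BURST_GAP):
            res.success = True
            res.success_ts = reply.ts
            break                  # session phase starts; stop counting
        res.failure_ts.append(reply.ts)
        i = j + 1
    if res.success is None and res.attempts > 0:
        res.success = False
    return res


# Constructed sample traces (not captured data), as (ts, c2s, size).
def _trace(rows):
    return [Pkt(ts, c2s, size) for ts, c2s, size in rows]

# Human retyping a password: probe, one failure, then success + channel open.
SAMPLE_PASSWORD_RETRY = _trace([
    (0.000, True, 44), (0.010, False, 84),
    (2.500, True, 76), (2.520, False, 84),
    (6.100, True, 76), (6.115, False, 36),
    (6.120, True, 100), (6.130, False, 68),
])
# Key-based login succeeding on the first real attempt.
SAMPLE_PUBKEY = _trace([
    (0.000, True, 44), (0.010, False, 84),
    (0.030, True, 420), (0.045, False, 36),
    (0.050, True, 100), (0.060, False, 68),
])
# Password guessing that never succeeds; the trace ends after the third reply.
SAMPLE_BRUTE = _trace([
    (0.000, True, 44), (0.010, False, 84),
    (0.200, True, 76), (0.220, False, 84),
    (0.400, True, 76), (0.420, False, 84),
    (0.600, True, 76), (0.620, False, 84),
])

if __name__ == "__main__":
    for name, trace in (("retry", SAMPLE_PASSWORD_RETRY),
                        ("pubkey", SAMPLE_PUBKEY), ("brute", SAMPLE_BRUTE)):
        print(name, infer_auth(trace))
```

The per-attempt failure timestamps are kept so a rate-based brute-force check can be layered on top without re-walking the packets. Success deliberately requires both a small reply and the immediate client follow-up: a small reply alone at the end of a trace is not enough evidence and is scored as a failure, which is the conservative choice for an alerting use.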