Project

General

Profile

Actions
Copy link

Feature #7103

open

ssh: extra fields and keywords

Added by Peter Manev over 1 year ago. Updated 15 days ago.

Status:
Feedback
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Consider adding more ssh protocol fields (to the existing ssh protocol logging) and ssh keywords (to the rules for matching) to be able to match on such cases as described in the blog here:
https://corelight.com/blog/newsroom/news/zeek-metadata-ssh-terrapin

Mainly:
  • Message authentication
  • Encryption
  • Key Exchange
  • Compression

This is good both for detection and audit of networks traffic

Related issues 2 (1 open1 closed)

Related to Suricata - Feature #4148: Research: SSH Support for additional protocol analysisNewCommunity TicketActions
Related to Suricata - Feature #5734: ssh: add frame supportClosedPhilippe AntoineActions
Actions
Copy link
 #1

Updated by Victor Julien over 1 year ago

  • Subject changed from ssh extra fields and keywords to ssh: extra fields and keywords
Actions
Copy link
 #2

Updated by Victor Julien over 1 year ago

  • Related to Feature #4148: Research: SSH Support for additional protocol analysis added
Actions
Copy link
 #3

Updated by Victor Julien over 1 year ago

Actions
Copy link
 #4

Updated by Lukas Sismis over 1 year ago

  • Status changed from New to Feedback

More info is needed what is required, is it the textual representation of the individual fields?

Actions
Copy link
 #5

Updated by Jamie Lavigne 3 months ago

Searchable keyword: protolog

Actions
Copy link
 #6

Updated by Jamie Lavigne 15 days ago

Much of the SSH handshake data (cipher, mac, compression, kex) algorithms for client & server is already supported and output by enabling hassh. The remaining bits that are not covered by HASSH as far as I can tell are the hostkey and hostkey algorithm. Maybe this ticket could be scoped to cover those.

Actions
Copy link

Also available in: Atom PDF