Project

General

Profile

Actions
Copy link

Feature #7103

open

ssh: extra fields and keywords

Added by Peter Manev 3 months ago. Updated 3 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Consider adding more ssh protocol fields (to the existing ssh protocol logging) and ssh keywords (to the rules for matching) to be able to match on such cases as described in the blog here:
https://corelight.com/blog/newsroom/news/zeek-metadata-ssh-terrapin

Mainly:
  • Message authentication
  • Encryption
  • Key Exchange
  • Compression

This is good both for detection and audit of networks traffic

Related issues 2 (1 open1 closed)

Related to Suricata - Feature #4148: Research: SSH Support for additional protocol analysisNewCommunity TicketActions
Related to Suricata - Feature #5734: ssh: add frame supportClosedPhilippe AntoineActions
Actions
Copy link
 #1

Updated by Victor Julien 3 months ago

  • Subject changed from ssh extra fields and keywords to ssh: extra fields and keywords
Actions
Copy link
 #2

Updated by Victor Julien 3 months ago

  • Related to Feature #4148: Research: SSH Support for additional protocol analysis added
Actions
Copy link
 #3

Updated by Victor Julien 3 months ago

Actions
Copy link
 #4

Updated by Lukas Sismis 3 months ago

  • Status changed from New to Feedback

More info is needed what is required, is it the textual representation of the individual fields?

Actions
Copy link

Also available in: Atom PDF