Feature #7103
openssh: extra fields and keywords
Description
Consider adding more ssh protocol fields (to the existing ssh protocol logging) and ssh keywords (to the rules for matching) to be able to match on such cases as described in the blog here:
https://corelight.com/blog/newsroom/news/zeek-metadata-ssh-terrapin
- Message authentication
- Encryption
- Key Exchange
- Compression
This is good both for detection and audit of networks traffic
VJ Updated by Victor Julien almost 2 years ago
- Subject changed from ssh extra fields and keywords to ssh: extra fields and keywords
VJ Updated by Victor Julien almost 2 years ago
- Related to Feature #4148: Research: SSH Support for additional protocol analysis added
VJ Updated by Victor Julien almost 2 years ago
- Related to Feature #5734: ssh: add frame support added
LS Updated by Lukas Sismis almost 2 years ago
- Status changed from New to Feedback
More info is needed what is required, is it the textual representation of the individual fields?
JL Updated by Jamie Lavigne 8 months ago
Searchable keyword: protolog
JL Updated by Jamie Lavigne 6 months ago
Much of the SSH handshake data (cipher, mac, compression, kex) algorithms for client & server is already supported and output by enabling hassh. The remaining bits that are not covered by HASSH as far as I can tell are the hostkey and hostkey algorithm. Maybe this ticket could be scoped to cover those.