Feature #7103
open
ssh: extra fields and keywords
Added by Peter Manev over 1 year ago.
Updated 3 months ago.
Description
Consider adding more ssh protocol fields (to the existing ssh protocol logging) and ssh keywords (to the rules for matching) to be able to match on such cases as described in the blog here:
https://corelight.com/blog/newsroom/news/zeek-metadata-ssh-terrapin
Mainly:
- Message authentication
- Encryption
- Key Exchange
- Compression
This is good both for detection and audit of network traffic
- Subject changed from ssh extra fields and keywords to ssh: extra fields and keywords
- Related to Feature #4148: Research: SSH Support for additional protocol analysis added
- Status changed from New to Feedback
More info is needed on what is required: is it the textual representation of the individual fields?
Searchable keyword: protolog
Much of the SSH handshake data (cipher, mac, compression, and kex algorithms for client & server) is already supported and output by enabling hassh. The remaining bits that are not covered by HASSH as far as I can tell are the hostkey and hostkey algorithm. Maybe this ticket could be scoped to cover those.
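The fields the ticket asks about (kex, encryption, MAC and compression name-lists) all arrive in one message, SSH_MSG_KEXINIT, and the HASSH values mentioned in the comment above are an MD5 over four of those lists. The block below is an added example for this thread, not Suricata's SSH parser or any of its rule keywords: it builds and parses a KEXINIT packet as laid out in RFC 4253, derives the HASSH string and hash for either direction, and reports which Terrapin-relevant algorithms one side offers, including the strict-kex markers OpenSSH added as the countermeasure. The sample offers are constructed, not captured traffic, and the Terrapin check describes what one side offered, not what the connection negotiated, since that needs both KEXINITs.

```python
"""SSH_MSG_KEXINIT parser exposing the handshake algorithm lists.

Added example for this thread, not Suricata's SSH parser or rule engine.
Layout follows RFC 4253 (binary packet, section 6; KEXINIT, section 7.1).
Sample packets below are constructed, not captured traffic.
"""
import hashlib
import struct

SSH_MSG_KEXINIT = 20
NAME_LISTS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Pseudo-algorithms OpenSSH advertises in the kex list to signal strict kex,
# the Terrapin (CVE-2023-48795) countermeasure; "c" for client, "s" for server.
STRICT_KEX = ("kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com")


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Wrap ten name-lists into an unencrypted SSH binary packet (block size 8)."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in lists:
        s = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    body += b"\x00" + b"\x00\x00\x00\x00"   # first_kex_packet_follows, reserved
    pad = 8 - (len(body) + 5) % 8          # pad to a multiple of 8, at least 4 bytes
    if pad < 4:
        pad += 8
    return struct.pack(">IB", 1 + len(body) + pad, pad) + body + b"\x00" * pad


def _name_list(buf, off):
    """Read one RFC 4251 name-list (uint32 length + comma-separated names)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("name-list runs past payload")
    raw = buf[off:off + n].decode("ascii")
    return ([] if raw == "" else raw.split(",")), off + n


def parse_kexinit(packet):
    """Return the KEXINIT name-lists (plus first_kex_follows) from a raw packet."""
    if len(packet) < 5:
        raise ValueError("packet too short")
    packet_len, pad_len = struct.unpack_from(">IB", packet, 0)
    if 4 + packet_len > len(packet) or pad_len + 1 > packet_len:
        raise ValueError("bad packet or padding length")
    payload = packet[5:4 + packet_len - pad_len]
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off, fields = 17, {}                   # skip msg type + 16-byte cookie
    for name in NAME_LISTS:
        fields[name], off = _name_list(payload, off)
    if off >= len(payload):
        raise ValueError("truncated KEXINIT")
    fields["first_kex_follows"] = bool(payload[off])
    return fields


def hassh_algorithms(fields, server=False):
    """HASSH input string: kex;enc;mac;comp for the chosen direction."""
    d = "s2c" if server else "c2s"
    return ";".join(",".join(fields[k])
                    for k in ("kex", f"enc_{d}", f"mac_{d}", f"comp_{d}"))


def hassh(fields, server=False):
    """HASSH (client) or HASSHServer fingerprint: MD5 of the algorithm string."""
    return hashlib.md5(hassh_algorithms(fields, server).encode()).hexdigest()


def terrapin_exposure(fields, server=False):
    """What one KEXINIT offers that matters for Terrapin: offered, not negotiated."""
    d = "s2c" if server else "c2s"
    enc, mac = fields[f"enc_{d}"], fields[f"mac_{d}"]
    return {
        "strict_kex": STRICT_KEX[1 if server else 0] in fields["kex"],
        "chacha20": "chacha20-poly1305@openssh.com" in enc,
        "cbc_etm": any(c.endswith("-cbc") for c in enc)
                   and any(m.endswith("-etm@openssh.com") for m in mac),
    }


# Constructed sample offers (not captured): a modern client with strict kex,
# and a legacy client offering CBC + EtM without it.
MODERN_CLIENT = build_kexinit([
    ["sntrup761x25519-sha512@openssh.com", "curve25519-sha256", "ext-info-c",
     "kex-strict-c-v00@openssh.com"],
    ["ssh-ed25519", "rsa-sha2-512"],
    ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr"],
    ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr"],
    ["umac-128-etm@openssh.com", "hmac-sha2-256"],
    ["umac-128-etm@openssh.com", "hmac-sha2-256"],
    ["none", "zlib@openssh.com"], ["none", "zlib@openssh.com"], [], [],
])
LEGACY_CLIENT = build_kexinit([
    ["diffie-hellman-group14-sha1", "curve25519-sha256"],
    ["ssh-rsa"],
    ["aes128-cbc", "aes128-ctr"], ["aes128-cbc", "aes128-ctr"],
    ["hmac-sha1-etm@openssh.com", "hmac-sha1"],
    ["hmac-sha1-etm@openssh.com", "hmac-sha1"],
    ["none"], ["none"], [], [],
])

if __name__ == "__main__":
    for label, pkt in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        f = parse_kexinit(pkt)
        print(label, hassh(f), terrapin_exposure(f))
```

The hostkey list the comment says HASSH does not cover is parsed here too (`fields["hostkey"]`), which is exactly the algorithm list a log field or keyword for it would carry; the host key itself only appears later, in the KEXDH reply, so it is not recoverable from KEXINIT alone.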