From 30da2f83d0928f42f8ab505385539e4c2132933b Mon Sep 17 00:00:00 2001
From: Jon Siwek
Date: Tue, 3 Sep 2019 17:34:24 -0700
Subject: [PATCH] GH-566: fix cases where ssh_encrypted_packet event wasn't raised When encrypted data was bundled within the same segment as the NewKeys message, it wasn't not reported via a ssh_encrypted_package event as it should have been.
---
 src/analyzer/protocol/ssh/SSH.cc | 43 ++++++++++++----
 src/analyzer/protocol/ssh/SSH.h | 2 +
 src/analyzer/protocol/ssh/ssh-protocol.pac | 27 +++++++++-
 .../client.out | 18 +++++++
 .../server.out | 46 ++++++++++++++++++
 ...ient_sends_first_enc_pkt_with_newkeys.pcap | Bin 0 -> 8803 bytes
 ...rver_sends_first_enc_pkt_with_newkeys.pcap | Bin 0 -> 13838 bytes
 .../ssh_segmented_encryption_transition.zeek | 21 ++++++++
 8 files changed, 147 insertions(+), 10 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssh.ssh_segmented_encryption_transition/client.out
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssh.ssh_segmented_encryption_transition/server.out
 create mode 100644 testing/btest/Traces/ssh/ssh_client_sends_first_enc_pkt_with_newkeys.pcap
 create mode 100644 testing/btest/Traces/ssh/ssh_server_sends_first_enc_pkt_with_newkeys.pcap
 create mode 100644 testing/btest/scripts/base/protocols/ssh/ssh_segmented_encryption_transition.zeek
diff --git a/src/analyzer/protocol/ssh/SSH.cc b/src/analyzer/protocol/ssh/SSH.cc
index be4a8e6e2c..6f468fe441 100644
--- a/src/analyzer/protocol/ssh/SSH.cc
+++ b/src/analyzer/protocol/ssh/SSH.cc
@@ -18,6 +18,7 @@ SSH_Analyzer::SSH_Analyzer(Connection* c)
 had_gap = false;
 auth_decision_made = false;
 skipped_banner = false;
+ saw_encrypted_client_data = false;
 service_accept_size = 0;
 userauth_failure_size = 0;
 }
@@ -56,16 +57,12 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 if ( interp->get_state(orig) == binpac::SSH::ENCRYPTED )
 {
- if ( ssh_encrypted_packet )
- BifEvent::generate_ssh_encrypted_packet(interp->bro_analyzer(), interp->bro_analyzer()->Conn(),
- orig, len);
-
- if ( ! auth_decision_made )
- ProcessEncrypted(len, orig);
-
+ ProcessEncryptedSegment(len, orig);
 return;
 }
+
+ interp->clear_encrypted_byte_count_in_current_segment();
+
 try
 {
 interp->NewData(orig, data, data + len);
@@ -74,6 +71,14 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 {
 ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
 }
+
+ auto encrypted_len = interp->get_encrypted_bytes_in_current_segment();
+
+ if ( encrypted_len > 0 )
+ // We must have transitioned into the encrypted state during this
+ // delivery, but also had some portion of the segment be comprised
+ // of encrypted data, so process the encrypted segment length.
+ ProcessEncryptedSegment(encrypted_len, orig);
 }
 void SSH_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
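Review bot: In the second hunk, the fall-through after `ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));` now reaches `get_encrypted_bytes_in_current_segment()`, so a delivery that aborted inside `NewData` can still raise `ssh_encrypted_packet` and run `ProcessEncrypted` with whatever byte count was accumulated before the exception; whether that can happen in practice is not clear from these hunks, but the partial count seems unlikely to be meaningful, so consider adding `return;` after the `ProtocolViolation` call (the `catch` line itself lies between the two hunks). The counter cleared by `clear_encrypted_byte_count_in_current_segment()` in the first hunk is a single per-connection value rather than one per direction, which works because each call handles one direction, but a short comment there would save the next reader that check, e.g. `// Per-connection counter; reset so it only reflects this delivery.`. DeliverStream starts before the first hunk and both hunks belong to it.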
@@ -83,11 +88,31 @@ void SSH_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 interp->NewGap(orig, len);
 }
+void SSH_Analyzer::ProcessEncryptedSegment(int len, bool orig)
+ {
+ if ( ssh_encrypted_packet )
+ BifEvent::generate_ssh_encrypted_packet(interp->bro_analyzer(),
+ interp->bro_analyzer()->Conn(),
+ orig, len);
+
+ if ( ! auth_decision_made )
+ ProcessEncrypted(len, orig);
+ }
+
 void SSH_Analyzer::ProcessEncrypted(int len, bool orig)
 {
- // We're interested in messages from the server for SSH2
- if ( ! orig && (interp->get_version() == binpac::SSH::SSH2) )
+ if ( interp->get_version() != binpac::SSH::SSH2 )
+ return;
+
+ if ( orig )
+ saw_encrypted_client_data = true;
+ else
 {
+ // If the client hasn't sent any encrypted data yet, but the
+ // server is, just ignore it until seeing encrypted client data.
+ if ( ! saw_encrypted_client_data )
+ return;
+
 // The first thing we see and want to know is the length of
 // SSH_MSG_SERVICE_REQUEST, which has a fixed (decrypted) size
 // of 24 bytes (17 for content pad-aligned to 8-byte
diff --git a/src/analyzer/protocol/ssh/SSH.h b/src/analyzer/protocol/ssh/SSH.h
index 236fa70a8b..5d7195ca5c 100644
--- a/src/analyzer/protocol/ssh/SSH.h
+++ b/src/analyzer/protocol/ssh/SSH.h
@@ -31,12 +31,14 @@ namespace analyzer {
 binpac::SSH::SSH_Conn* interp;
 void ProcessEncrypted(int len, bool orig);
+ void ProcessEncryptedSegment(int len, bool orig);
 bool had_gap;
 // Packet analysis stuff
 bool auth_decision_made;
 bool skipped_banner;
+ bool saw_encrypted_client_data;
 int service_accept_size;
 int userauth_failure_size;
diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac
index b0caebc740..b35fa9b655 100644
--- a/src/analyzer/protocol/ssh/ssh-protocol.pac
+++ b/src/analyzer/protocol/ssh/ssh-protocol.pac
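Review bot: `ProcessEncryptedSegment` is added without a comment on its definition here or on its declaration in the SSH.h hunk, and the `// We're interested in messages from the server for SSH2` comment that headed `ProcessEncrypted` is removed rather than moved, so the intent of the new `if ( orig ) ... else` split is only implied by structure. Suggest above the SSH.cc definition `// Accounts for len bytes of encrypted data from direction orig: raises ssh_encrypted_packet and, until the auth decision is made, hands the length to ProcessEncrypted.` and, next to `bool saw_encrypted_client_data;` in SSH.h, `// Set once encrypted SSH2 data from the client has been seen; server-side encrypted data is ignored by ProcessEncrypted until then.`. ProcessEncrypted continues beyond the end of this hunk.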
@@ -9,9 +9,15 @@
 # - Encrypted messages have no usable data, so we'll just ignore them as best we can.
 # - Finally, key exchange messages have a common format.
+type EncryptedByte(is_orig: bool) = record {
+ encrypted : bytestring &length=1 &transient;
+} &let {
+proc: bool = $context.connection.inc_encrypted_byte_count_in_current_segment();
+};
+
 type SSH_PDU(is_orig: bool) = case $context.connection.get_state(is_orig) of {
 VERSION_EXCHANGE -> version : SSH_Version(is_orig);
- ENCRYPTED -> encrypted : bytestring &length=1 &transient;
+ ENCRYPTED -> encrypted : EncryptedByte(is_orig);
 default -> kex : SSH_Key_Exchange(is_orig);
 } &byteorder=bigendian;
@@ -265,6 +271,7 @@ refine connection SSH_Conn += {
 int state_up_;
 int state_down_;
 int version_;
+ int encrypted_bytes_in_current_segment_;
 bool kex_orig_;
 bool kex_seen_;
@@ -276,6 +283,7 @@ refine connection SSH_Conn += {
 state_up_ = VERSION_EXCHANGE;
 state_down_ = VERSION_EXCHANGE;
 version_ = UNK;
+ encrypted_bytes_in_current_segment_ = 0;
 kex_seen_ = false;
 kex_orig_ = false;
@@ -288,6 +296,23 @@ refine connection SSH_Conn += {
 kex_algs_cache_.free();
 %}
+ function clear_encrypted_byte_count_in_current_segment() : bool
+ %{
+ encrypted_bytes_in_current_segment_ = 0;
+ return true;
+ %}
+
+ function inc_encrypted_byte_count_in_current_segment() : bool
+ %{
+ ++encrypted_bytes_in_current_segment_;
+ return true;
+ %}
+
+ function get_encrypted_bytes_in_current_segment() : int
+ %{
+ return encrypted_bytes_in_current_segment_;
+ %}
+
 function get_state(is_orig: bool) : int
 %{
 if ( is_orig )
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.ssh_segmented_encryption_transition/client.out b/testing/btest/Baseline/scripts.base.protocols.ssh.ssh_segmented_encryption_transition/client.out
new file mode 100644
index 0000000000..a63128853a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssh.ssh_segmented_encryption_transition/client.out
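Review bot: The three accessors added in the last hunk are named inconsistently: `clear_encrypted_byte_count_in_current_segment` and `inc_encrypted_byte_count_in_current_segment` say `byte_count`, while the getter is `get_encrypted_bytes_in_current_segment`; settling on one form (e.g. `get_encrypted_byte_count_in_current_segment`) would keep the trio greppable together, though the SSH.cc callers would then need the same rename. The new `int encrypted_bytes_in_current_segment_;` member in the `@@ -265` hunk has no comment although its scope is subtle — it is a single per-connection counter, bumped once per byte by `EncryptedByte` for either direction and, as far as these hunks show, reset only from the analyzer — so suggest `// Bytes parsed in the ENCRYPTED state since SSH_Analyzer last cleared the count; meaningful only within a single delivery.`. Since `EncryptedByte` is instantiated once per encrypted byte (`&length=1`), the `&let` adds a function call per byte of ciphertext; that matches the pre-existing one-byte PDU, but it is worth knowing if this path is ever profiled. `EncryptedByte` also accepts `is_orig` without using it, which deserves a short note in the record if it is kept for uniformity with the other PDU types.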
@@ -0,0 +1,18 @@
+0, T, 64
+1, F, 64
+2, T, 80
+3, F, 80
+4, T, 272
+5, F, 48
+6, T, 80
+7, F, 528
+8, F, 64
+9, T, 176
+10, F, 160
+11, F, 736
+12, F, 96
+13, T, 64
+14, F, 64
+15, F, 64
+16, F, 48
+17, F, 128
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.ssh_segmented_encryption_transition/server.out b/testing/btest/Baseline/scripts.base.protocols.ssh.ssh_segmented_encryption_transition/server.out
new file mode 100644
index 0000000000..4cc3555cc0
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssh.ssh_segmented_encryption_transition/server.out
@@ -0,0 +1,46 @@
+0, F, 172
+1, T, 44
+2, F, 44
+3, T, 68
+4, F, 52
+5, T, 148
+6, F, 28
+7, T, 112
+8, F, 500
+9, F, 44
+10, T, 460
+11, F, 108
+12, F, 100
+13, F, 36
+14, F, 36
+15, F, 76
+16, F, 36
+17, F, 84
+18, F, 36
+19, F, 84
+20, F, 36
+21, F, 36
+22, F, 36
+23, F, 92
+24, F, 36
+25, F, 108
+26, F, 36
+27, F, 68
+28, F, 36
+29, F, 36
+30, F, 68
+31, F, 36
+32, F, 68
+33, F, 36
+34, F, 36
+35, F, 68
+36, F, 36
+37, F, 92
+38, F, 36
+39, F, 100
+40, T, 36
+41, F, 44
+42, F, 36
+43, F, 140
+44, T, 36
+45, T, 60
diff --git a/testing/btest/Traces/ssh/ssh_client_sends_first_enc_pkt_with_newkeys.pcap b/testing/btest/Traces/ssh/ssh_client_sends_first_enc_pkt_with_newkeys.pcap new file mode 100644 index 0000000000000000000000000000000000000000..4bbf12d87abed6c0e91e8458ea8e5446a949f363 GIT binary patch literal 8803 zcmds6c|26#`@aUmj4g#Mg~(FPVC+;F%2rw1RF*Nu7K33dA+qLENsEdsl_HdEX_qZ! z$)1vkL=mBo^uhPsDW5*ZG_T)(zwhgNUmkPrIrqNL^E~h8yzjX)ZIy+W5fB^n`(T4u zz{%C4WZTw$Hb@_|VYAu^EmuQuLUQxo=A6)01f+`h)`P;45QK&hd}Y_QSVs*YA-vKJ zM;Ix*LK0%{g&+hQdoc?uD<=yJ8v;fg_{aur0^_j##9F}J3PBij5d`TW-R)sC7!?v4 zHDK4NW&x-~hvoD0Lkd3;e|jf0$Ofqc9M~36et8E$@^~MH-Vp&F!eZIX82gK#D02`y zWDgKvTjG%=x|rsX7M({3*dq(!`T5S%5M*s_j8#@p!kT-N$e?Ynp`h-KlicM9Sr9}j#h;|CriRnP`nnR7)zmRddh|Tp z9DRLV6}%`e7!uLRm3ASP?B?s|4PQ^!rJ|`y-=(IE!#KG)JG+svt|Si+PXZb1Lh+({ zV@ZKTR|46Ev@kWJi*V}js2Wb0Ap}m7>8L7GWZEbWBnJ<|!%}<+7+|zJu<(5UocxM% zVeFsC;k!sqwB!L04-gCZQ&z%ydwB%mRFu^8yg)6&nIn36VhAK(oU$gC=trS7wUif{ z0DYkeU*JOYq`wcog0B1jVZIksPXZCEu8Jl3E%uPs54%o3;0oUWR}~hH;LoEV*?%0x zEgAXc#-b!GxUi^m(e#+#XE3)5XE6K!vw;bcy~rfYA+UV^ofi=C9|yqLq61bRXLWX{ z8YmBJ^a9Uz7w^kZE5q1zYJoIQokWvhK(^y-0%Z0|<(Q3VB=s!n6QOTe0Z<>_|1zyv zBuI=k3-^DK6j(Zxl~ifk1d9ha#VINOlpDq}1}_u17We#1Q(zfgqB-<^zvOn&b+Fzp zC>s3f?ZooTO5r3b+_!OeE7nK4h?pG6t%l|?E7Z+5A zCWyZ^=ywaNrT+88(@E{0Ugq+-R3H~-!2z@->PZ^}==1|1zyIa#iT@+M4QXG6r7VpqrpSx|=<73~Q6=manw-k8o#X=-|4o%d!`y9$7QY=Mfolp0|v+guu z8o^y!1a^yeg|rBCX%XbnW(EIXEKfUj2npUdV58q*LeuDbFqYd1hFD;SY50|f^^j8n ze5wHB`j?7-=glA9zQ)^| z+VCzrpeB2r!u`ko`!3fa$IF}LRz0~FTkPIp_t6u%GD|GvbW;xM=2ioqq7^NgY8{>* zyP6y?6P+m+Mt_hYaSOGXHXZ?tnguW<1}lP71EmI z5SQ1`$@ZZ%_+;`YLD5~?VJ}Q~BbmKI`ZLV)Nswn>i)E8x@GE2%K#8(KGGi-<35xJ! 
z7|d4HrxKytMg?kb3oyfG51OS3yEbJyOeA=-Yj#zagf?}Jt@RSyC*nCUnp$?>>5}8< zkH*yvhd5hslBMdF9gz*mGUPoJFAwgy^=w+p)b%D0!CnPhBbmJimeMl3moCG;fUUPM zTT^ojY{6Jrw!b4>!d4*qF%64@Ar@fk3s|MkU!|IIOI4h^aW3kwPZb$m>))_6R=(RD zvYs?x?bR1=P{57%6Sq-u)^4;`-+4A3_qXYw@I?F8RQ@Ur%ZFG=tQSvh?KYjbbP+>L z^Hce~jJXv|*V?t9mNiYH&B`GFtXm+|;w z?My?p+R#deV`Xe-9@MB7_vVdFcdS@HWWBut$?_`yTvY$8+~+KWMR?Jj&!*8{gs&_mC-dqe03K;a( zHa%dK?wZ?oCghlKdp~h#wCG6W1nT(O-33*w)NbX6&}A-Fo7->SzMI(0qWxU`OjO1G zTh58W*R;(?_sf_ct8LBE3wj>iv-h)fVz-x<_PwIRr#tSVYwz)|HTE=JKW3q^%dLAj zOll;%3h%r#CpFT<>FDw*T2@(@R$n=-Vs_D0OeJ2aa1^e-$+U&)gRv43BO}Ha16E@$Op!A`N+$`9mB)&|2wbOLQ#+*0#rUQ`n)1E z(N!>(t3E?4kXHflV6jT5tBxSO# z2G8MWG)LzltJaN%{Zr*1h&#Go3x5vg5X}@q`SPt>6DKARmn-;Ad1(5Z-f`QbkB6*n zeBw>0>py>=n)`M)GUc_5MT~y*d5MVZ!Zk-5k}rk^JCiDP!??Zb(lb0J?(o=WTIak1;< zv$^Wvzx#yY!Quc*`%1B7o3e2^!VljR`6gdPcYF7Ql&I__WTV(kf$lelY%`T5IxgV0yk8a}<( zjcA}8cPDDKu?W{X`44UhY#&e9Qy_b!Bg^K~aPf+rt6v<2E41@4irJI>39Ul;7gtpS zE3HC7Rb5Sipv=tjGu=jWueZmF@O5mBkB#6ryY+oQ9*1V*e{HPm`se|g@POM6kyFtZ zca88;`TW;<-E~?A2bwqYB6x*MD|=xt1jA6wo(+c?t==NAgK99aST^kqKiOdvg>V!! 
z0G14FOElmWK8y*9@U%BF8iM*y9?f>SeAFgzB(vu47a#n0qs7D(QeN(}eYoymLPwli z#Jt_)3+s(&K}@x7`TjJotwpUnOll-WjnTOgy?4L!Y94HBv?s_kiA%)|w3tcSoG=>v zX1E(+-R8Mw<{Wi)Fw9<}I;C}cpt;elv)B}j=<>eTsRxqpmyh!wHP{s8d*<602UMhe zT(Ia~&O*;vq!0Ck-&y&T+I-FCFIEPqNZiw|g7d7CmXV$t9)Bs^!bO0i7C3@pwsWYa zF=#=@paEczrrlo_Y0P943Tg-0gN1k|H0 zeQj}nyV4`>FV3j?@2M{k5-;U&?zeU}X&o0H`qHZ0h|2I!xpt7d#v!frUP2aki(PDF z9G}UVh|{a)9qUw4SLZ5y>e&t-7U*=|q=GATvX;MLBoGm@dt%c1M0k>TytzIHoUsjw zC`gDEq8WXZteog)aFi}&x+wc-83R#1-J6XMH`-zs z8Fnu`wCHxAfN-C=&*cJ{p8k$zeu?lE5*=6cz21IDbPT8GA1~Ld`fz$2RqIdQv4(4I zoM+9P;>59s=TSpK*P;W1oZ45e%#0X}L&@6Awatz$??8tNt>n#V=e>LH!1<_ZkBw6W zdo1PDpXVjjvphg}vf#x0%9rmKN>Cgk8bln-xtv#jZDm+R=Nir6!eHk&Hh*t3j46KP zpJy879xEy{?Yxd8ⅇr-F1-Pv7gIyxD6T8Epa%g{CcEQLhv0VOM>%@s|Zaun^^Ol z!K^iVWYL=F9Y<3-#br&@uj!E8UsA8DDU2*<)9r4lSCF?Z*||BCsh1)`2SQiijVKPnwX38Ce1J09nNkztDSO;GUJ_SlY4@@ z5m+VapwwYoqNeiraE59Mc2v!a_UmlZDCitOfQ^2wK}XRwG({O%yw;k*&Jw5-SZm-n zLrB=slEwDsn}%>Da^Fa|Nhn0246NSOn|BiT;HAIIk+f@<;!3dkgZHP(I>q?&p4}R% zXf^9Ma?w!d++4q}9lNiheM7%(Zn5ZLp1;OEaxfI=j5{qrnck}+3&Boh?jnFJ*GR)IpklGB@WIGtMCYh@yO zSO5CVv}$yN{bt=)r1^W+`{N_l1C^2_n;8Dj>8b1kU>X3~P*{01XhTdDD}l$+f$aYgs5wTj3kwO(~i z1IoA8=3S0%c8H0uPK3R%X70svninWKFNm~=fET7AfStH}Y7dGvl9I#thKm?R2&;SaoE zvL2!sv0JRjuG5kMYGm0$jrjRjhXLE z&j}eu#g{yJ&(q{ChCaVlqOHY!eNXr|BaXifyVNJ&<2D+47S?dj-gd{7Knlg1JQqCpw-%9*>{Hp z1|9`6MTud8!v7n^HHhgdYohUJxHzM&)*z!w@G2VyHT&~`*+C>R#cHNuZDokX53s;0 X{Eejxu$bg1mSJ>C>^iMG7jpC;tE?%P literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/ssh/ssh_server_sends_first_enc_pkt_with_newkeys.pcap b/testing/btest/Traces/ssh/ssh_server_sends_first_enc_pkt_with_newkeys.pcap new file mode 100644 index 0000000000000000000000000000000000000000..9fbad53f0828ae4cce01ee6f865d8053cc3ae4d0 GIT binary patch literal 13838 zcmeHOc{o+;zhCB%F*6ma-9(0v3`J2gG>K4V+dRu$L?UB@F(T4HLZX43RHinPgp>v$ zQ-nw;y6?MK+qMt;`Q1P6bD!rv_kGTL&bIgRnZDokUCZJ$mEX&tMre`wMT<~@FC=5^ zj0YajAe!Jc+@xz6qK+U+xLg%Pg`S5c5J9Nmj#of<6bKg$;F0Onw{Oo#A_z6@-?y~X z%a{T-9Yf!zqM>1c$m0}|5dCXhPd<=N$~@&cxUk1blVm=S1DmV3s2`0p5ii|=zk@*Y-M4B)FyzM zf|-2O%nFQ}#LR9oGmzRCBJQrGWCnK^B69aFiui9c#{Vrd`vCRQW(dP*j;}H5xg2+c z9D|oKqfZ)s(V9w_c? z=W)Un9#8hxR(Tonw`8TI#H{SBt?lsQws=QJCv#_U8+R8^S8=?LrLDQM4IZOj>>w#Q z_^GUv^r8?_@{~SZK(M$5DH)37=%-R*c%KvEcFxu=;+7yYQQ+9a9Q`(83gVV{_Y>k? zl2R%zp!s21mM%^(hXn_MZ2q$YL1O>efpY~QXZaU1ECEm@j<=ev^`dg&0qy{5$q(ng zTMQlqyG0z9h4=;3G6w-V))ABz{39(X?&{*`E45Wpc0n}ecn>LQd2!1V?qcxec4_P- zK*3(Z18gjv$iELBLH73l0$;PIlewk1oQydB#6pGW`%pUh2e$AV(Ac1Zr9TCsF8Qg{ zzdo6hu^=Q&!h$y!(2LD~1#5_XB?W@~KWj|D*~J+z<_D(Pf?VJmz&7Pi!2zTTUT$>3 zgr+d_N6?wyfKBN6nV-;jnw?IMVGXe@*!ROEdpJ8t5Qh)wxkMKfnGp z%*e+#HsI#QAOQLQA-D7x`~M+FybmCb*Z=wH&AsT51FgE`2c(k*zJ{|cw}l3A2e08K zUFgpRR=9g`5^=XCo!XnVHUg`Btko zjpt+f^OW4ben+6<%2YU%U@F!CdWIFj% zNx{9VXFmAxbC#-s}^V8@l;pb8yrMj%bB=|uMzqQvnj&K#L(*#`De>{=*&A4>(iaq=I5S%Ain(+ ztLSEH#Ui7S?R%oSrlq|qW(1_qZdI5uY@k+mZ}HLpaG(E*o#Lyy8|KAr5mnvhEk=_6 zJbNF|TCX@VzR~roe!%g2Sv!<(MNazUgoOT#uk^Y{yHlPj#M zY~O|K1bxRzc2$oB3=R-+9YAyjRB)3nRI?eb2-VzyA`0XUZRNoH#Ie zGLY`(Kdr`b_hKA>s7xj#G_b7uCe+~{obgAgm3Gq3RmjAcKNqrZq3q`;>ZcB4C-Jjm z5kIjI(VU_m!Z?a}bx}lcX3miLnL4}gPSUHwNLkN{of>I3FPB(KuU3f4-Z3_#$!J;T z-~Bl*ReZPLRilK5GeM9&8nB0g7~v*eXqrB_`)Ha3jD0T69Ux5yv;!O$rdgmY>=b*l zc+JbwTc3`Y3JR8fqZ!D)N-uOY{I3$>d*7|Se{TfUs$^e3Ezz*QB#zHF?RE5djr8}D z0@=KSJ{JeGTvKG!pemW`w1^jw12^eHRoN1Lp_wFLs^(I509_Ldr`61HqN;dUW4fyh zIUAqsViT~FGfqzVsGcCM5#duV^GEQzIY)wOSyP{SLSv%}ZL*%h!;3+I%E4;}cJM$I zVteT*^e*lJRKc?xQ!$qfcxDiC6+DITA-N-c0#w9H1H?@Sn2{D>2yW7a`g(zTh^Fnm 
zC?Y)HN-1f|!l?P|>vJVqkwtDf@X4IdlOTO~+MN=eAY?n*JN44a_J$KC# zF6egFXywJ2$=>7jLn4BWht9M1(X*eoikR-)^0~6@TK$z5EXAFJ?#nsa)@dMrD}49U z7$zzT9N2!t?a{F8K(Dh(^6{fWm2a$79x%T;y#fC+g*HJlXYgr9LF=S{aQ&oBG~MKm zKenQTdtLetFRUblHY%`s}KgxCaTOR5*1)kg_0@+Riwxxe=z&%2%M7*-iRw;=GRO#`;D&ZlU zC`7CUi1&bSxJehP|2nQ1tJePz&&E$CB%B0cbfaRc4U;W_= zHmWgxAJ+CQtKxHyP5T`%Llfwop^dZP=Q8?h{+FjyNIQ(V^~>eU(7`vhP%x$J=Q|g#1vA+S5StDnh#a_ofSYu|OsF>yrXZs0n?(^pO_7yYCe~6A zk!h=n61zZ7aMS&)h}2)_t#L<gR40-Wjr_^L}hNP=hZ0Des;sp?)5Q|EQM{=DYmWWSF84W9Tf5c}li*Tc} zPut=7O1jW9O9oeho~z5SE}A>DLbEkP^TD}#ZoV(Aj|FV9mV$^10CDNN0m5&z(~~j8 z*-j75M>`$P8sgOxMLhOxm0ONqTx^MgeywmsC`)g{NL`Q}Lz%7puE+InJI}Cn8(cS) zc=tZ|%KD=`kbMtjKaWvA3>Z6!pSDH(9D|560Ff1(V{nr$kPtgHf-8lHT$>g}NEAI=ZeqG3!b54faJFIGDS45KYWh=ba`{;|-aT4vmwE`NZ8B(3 z?Ngb@eC%o1F{@>GkzSt)wP!z)liuTx?HO(vkR)u4cMk7nagSAIHqP#9&sZi(NOL;c zZ8X?_Ia4&dPwC+v2l?z@9rBV~ zv&rxiLz#<#@?EL6VU;azs~&nBZ!2i9ZMDl?o@;jMtq7f5t^4{RKKFxl3Zh0|-Og?b ze#Rx^v^A_WI7WUYOSu%+t=GRSs?G@RyJV*zB>O=4!#(rbnr_}hGY!cZk9Mde>3P}} zx#@h@>AA~hD(~60e~L$tE3}~GmgIDyh)sGFU;ZbnP!;WUga;;mMrAX{TBgtUv#e&y zd1{d=ynIa{OTj_6u1x)(X)2RG(P^1y*YD#Dt~TC$@ci(K)8z?1iShzMnbVEC%lNto zDW%FvbR~`Ax;e&lViV5sOlJ)3WJHwn-c3jAY5JBkyI=4wPqNrqm@sPe(BTrx=BZ^x z^{l;IGi#DA{_#w$=h9cvpV}5PRA0{K^lGL%^W?2ik&mACYB9=!7gw(-P|N!vrF15F zB+aa--0)X&_GIx$BkT?)P+xfNEPnnF{-E7niFL&y!p{j0Oe1&a9xt>vVcefHzN4tO znC7)=3Y(2qM$6YPDwn6z?g-p#ar4s%#A|m}@~wUTgzI^l00X1j>Eg@ho^Rk;{`tk` z4{hQ07E(G&bl1eK!i>*->dXpC>P!6nDEk}2s!?+i=3zL6AUA<*xJehPK8Y}csz0z$ zeb`UyPcJ*)+$E`ACWoDrPJlb_tB+4{bX~vT(jC~ z`r5JdioEmMe7l};W!6B|?m+btRb)qGaQ{Hn+&?kZvr{AaaJFVx4%yUzs*giNmEQJ~ByOn+sz_U5j%X~(ybz*nvC_;Qmk2iE>$6Zv`8+H{xU7;p?ET zZbY;4TF)-WLyQ)XwGgmUNbd=n-WbM8lHTYd=@~;rhCc`r17d@lbfM{;uAxGGSYe2B z>5US7oLHFNhg8$mHbQZF4UP>NQCa6y2G`}j+uY0WhUb8+1WVqQw^AS4LR^UZN24uYiSSh4j zhNe7>5s(!JSSh6U98GT+VRt`Q6JhE;#_(uL?0o<$pGtNl4RBDw6(MD(sP2A@y~;NJy#iL8gNSC zdn492JYK&s^rCe}aNP#o&bo1l+ljZ$x!*X6>Y1mo~a?*G&M>c9mZ8*?cqZ&A$we||CbL+eU)S6wr* zkTbe9snedfdH1=u$?1OUuNV2eINDI5)*l%9xrcu{^VO$^XQmDwZobxOCHza*n@QGm 
zf6I@pVcG+)>eKtiE)#6B!kvb9C&*8p>VkQ&Q&FtKa#Vc~nffrIda^3)OOSDkvyx31 zN5&Kx!wp9c+{twKojTm_N&Qvh+5L7?53^f6kW~b*Qm8@&T7~ZzD@hf|@7&PLAYuVP z3ZqWCt-}y8u%g$1mxZkv0E$D6Dre|CC z2V^wxuP&Ybh;TPu7q5RRncSQ(%;sjiPJLBgw`j4yiFxj*O$jT#pY?L6ikX^Xx~!|a`|WWgv8b@QS?RP2 z1N&ap6`Tq<>3w0H602aDpH_am4rHwYtQ2a>j&es(BFpUzZ@UHy*NhP!W z4Vwe)_cZp9M8`RgF_lw+c;n08>ShuKyzGnnFY?8j4-Qf%-g&A|A$ zcW_J0i*4BLL`K^ig$WJXkhKi3Qb?B*Wj#j53Z5>{-4Bzc zd+5>l%G(l$&6|qR_k5Xu97pRV3+lE|u;oT8ineKz;gQh;!+7 z5`B`TD@F(IbGp}IYp`t-AcK73K=b(=w%B)-{tM5YA zD2An2*_)qar@TM0Zp^SM-!IStrK|Ta_b-EfW{&Dx{wwRH4+@0k zeJGIrlB{^iTKw**PXPlCPfxLm6&SzZYoaOGlq2So#Ph48Z?8*cOY+vQ(5DMfWevtW z+@uSg_69XPs4C*`e`aeM!_qSgOVHHS@X5sm`aa-(S2@C;W^I z3H$B%!uE_iWDNwY6w)Q2>5}~+FMQq*6}wcr0|1f29UCv|V+U5RIUlh^AM1}>ht+H+mV3HZ#l|$yDF{|q77h9)z28yWEJTd-@qRY{cF%uOq~x^ z>q(||v8x%XR(oH@Z==jFT^@-)`MYYvpP9F$24{pit2O`T$uC04s&m zYtYntG1mE>jwZjFK~^(}=+{I=;b~V5Kk7pUL!3=Ldj4t_MZ8ytgNVrB`{puzey+&% zfopK=H%1Nq${uxVw~bjTlbNQuJ5*~8*L}}phDRE5`CD3&_PnH}SO#?e(RwIC>?|`w+r4N7F@DRBT3x8sRO0|- z*8=Pmy6GkA`76dgm!em;W_0Gl6jAm{h!`_ODa9H=)Q>xcIOivm=!ZCqW)Y3+?dv37 zexq)c)O_bkYaV~>UUcuPsvg~Jw;26e+~oe`T^GC{YaC#u;G-V((S@;+_^4jW2i-6= zQV)hH+@uSgsZVQ!P#=sK;+&6aqK~2lb*ZfM@OCb<>3w0IUKLZ*U#rnP65w5S)|i2p zrto+`=a=#b-%`y)%l^$b^83AP3Wh6>aVd?fChx`n{Gfk>mqqF)%d=e$+vv1UbmMk5 zPP7R8E*i2vaM?b>ykR8HaZn;J*0@5AJHq$RUD3%kw{D(nqx#Xg<}nw(PC#a$=!I8^ zp83!f@61s?T`M*=`$U)*6L3c%uUBYZotV4%ykg+9ip%p){O9Yw9Uv}!4Z<~`h))(p z;bF+pgeGs zF0@LnxYsD_4Kmi`Y)#+;vRW;y(ubT-14h>9*R}W*4Yk!Hkz)frpGx12AS3#n4x>Il z_KYY|{mGO#&#&KJ-X8BU>SLVzDzbDN;pxokzEr5@DCJZeQ8i?LkC)tns^M5X)!0!= zb*fnj5#8f3f3sZ}1D^oBUHF?B`zkOU(DPH3b;-Yn2EQe!S%o6TE{ezjp5PJx? 
client.out
+# @TEST-EXEC: zeek -b -C -r $TRACES/ssh/ssh_server_sends_first_enc_pkt_with_newkeys.pcap %INPUT > server.out
+# @TEST-EXEC: btest-diff client.out
+# @TEST-EXEC: btest-diff server.out
+
+@load base/protocols/ssh
+
+global pkts: count = 0;
+redef SSH::disable_analyzer_after_detection = F;
+
+event ssh_encrypted_packet(c: connection, orig: bool, len: count)
+ {
+ print pkts, orig, len;
+ ++pkts;
+ }