From 6023c8b906877da8f81b0bab2c64d7fd697b47d3 Mon Sep 17 00:00:00 2001 
From: Johanna Amann
Date: Thu, 13 Mar 2025 15:14:12 +0000
Subject: [PATCH] SSH: make banner parsing more robust

This change revamps SSH banner parsing. The previous behavior was both a bit too strict in some regards, and too permissive in other. Specifically, clients are now required to send a line starting with "SSH-" as the first line. This is in line with the RFC, as well with observed behavior. This also prevents the creation of `ssh.log` for non-SSH traffic on port 22. For the server side, we now accept text before the SSH banner. This previously led to a protocol violation but is allowed by the spec. New tests are added to cover these cases.
---
 src/analyzer/protocol/ssh/events.bif | 13 ++++++-
 src/analyzer/protocol/ssh/ssh-analyzer.pac | 14 +++++--
 src/analyzer/protocol/ssh/ssh-protocol.pac | 14 ++++---
 .../analyzer.log | 11 ++++++
 .../conn.log | 11 ++++++
 .../http.log | 11 ++++++
 .../.stdout | 36 ++++++++++++++++++
 .../conn.log | 11 ++++++
 .../ssh.log | 11 ++++++
 .../Traces/http/http-single-conn-22.pcap | Bin 0 -> 14651 bytes
 .../Traces/ssh/server-pre-banner-data.pcap | Bin 0 -> 10593 bytes
 .../base/protocols/ssh/http-port-22.test | 7 ++++
 .../base/protocols/ssh/pre-banner.test | 11 ++++++
 .../external/commit-hash.zeek-testing-private | 2 +-
 14 files changed, 142 insertions(+), 10 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssh.http-port-22/analyzer.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssh.http-port-22/conn.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssh.http-port-22/http.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssh.pre-banner/.stdout
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssh.pre-banner/conn.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssh.pre-banner/ssh.log
 create mode 100644 testing/btest/Traces/http/http-single-conn-22.pcap
 create mode 100644
testing/btest/Traces/ssh/server-pre-banner-data.pcap
 create mode 100644 testing/btest/scripts/base/protocols/ssh/http-port-22.test
 create mode 100644 testing/btest/scripts/base/protocols/ssh/pre-banner.test

diff --git a/src/analyzer/protocol/ssh/events.bif b/src/analyzer/protocol/ssh/events.bif
index f075581689..296ef6281b 100644
--- a/src/analyzer/protocol/ssh/events.bif
+++ b/src/analyzer/protocol/ssh/events.bif
@@ -12,7 +12,7 @@
 ## ssh_capabilities ssh2_server_host_key ssh1_server_host_key
 ## ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
 ## ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
-## ssh2_gss_init ssh2_rsa_secret
+## ssh2_gss_init ssh2_rsa_secret ssh_server_pre_banner_data
 event ssh_server_version%(c: connection, version: string%);
 ## An :abbr:`SSH (Secure Shell)` Protocol Version Exchange message
@@ -336,3 +336,14 @@ event ssh2_gss_init%(c: connection, is_orig: bool%);
 ## ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
 ## ssh2_gss_init ssh2_rsa_secret
 event ssh2_rsa_secret%(c: connection, is_orig: bool%);
+
+## SSH servers can send textual data to the client before sending
+## a banner. The primary use case of this are error messages of TCP
+## wrappers.
+##
+## As this event happens before the SSH banner is exchanged, it is
+## possible that it contains data from different protocols; e.g. if
+## an SSH client connects to a non-SSH-server.
+##
+## .. zeek:see:: ssh_server_version
+event ssh_server_pre_banner_data%(c: connection, data: string%);
diff --git a/src/analyzer/protocol/ssh/ssh-analyzer.pac b/src/analyzer/protocol/ssh/ssh-analyzer.pac
index 917e432098..4d8d9cd28e 100644
--- a/src/analyzer/protocol/ssh/ssh-analyzer.pac
+++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac
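Review bot: The docstring for the new `ssh_server_pre_banner_data` event does not say how `data` is delimited or how often the event fires: the server-side record in ssh-protocol.pac is parsed `&oneline` and only leaves the version-exchange state once a `SSH-` line arrives, so the event appears to be raised once per line received before the banner rather than once for the whole pre-banner text (the pre-banner `.stdout` baseline prints one line per invocation). I would add `## c: The connection.` and `## data: One line of text the server sent before its SSH- banner; the event is raised once for each such line.` in the `## name:` parameter form Zeek's bif docs use. It would also help script writers to state explicitly that the content is not guaranteed to be SSH at all and should be treated as untrusted text before being logged or matched on.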
@@ -68,9 +68,17 @@ refine flow SSH_Flow += {
 function proc_ssh_version_server(msg: SSH_Version_Server): bool
 %{
- zeek::BifEvent::enqueue_ssh_server_version(connection()->zeek_analyzer(),
- connection()->zeek_analyzer()->Conn(),
- to_stringval(${msg.version}));
+ if ( ${msg.version}.length() > 0 )
+ {
+ zeek::BifEvent::enqueue_ssh_server_version(connection()->zeek_analyzer(),
+ connection()->zeek_analyzer()->Conn(),
+ to_stringval(${msg.version}));
+ }
+ else if ( ssh_server_pre_banner_data )
+ {
+ zeek::BifEvent::enqueue_ssh_server_pre_banner_data(connection()->zeek_analyzer(),
+ connection()->zeek_analyzer()->Conn(), to_stringval(${msg.nonversiondata}));
+ }
 return true;
 %}
diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac
index a7a4c044e1..f0f1f37d79 100644
--- a/src/analyzer/protocol/ssh/ssh-protocol.pac
+++ b/src/analyzer/protocol/ssh/ssh-protocol.pac
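Review bot: The new `else if` branch runs once for every line the server sends before its banner, and nothing in this change bounds how many such lines or bytes are accepted: as far as the diff shows, `update_state` is skipped while `version` is empty, so a non-SSH or misbehaving server can keep the flow in the version-exchange state indefinitely, with each line turned into a string value and an event. Consider counting pre-banner lines in the connection state and raising a protocol violation (or disabling the analyzer) once a modest, configurable limit is exceeded; that bookkeeping lives in the connection object outside this hunk. The pre-banner path is guarded on `ssh_server_pre_banner_data` being handled while the version path enqueues unconditionally; if that asymmetry is deliberate (avoiding the allocation for an unhandled event) a one-line comment such as `# only build the string if someone handles the event` would save the next reader a question. The second enqueue also splits its arguments differently from the first; one argument per line, as in the call above, keeps the style consistent.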
@@ -30,15 +30,19 @@ type SSH_Version_Switch(is_orig: bool) = case is_orig of {
 false -> server_version: SSH_Version_Server;
 };
+# SSH servers can have banners before their SSH version. Which... fun.
 type SSH_Version_Server = record {
- version : bytestring &oneline;
+ version: RE/(SSH-.*)?/;
+ # only UTF-8 data. This doesn't catch all bad cases, but some
+ nonversiondata: RE/([^[\xC0-\xC1]|[\xF5-\xFF]])*/;
 } &let {
- update_state : bool = $context.connection.update_state(KEX_INIT, false);
- update_version : bool = $context.connection.update_version(version, false);
-};
+ update_state : bool = $context.connection.update_state(KEX_INIT, false) &if(sizeof(version) > 0);
+ update_version : bool = $context.connection.update_version(version, false) &if(sizeof(version) > 0);
+} &oneline;
+# SSH clients _always_ have to send a line starting with SSH- first.
 type SSH_Version_Client = record {
- version : bytestring &oneline;
+ version : RE/SSH-.*/ &oneline;
 } &let {
 update_state : bool = $context.connection.update_state(KEX_INIT, true);
 update_version : bool = $context.connection.update_version(version, true);
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.http-port-22/analyzer.log b/testing/btest/Baseline/scripts.base.protocols.ssh.http-port-22/analyzer.log
new file mode 100644
index 0000000000..cf3e6e1aca
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssh.http-port-22/analyzer.log
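Review bot: The `nonversiondata` pattern does not appear to express what its comment says: inside a bracket expression `[` is an ordinary character, so `[^[\xC0-\xC1]` is a class that excludes `[`, 0xC0 and 0xC1, and the remaining `|[\xF5-\xFF]]` alternative matches a byte in 0xF5–0xFF only when it is followed by a literal `]`. If the RE engine parses it that way, a pre-banner line containing `[` (not unusual in wrapper or MOTD text) fails to match and becomes a protocol violation, while the intended rejection of 0xF5–0xFF bytes mostly does not happen; the added .stdout baseline contains no `[` and so would not catch this. The intended class is a single bracket expression: `nonversiondata: RE/[^\xC0-\xC1\xF5-\xFF]*/;`, and the comment above it should spell out the intent, e.g. `# reject bytes that can never occur in UTF-8 (overlong lead bytes C0/C1, F5-FF)`. The `SSH_Version_Client` record continues past the end of the hunk.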
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path analyzer
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts cause analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data
+#types time string string string string string addr port addr port string string
+XXXXXXXXXX.XXXXXX violation protocol SSH CHhAvVGS1DHFjwGM9 - 10.0.0.1 51889 192.168.0.1 22 Binpac exception: binpac exception: string mismatch at <...>/ssh-protocol.pac:45: \x0aexpected pattern: "SSH-.*"\x0aactual data: "GET / HTTP/1.1" -
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.http-port-22/conn.log b/testing/btest/Baseline/scripts.base.protocols.ssh.http-port-22/conn.log
new file mode 100644
index 0000000000..6745ee0868
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssh.http-port-22/conn.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 51889 192.168.0.1 22 tcp http 0.000260 18 12649 SF T T 0 ShADadFf 15 618 13 13169 - 6
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.http-port-22/http.log b/testing/btest/Baseline/scripts.base.protocols.ssh.http-port-22/http.log
new file mode 100644
index 0000000000..13af18bbf4
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssh.http-port-22/http.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path http
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
+#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.0.1 51889 192.168.0.1 22 1 GET - / - 1.1 - - 0 12632 200 OK - - (empty) - - - - - - FsaSIr11Ze8VUH5yPj - text/plain
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.pre-banner/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssh.pre-banner/.stdout
new file mode 100644
index 0000000000..cbab7d28c8
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssh.pre-banner/.stdout
@@ -0,0 +1,36 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ _____________ +< Hi stranger > + ------------- + \ \ + \ \_ + \ \\ + \ \\/\ + \ _\\/ + \ / -\ + \ / oo -\ + \ / \ + | ---\ -\ + \--/ \ \ + | -\ + \ -\ -------------\ /-\ + \ \-------/ ---/ \ + \ |\ \ + | / | | + \ | \ | + | / \ | + | / \ | + \ \ \| + - /--------\ | o + \+ +--------- \ | + | | | \ + | | \ | + | | | \ + | | \ | + \ | | | + | | \ \ + | | | | + +--+ ---+ +Habit is habit, and not to be flung out of the window by any man, but coaxed +down-stairs a step at a time. +\x09\x09-- Mark Twain, "Pudd'nhead Wilson's Calendar
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.pre-banner/conn.log b/testing/btest/Baseline/scripts.base.protocols.ssh.pre-banner/conn.log
new file mode 100644
index 0000000000..45467980dc
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssh.pre-banner/conn.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.2.1 55343 10.0.2.10 22 tcp ssh 0.201784 2869 4728 S1 T T 0 ShADad 21 3973 15 5516 - 6
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssh.pre-banner/ssh.log b/testing/btest/Baseline/scripts.base.protocols.ssh.pre-banner/ssh.log
new file mode 100644
index 0000000000..73274a934a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssh.pre-banner/ssh.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path ssh
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success auth_attempts direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key
+#types time string addr port addr port count bool count enum string string string string string string string string
+XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.2.1 55343 10.0.2.10 22 2 - 0 - SSH-2.0-OpenSSH_9.7 SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u5 aes192-ctr hmac-sha2-256 zlib@openssh.com sntrup761x25519-sha512@openssh.com ssh-ed25519 27:27:33:7a:1a:4f:46:b2:58:1c:04:c2:ad:6d:8a:86
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/http/http-single-conn-22.pcap b/testing/btest/Traces/http/http-single-conn-22.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..a450fefde2d83b7f357fe89ac81e9982e624b1c9
GIT binary patch
literal 14651
zcmeI3O-NK>6o$`CYBg~CnNox>u81*UjgHd5OfC{q2O_%IMASkMbR$DT2(>PP7D2l< zZK_RT8;f>P47EtYAhX3RqJkupAY8df!_Jv=KWDscX1>K;y~5{ZethSgbDztD-1$Dg zef}s)4P<_{wumD9;QRFLPI)fvujos86rJT?kv%j>l#sWbZkp?i@iWC4ioAbDEkwIk zTJ_>C{eGe;hpSU+t!0&y7QF+UGNUO+ zIVI<>|2oS09UTgEw4JhlooIM4?{>SneBSF$B~wn!iOHlA)z#J7<0ALCQLgU3R@ciZ z7yYG^uA0=aUtLpRQrjsfFK};uU2bnrk9+>Cl$V<*6sFuuQ`ZXP?NVxgb*Z%ua)SrC zRxb6rmO8{KbB(%!r8Yj+QfHqAN?kJz5Af$Yu`^@SV_2907ytucAUp=d0-mJ>oJq03 z%3rm>6$=YElg0x51F%4NXB}4$t)&YcK!?3d5iEd#@E8ya@Yb!$CcZj$jb*Z8fmbK=e}O;tDF->_xTZAl p#>2Fq6x@4O*_OC-?^!0xF4^=XrAt%xRj1V2(I!#mRJkKg`3L1BqNM-; literal 0 HcmV?d00001
diff --git a/testing/btest/Traces/ssh/server-pre-banner-data.pcap b/testing/btest/Traces/ssh/server-pre-banner-data.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3b74e2f5118b9f727571392fbb79fa059b81c6fe GIT binary patch literal 10593 zcmd^Fc|4Te+aLSBW~-F3w-}5qDv=Zli7cTQW^6HI8B3+2M@S)QC{ij>LYf|m$`-N~ z*&|t#P$`7ad+r$~Gt|@X`Tg;JKJR-zo$1`yxz6`m@9UiVzBN80UZ;mK!hSYJ7#+CK z45@dHmgj~UgE7=QZ_8w#`;0x|JaZ1s3frj<(*{JCHnW2hJB*$VboN#Sn2<*NZxq%U;|<@&4o56* z>~J{T7WALZ79!Eo>_|jfDw%Z&v#r9y1oZ+tTU!M(4wV1}aD||(pr8RV4o5RZ!h`r1 z+M;C;DG>Sr=8-H~j0w?g5eV{9vb{7*Ar5jQfl#ZoFg5=_831CTOf2>(nXEu7pTY|U zl!ZVkQd?{km##jtYJr0EA{0@WcG3rG$R|*hMASG@zv(P2Qm}TZjBme+- zev9!>ijckWUtuf+|MzkR2xJnJ zP|G!tV;f0(Tjl+qdmGIbst^0srff+h^t=n=Wf}Y4PuW6Wfc?!Jvasr3BKArF#IN6P zFGU=A#0~2J{(|}vpS>Wkk$fgV?XzB~1)tfZP<&u}0uAKgC@dO| z#o^(29NYl|cXIc|I>T|kcsR}pj(5Sp{avwWoIl**2w*${_dsFg;0|Ec5r+!EpxMC` z7U6?OxqAD+QDD=>c*0S5Fv7cfVC31^*boS~5z6~8e7`@+6|9sn@kOI$u`U=C8gA+8 z?t{b1`oMRf+%Z@*%9|7qmdF1t9=!#?d$ZGX6z|o8cvwO4nC;|-xdG2XeTnyM3G5{A zou=_#!GiY^M=9QO0N$%#dPq|8M8b734z4IHLTMu!CR=wig2O2coSP2009zIxeL=SNz6%mzg_XrnBZ5OOBa1-q zq=Bf-;P)v8d$GHh-6MDa57GyV_xAPNq=pPoQdLE2Abea+6XK^KDXXi{l2nzDa%fj4Csz!@ z1>^1xk`LkRjq~+HU;-RnpyM405kM`+gjAbXd-+-Q-_EKmAY%gX2v@8V4&f+w7!v?e z-P_d>k8nizDJm{@2XNX;U@8KGCcDHDg72WDYTqxmeA%CWI-}1kDv^pwvEc;%bP^SLeUdg zB1gFZN`spTj>7mLHGqM5Z#gg|SwbEnmDC~XAM!}Mc%U4~frk=*;R;C^DItJ#0QSd> ztB!(ui^>j&Acw_aF#zWGvw(rRL6yaEkQ+t>RR!v_Rgy7c&irSdS8?c}_Mvi;YI@9gM7 zyAHZFXvqHy@|t|1`%Fy*fx%O2NTNfw(M~Mfib@E`f?v-8(;};8Z1q0Qq z1FB-%0OAV<7;GBUL#Qt~Z4E^Yd@10OA;g2x{WrtZTtT=> znYX)3_e-#S)EMZg2_mBVzbNCSA~v0vb2XC)J(Ti-H)H&9M(Bo#_7xJE9Qgk5JM4X7 zJlYQ(J69xkO!{0H6Np}MJx+mP^G!a%Y38fXR9kuG@?M3H{*}L(am^`oi=XFJH$GLE zD0}40O6J--BF*t5?Xq;ipVKn)3af&iJzXc??XEw}H7oqRF|krYq=h|W{cC2!{kkSQ zV|UUccsAy;9|-z>bn0Eh+VZSmi*rxwqeS1HR*x{vQwZMAetJTtO{I~3KxM;cV=aCA z`vH~P?SiiKKJ+x(#Px9c_Hk!V?$mMK2Bwx%;&02;#1(GW2ymatrmK_W%lGUIuZ^ki zjp&#f@=8h5Ixu^3j5B7ne2EC=b}_St^42K0uA>3{ZOy5S08yBKNwhk>#IS 
z@8l>QXVPf6r11R*e0ZAM+*G(TRmQq=vREPIZW8NBSDa~dSs#Mo^b|%XVah^2Dm)Z_ zv~aq^|EliM_sYhKT;p9l1<%syg3Y%}Wa=1~5S8S*jQzZm)ds9yo-a^yuIk%NUv}WS zb}ZZOG34#jTV=FWgbE@&R8~F+z#$c08|6et_P>o*)N>0F$ZO(j4R~~pgAx9$ZOjex zk>yKXXuJMEbD3S(q&XL+OmAEL+t^R*ye_}!_7i8QuPv$K7BXmS5@`!C?hAcw>uWTC zGc36`OXPR1gKJ#sxp92#ikAatfivQJRoEMu-*2V;B7>Q_!sw(DPQ4K)*ogO{Is}n1EvHiM@vk9>`|t!6_#}%ni|BgT zvJs+q5El>SRGTLzHGe3ZX*cTO-zzRr&$RiKpXPN1FKz2#Bg8TF@l}-~eLf-bR_=1W zZ#RCenBlJwL(xx-kFIPQ{Wd$UzrUt@;JEk+*}x)^jW;TOcuUI{iy`d^bkZ)oYjcTQ zUqb7HzWao_^j514qgm1FW;rc4=KMrXb~0GUyt&Dnfv9y*O-Ise5h|j2XH$=UeiXpA zTk%P$ye>bFx3I|8-p#$R?LD8EW?G4YtCMpwk4bTvx7HhYZ_X+_61vs0-SlF9^Tu5v zf@cc{TY;b`w5LPxzMd009fmVdpAO$!XvCKagD(K% zt4>f(hgYC#2x?#r8#pn-ltJg9KBB;}JG1E`Z5lHM2NflM1ios}+PP(G0RMD>{u{VM zx9I0yuvlRqW87KiOJx%!6R8Bpoq5@@s+x@ZqL?bA5;|6-qeaD-xt$HvQD?UV$-8r1y_!*COwAmhF_7jUYSK1VOn6-y7ytkvu?}z%R zXzK`WS4uEZt}Sb-e=6|$)=5S~`z{@u7srjarl8h%j;5vEe5Mm!blwzSc5lOao{-U7 z;z*{X7}moLPm1+)*|;V5Ob{DCqGx5Oa__)N=8?TzA%ji}% z4XNF`v$;s|)A04ljVJbAe1IMjMTdxA`+)bg4Abq3^kGMu+|BY&te0}3Hw~O_nccx9 zbCG4^Fh`s1W)iOSueC?#4{|-K{j!?-xv#k>G_<-#z8&2T*WsM$dx!CQfnUF8pExhWa{5flt zWCO+#*33tQ2O-&ecc-I03**0Dc`Ml5_Brv|2&||ycuX*Nj{ZcopZY)`+?1h`U9w0b zMYBCa%4uWYdifDw;*;mRo-OVjMn!%)Vrvn6?C!}Qp7Kmq?h==1Ut{s0(9rVbA!5jc z41-JxLt6T)$Je7?7^^XqdWJuC=j3>UhM%gUcjA;~_**Y&x+B_T+6|~4;5ztE6b8rB7;ii&F*tG z^_vn8YfI%dHmDu^Qc`g%q(PQ1DQUII!M4(GK{XxgtDIKc>Udp~RKXCgJ;RbWRVUbD z*`R)Nx8lp9sIw1qS(~Lxn(lvlWqRapRcQr3>*SO4^>rpJ0of6?C7!v*C&pjx=d95j z@ioVt$*mCD+uS|pl$0gMucFg;7iF)vGIyf}Yw(7_-u3cgoRw(B97gBfM?MbU!m4xc zC7<#CV8wH&zDv5#cVoOx&X?MPPy6rwC1m$4yWgguz2J%X(-99I|4|*dQWd<(+w#q^ z!+Y4aH9g87geUo~tK|K`jQPY(-|igeB^&sS=UI2Z0U`M^t|)HmP|08GKWQEu5~wro z2taCi5LX4_W47n~HSoGMCC1o=o*A_@;)3tf@gJ-$Zk7-ER>qIVOEGgk!>>i1!W{1H z!0k*+6}s$Tr?JYR?7qSi55tnUi;U8t!{=5TO`58*yB|rY-R)qZExl6+5h}r!6SiyR z*6e8)!be=Xd8lwvdWBc!+0BvJY~6LYa|A?-FLUE7iyZcNZ1~>zx<=>2^mNu+ zmYPsuL*;et+553Z;*(ARs|#i7Ju+A9ReO+|vA-juyyxPx!N#Ks&wYpDbdPfw2~1Aj z;a+pZznZCf^CUw0qd)V71}%lismvARZ{vtAWa 
z4Z*9WqNDBAzXmetZSH@X(sZDMQG(OB{hV}jkj&-o?QVj1udJ*PwG+Ovfn(@Om}E}h zJ1*3%50GWH!Q@Zz|HsPz!y@Oe7eDIf~!OLWEqBBZk-jn1+QIv>4H(b*d4 z+#T85%Pq1md!KK(b&z_aswHj@xrV`n={_~$y(4hbC)430Kc zfe8gGo-hhr>l%i%H{GafU`8-HkW6oRX8VdQY^je&m5c97U@Jd9X~}NH0SE%r6wKAd%O7x%K0dR!-Es43HZP|qTn zJ|jhXWwNmT^DSpxMhNdOeN)|VsQSr1zu=tJiCHelZ)OQ+v~SzKU_@weiCYKW@e)#5 z<*+r##_Pn%+BF^mv$&CHifs%TrlZM+92_AkVj|r!y<{pF#&Ns@p%R+4sXr5Pux7z zv`aZ|Rbu+;&ei2t4EWU5M(|b;G zMG;M}3{I=0zS?5>_~AJPGH?tcKcZh%1m literal 0 HcmV?d00001
diff --git a/testing/btest/scripts/base/protocols/ssh/http-port-22.test b/testing/btest/scripts/base/protocols/ssh/http-port-22.test
new file mode 100644
index 0000000000..a2e6df25b9
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssh/http-port-22.test
@@ -0,0 +1,7 @@
+# Validate that a text-based protocol pn port 22 does not generate a ssh logfile.
+
+# @TEST-EXEC: zeek -r $TRACES/http/http-single-conn-22.pcap %INPUT
+# @TEST-EXEC: test ! -f ssh.log
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff analyzer.log
diff --git a/testing/btest/scripts/base/protocols/ssh/pre-banner.test b/testing/btest/scripts/base/protocols/ssh/pre-banner.test
new file mode 100644
index 0000000000..80f3d81a04
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssh/pre-banner.test
@@ -0,0 +1,11 @@
+# This tests a trace that has data before the banner.
+
+# @TEST-EXEC: zeek -r $TRACES/ssh/server-pre-banner-data.pcap %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff .stdout
+
+event ssh_server_pre_banner_data(c: connection, data: string)
+ {
+ print data;
+ }
diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index 48b931a063..70ddfe2829 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
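Review bot: The header comment of http-port-22.test has a typo (`pn port 22`); it should read `# Validate that a text-based protocol on port 22 does not generate an ssh logfile.`. Beyond that, the test pins the full violation text in the analyzer.log baseline, including the source location `ssh-protocol.pac:45`, and the canonifier only strips the absolute path, so any later edit to that file that shifts the line will break this baseline without any SSH behaviour having changed; a canonifier that also drops the `:NN` suffix (or a script-level check that the violation's `failure_reason` merely mentions the expected pattern) would make the test less brittle.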
@@ -1 +1 @@
-296a3b2bfd36a74c8aa22f175cea4c00a9f4d079
+2fa4bd6a18c376c64629a6d5679c230423f60913