SSH: make banner parsing more robust

This change revamps SSH banner parsing. The previous behavior was both a bit too strict in some regards, and too permissive in other. Specifically, clients are now required to send a line starting with "SSH-" as the first line. This is in line with the RFC, as well with observed behavior. This also prevents the creation of `ssh.log` for non-SSH traffic on port 22. For the server side, we now accept text before the SSH banner. This previously led to a protocol violation but is allowed by the spec. New tests are added to cover these cases.
2025-10-02 06:38:20 +00:00 · 2025-03-13 15:14:12 +00:00 · 2025-03-13 15:14:12 +00:00 · 6023c8b906
commit 6023c8b906
parent 629f2bd03a
14 changed files with 142 additions and 10 deletions
--- a/testing/btest/scripts/base/protocols/ssh/http-port-22.test
+++ b/testing/btest/scripts/base/protocols/ssh/http-port-22.test
@ -0,0 +1,7 @@
+# Validate that a text-based protocol pn port 22 does not generate a ssh logfile.
+
+# @TEST-EXEC: zeek -r $TRACES/http/http-single-conn-22.pcap %INPUT
+# @TEST-EXEC: test ! -f ssh.log
+# @TEST-EXEC: btest-diff http.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-abspath | $SCRIPTS/diff-remove-timestamps" btest-diff analyzer.log
--- a/testing/btest/scripts/base/protocols/ssh/pre-banner.test
+++ b/testing/btest/scripts/base/protocols/ssh/pre-banner.test
@ -0,0 +1,11 @@
+# This tests a trace that has data before the banner.
+
+# @TEST-EXEC: zeek -r $TRACES/ssh/server-pre-banner-data.pcap %INPUT
+# @TEST-EXEC: btest-diff ssh.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff .stdout
+
+event ssh_server_pre_banner_data(c: connection, data: string)
+	{
+	print data;
+	}