make SSH analyzer robust to half-duplex connections

Vern Paxson 2024-05-04 09:47:52 -07:00 committed by Tim Wojtulewicz
parent 29f5a49baf
commit a0888b7e36
12 changed files with 170 additions and 26 deletions


@ -37,6 +37,7 @@ type SSH_Key_Exchange(is_orig: bool) = record {
key_ex: case $context.connection.get_version() of { key_ex: case $context.connection.get_version() of {
SSH1 -> ssh1_msg : SSH1_Key_Exchange(is_orig, packet_length); SSH1 -> ssh1_msg : SSH1_Key_Exchange(is_orig, packet_length);
SSH2 -> ssh2_msg : SSH2_Key_Exchange(is_orig, packet_length); SSH2 -> ssh2_msg : SSH2_Key_Exchange(is_orig, packet_length);
default -> terminate : bytestring &restofdata &transient;
}; };
} &length = $context.flow.get_kex_length($context.connection.get_version(), packet_length); } &length = $context.flow.get_kex_length($context.connection.get_version(), packet_length);
@ -381,32 +382,32 @@ refine connection SSH_Conn += {
} }
} }
if ( version_server_ == version_client_ ) if ( version_server_ == version_client_ )
{ {
// SSH199 vs SSH199 -> 2 // SSH199 vs SSH199 -> 2
if (version_server_ == SSH199 ) if (version_server_ == SSH199 )
version_ = SSH2; version_ = SSH2;
else else
version_ = version_server_;
}
// SSH1 vs SSH2 -> Undefined
else if ( version_client_ == SSH1 && version_server_ == SSH2 )
version_ = UNK;
// SSH2 vs SSH1 -> Undefined
else if ( version_client_ == SSH2 && version_server_ == SSH1 )
version_ = UNK;
// SSH199 vs SSH2 -> 2
else if ( version_client_ == SSH199 && version_server_ == SSH2 )
version_ = version_server_;
// SSH2 vs SSH199 -> 2
else if ( version_client_ == SSH2 && version_server_ == SSH199 )
version_ = version_client_;
// SSH1 vs SSH199 -> 1
else if ( version_client_ == SSH1 && version_server_ == SSH199 )
version_ = version_client_;
// SSH199 vs SSH1 -> 1
else if ( version_client_ == SSH199 && version_server_ == SSH1 )
version_ = version_server_; version_ = version_server_;
}
// SSH1 vs SSH2 -> Undefined
else if ( version_client_ == SSH1 && version_server_ == SSH2 )
version_ = UNK;
// SSH2 vs SSH1 -> Undefined
else if ( version_client_ == SSH2 && version_server_ == SSH1 )
version_ = UNK;
// SSH199 vs SSH2 -> 2
else if ( version_client_ == SSH199 && version_server_ == SSH2 )
version_ = version_server_;
// SSH2 vs SSH199 -> 2
else if ( version_client_ == SSH2 && version_server_ == SSH199 )
version_ = version_client_;
// SSH1 vs SSH199 -> 1
else if ( version_client_ == SSH1 && version_server_ == SSH199 )
version_ = version_client_;
// SSH199 vs SSH1 -> 1
else if ( version_client_ == SSH199 && version_server_ == SSH1 )
version_ = version_server_;
return true; return true;
%} %}
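Review bot: The new `default -> terminate : bytestring &restofdata &transient;` arm in `SSH_Key_Exchange` is undocumented, and it is taken whenever the connection version is neither SSH1 nor SSH2; per the second hunk that covers the explicit SSH1-vs-SSH2 and SSH2-vs-SSH1 assignments of `version_ = UNK`, not only half-duplex captures. Sessions with disagreeing banners presumably failed the parse at this point before and would now be consumed silently, so an anomaly a monitoring deployment cares about may no longer surface; consider raising a weird where `version_ = UNK` is assigned for the mismatch cases, or confirm one is already raised elsewhere. At minimum add a comment above the arm, e.g. `# Version unknown (one direction unseen or banners disagree): consume the payload rather than fail the parse.` The function containing the version comparison starts outside the second hunk, so how `version_` is initialised when only one banner is seen cannot be checked from here.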


@ -0,0 +1 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.


@ -0,0 +1,35 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.79 51880 131.159.21.1 22 tcp - 3.435401 2493 0 S0 T F 0 SAD 19 3493 0 0 -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.1.79 51880 131.159.21.1 22 tcp - 1.025500 176 0 SH T F 0 DAF 6 488 0 0 -
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 192.168.2.1 57189 192.168.2.158 22 tcp - 0.098697 4453 0 S0 T T 0 SAD 21 5557 0 0 -
XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 192.168.2.1 57189 192.168.2.158 22 tcp - 1.381169 800 0 SH T T 0 DAF 17 1684 0 0 -
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 192.168.2.1 57191 192.168.2.158 22 tcp - 3.862306 576 0 SH T T 0 SADF 23 1784 0 0 -
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 192.168.2.1 56594 192.168.2.158 22 tcp - 4.320795 428 0 S0 T T 0 SAD 13 1116 0 0 -
XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 192.168.2.1 56594 192.168.2.158 22 tcp - 1.689473 52 0 SH T T 0 DAF 4 260 0 0 -
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.2.1 56821 192.168.2.158 22 tcp - 1.106422 820 0 SH T T 0 SADF 26 2184 0 0 -
XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 192.168.2.1 56837 192.168.2.158 22 tcp - 1.080790 692 0 SH T T 0 SADF 25 2004 0 0 -
XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 192.168.2.1 56845 192.168.2.158 22 tcp - 1.302572 660 0 SH T T 0 SADF 26 2024 0 0 -
XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 192.168.2.1 56875 192.168.2.158 22 tcp - 3.431977 484 0 S0 T T 0 SAD 12 1120 0 0 -
XXXXXXXXXX.XXXXXX CFLRIC3zaTU1loLGxh 192.168.2.1 56875 192.168.2.158 22 tcp - 6.130941 104 0 SH T T 0 ADF 7 468 0 0 -
XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 192.168.2.1 56878 192.168.2.158 22 tcp - 3.629091 684 0 SH T T 0 SADF 25 1996 0 0 -
XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 192.168.2.1 56940 192.168.2.158 22 tcp - 0.104996 500 0 SH T T 0 SADF 14 1240 0 0 -
XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 192.168.2.1 57831 192.168.2.158 22 tcp - 2.758921 576 0 SH T T 0 SADF 23 1784 0 0 -
XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 192.168.2.1 59246 192.168.2.158 22 tcp - 3.076782 3049 0 SH T T 0 SADF 32 4725 0 0 -
XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 192.168.1.32 41164 128.2.10.238 22 tcp - 4.616008 5335 0 S0 T F 0 SAD 20 6383 0 0 -
XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 192.168.1.32 41164 128.2.10.238 22 tcp - 1.029134 752 0 SH T F 0 DAF 12 1376 0 0 -
XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 192.168.1.32 33910 128.2.13.133 22 tcp - 1.910986 6471 0 SH T F 0 SADF 33 8195 0 0 -
XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 192.168.1.32 41268 128.2.10.238 22 tcp - 2.710803 5613 0 SH T F 0 SADF 24 6869 0 0 -
XXXXXXXXXX.XXXXXX C1Xkzz2MaGtLrc1Tla 192.168.1.31 52294 192.168.1.32 22 tcp - 3.660293 3729 0 SH T T 0 SADF 36 5613 0 0 -
XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 192.168.1.31 51489 192.168.1.32 22 tcp - 4.927993 4029 0 SH T T 0 SADF 42 6249 0 0 -
XXXXXXXXXX.XXXXXX CLNN1k2QMum1aexUK7 192.168.1.32 58641 131.103.20.168 22 tcp - 0.587625 2885 0 SH T F 0 SADF 16 3725 0 0 -
XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 192.168.1.32 58646 131.103.20.168 22 tcp - 2.236752 4477 0 SH T F 0 SADF 179 13793 0 0 -
XXXXXXXXXX.XXXXXX CGLPPc35OzDQij1XX8 192.168.1.32 58649 131.103.20.168 22 tcp - 2.066453 4477 0 SH T F 0 SADF 183 14001 0 0 -
#close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1,30 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success auth_attempts direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key
#types time string addr port addr port count bool count enum string string string string string string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.79 51880 131.159.21.1 22 - - 0 OUTBOUND SSH-2.0-OpenSSH_5.9 - - - - - - -
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 192.168.2.1 57189 192.168.2.158 22 - - 0 - SSH-2.0-OpenSSH_6.2 - - - - - - -
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 192.168.2.1 57191 192.168.2.158 22 - - 0 - SSH-1.5-OpenSSH_6.2 - - - - - - -
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 192.168.2.1 56594 192.168.2.158 22 - - 0 - SSH-1.5-OpenSSH_5.3 - - - - - - -
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.2.1 56821 192.168.2.158 22 - - 0 - SSH-1.5-OpenSSH_6.2 - - - - - - -
XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 192.168.2.1 56837 192.168.2.158 22 - - 0 - SSH-1.5-OpenSSH_6.2 - - - - - - -
XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 192.168.2.1 56845 192.168.2.158 22 - - 0 - SSH-1.5-OpenSSH_6.2 - - - - - - -
XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 192.168.2.1 56875 192.168.2.158 22 - - 0 - SSH-1.5-OpenSSH_6.2 - - - - - - -
XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 192.168.2.1 56878 192.168.2.158 22 - - 0 - SSH-1.5-OpenSSH_6.2 - - - - - - -
XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 192.168.2.1 56940 192.168.2.158 22 - - 0 - SSH-1.5-OpenSSH_6.2 - - - - - - -
XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 192.168.2.1 57831 192.168.2.158 22 - - 0 - SSH-1.5-OpenSSH_6.2 - - - - - - -
XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 192.168.2.1 59246 192.168.2.158 22 - - 0 - SSH-2.0-OpenSSH_6.2 - - - - - - -
XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 192.168.1.32 41164 128.2.10.238 22 - - 0 OUTBOUND SSH-2.0-OpenSSH_6.6p1-hpn14v4 - - - - - - -
XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 192.168.1.32 33910 128.2.13.133 22 - - 0 OUTBOUND SSH-2.0-OpenSSH_6.6p1-hpn14v4 - - - - - - -
XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 192.168.1.32 41268 128.2.10.238 22 - - 0 OUTBOUND SSH-2.0-OpenSSH_6.6 - - - - - - -
XXXXXXXXXX.XXXXXX C1Xkzz2MaGtLrc1Tla 192.168.1.31 52294 192.168.1.32 22 - - 0 - SSH-2.0-OpenSSH_6.7 - - - - - - -
XXXXXXXXXX.XXXXXX CqlVyW1YwZ15RhTBc4 192.168.1.31 51489 192.168.1.32 22 - - 0 - SSH-2.0-OpenSSH_6.7 - - - - - - -
XXXXXXXXXX.XXXXXX CLNN1k2QMum1aexUK7 192.168.1.32 58641 131.103.20.168 22 - - 0 OUTBOUND SSH-2.0-OpenSSH_6.7 - - - - - - -
XXXXXXXXXX.XXXXXX CBA8792iHmnhPLksKa 192.168.1.32 58646 131.103.20.168 22 - - 0 OUTBOUND SSH-2.0-OpenSSH_6.7 - - - - - - -
XXXXXXXXXX.XXXXXX CGLPPc35OzDQij1XX8 192.168.1.32 58649 131.103.20.168 22 - - 0 OUTBOUND SSH-2.0-OpenSSH_6.7 - - - - - - -
#close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.


@ -0,0 +1,30 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.79 51880 131.159.21.1 22 tcp - 6.013825 0 2501 SHR T F 0 ^hdaf 0 0 20 3549 -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.2.1 57189 192.168.2.158 22 tcp - 6.641675 0 3489 SHR T T 0 ^hadf 0 0 29 5005 -
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 192.168.2.1 57191 192.168.2.158 22 tcp - 3.862105 0 813 SHR T T 0 ^hdaf 0 0 16 1653 -
XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 192.168.2.1 56594 192.168.2.158 22 tcp - 8.841592 0 537 SHR T T 0 ^hdaf 0 0 14 1273 -
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 192.168.2.1 56821 192.168.2.158 22 tcp - 1.106164 0 1125 SHR T T 0 ^hdaf 0 0 20 2173 -
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 192.168.2.1 56837 192.168.2.158 22 tcp - 1.080689 0 997 SHR T T 0 ^hdaf 0 0 19 1993 -
XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 192.168.2.1 56845 192.168.2.158 22 tcp - 1.302374 0 965 SHR T T 0 ^hdaf 0 0 20 2013 -
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.2.1 56875 192.168.2.158 22 tcp - 12.013362 0 549 SHR T T 0 ^hdaf 0 0 16 1389 -
XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 192.168.2.1 56878 192.168.2.158 22 tcp - 3.628800 0 825 SHR T T 0 ^hdaf 0 0 19 1821 -
XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 192.168.2.1 56940 192.168.2.158 22 tcp - 0.104755 0 609 SHR T T 0 ^hdaf 0 0 10 1137 -
XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 192.168.2.1 57831 192.168.2.158 22 tcp - 2.758679 0 813 SHR T T 0 ^hdaf 0 0 18 1757 -
XXXXXXXXXX.XXXXXX CFLRIC3zaTU1loLGxh 192.168.2.1 59246 192.168.2.158 22 tcp - 3.076531 0 4165 SHR T T 0 ^hadf 0 0 23 5369 -
XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 192.168.1.32 41164 128.2.10.238 22 tcp - 8.458002 0 3015 SHR T F 0 ^hadf 0 0 33 4763 -
XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 192.168.1.32 33910 128.2.13.133 22 tcp - 1.883790 0 6037 SHR T F 0 ^hadf 0 0 29 7565 -
XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 192.168.1.32 41268 128.2.10.238 22 tcp - 2.684423 0 2487 SHR T F 0 ^hadf 0 0 20 3535 -
XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 192.168.1.31 52294 192.168.1.32 22 tcp - 3.659871 0 2229 SHR T T 0 ^hadf 0 0 24 3497 -
XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 192.168.1.31 51489 192.168.1.32 22 tcp - 4.927268 0 2497 SHR T T 0 ^hdaf 0 0 27 3937 -
XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 192.168.1.32 58641 131.103.20.168 22 tcp - 0.542658 0 2309 SHR T F 0 ^hdaf 0 0 13 2993 -
XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 192.168.1.32 58646 131.103.20.168 22 tcp - 2.198678 0 535101 SHR T F 0 ^hadf 0 0 226 546861 -
XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 192.168.1.32 58649 131.103.20.168 22 tcp - 2.026830 0 534861 SHR T F 0 ^hadf 0 0 236 547141 -
#close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1,30 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssh
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version auth_success auth_attempts direction client server cipher_alg mac_alg compression_alg kex_alg host_key_alg host_key
#types time string addr port addr port count bool count enum string string string string string string string string
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 192.168.1.79 51880 131.159.21.1 22 - - 0 OUTBOUND - SSH-2.0-OpenSSH_5.8 - - - - - -
XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.2.1 57189 192.168.2.158 22 - - 0 - - SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - -
XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 192.168.2.1 57191 192.168.2.158 22 - - 0 - - SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - -
XXXXXXXXXX.XXXXXX CtPZjS20MLrsMUOJi2 192.168.2.1 56594 192.168.2.158 22 - - 0 - - SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - -
XXXXXXXXXX.XXXXXX CUM0KZ3MLUfNB0cl11 192.168.2.1 56821 192.168.2.158 22 - - 0 - - SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - -
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 192.168.2.1 56837 192.168.2.158 22 - - 0 - - SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - -
XXXXXXXXXX.XXXXXX CP5puj4I8PtEU4qzYg 192.168.2.1 56845 192.168.2.158 22 - - 0 - - SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - -
XXXXXXXXXX.XXXXXX C37jN32gN3y3AZzyf6 192.168.2.1 56875 192.168.2.158 22 - - 0 - - SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - -
XXXXXXXXXX.XXXXXX C3eiCBGOLw3VtHfOj 192.168.2.1 56878 192.168.2.158 22 - - 0 - - SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - -
XXXXXXXXXX.XXXXXX CwjjYJ2WqgTbAqiHl6 192.168.2.1 56940 192.168.2.158 22 - - 0 - - SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - -
XXXXXXXXXX.XXXXXX C0LAHyvtKSQHyJxIl 192.168.2.1 57831 192.168.2.158 22 - - 0 - - SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - -
XXXXXXXXXX.XXXXXX CFLRIC3zaTU1loLGxh 192.168.2.1 59246 192.168.2.158 22 - - 0 - - SSH-1.99-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 - - - - - -
XXXXXXXXXX.XXXXXX C9rXSW3KSpTYvPrlI1 192.168.1.32 41164 128.2.10.238 22 - - 0 OUTBOUND - SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7.1buf_fix+2006100301 - - - - - -
XXXXXXXXXX.XXXXXX Ck51lg1bScffFj34Ri 192.168.1.32 33910 128.2.13.133 22 - - 0 OUTBOUND - SSH-2.0-OpenSSH_5.3 - - - - - -
XXXXXXXXXX.XXXXXX C9mvWx3ezztgzcexV7 192.168.1.32 41268 128.2.10.238 22 - - 0 OUTBOUND - SSH-1.99-OpenSSH_3.4+p1+gssapi+OpenSSH_3.7.1buf_fix+2006100301 - - - - - -
XXXXXXXXXX.XXXXXX CNnMIj2QSd84NKf7U3 192.168.1.31 52294 192.168.1.32 22 - - 0 - - SSH-2.0-OpenSSH_6.7 - - - - - -
XXXXXXXXXX.XXXXXX C7fIlMZDuRiqjpYbb 192.168.1.31 51489 192.168.1.32 22 - - 0 - - SSH-2.0-OpenSSH_6.7 - - - - - -
XXXXXXXXXX.XXXXXX CykQaM33ztNt0csB9a 192.168.1.32 58641 131.103.20.168 22 - - 0 OUTBOUND - SSH-2.0-OpenSSH_5.3 - - - - - -
XXXXXXXXXX.XXXXXX CtxTCR2Yer0FR1tIBg 192.168.1.32 58646 131.103.20.168 22 - - 0 OUTBOUND - SSH-2.0-OpenSSH_5.3 - - - - - -
XXXXXXXXXX.XXXXXX CpmdRlaUoJLN3uIRa 192.168.1.32 58649 131.103.20.168 22 - - 0 OUTBOUND - SSH-2.0-OpenSSH_5.3 - - - - - -
#close XXXX-XX-XX-XX-XX-XX


@ -0,0 +1,8 @@
# Tests processing of half-duplex client-side connections, including no
# analyzer.log output.
# @TEST-EXEC: zeek -r $TRACES/ssh/ssh.client-side-half-duplex.pcap %INPUT
# @TEST-EXEC: test ! -e analyzer.log
# @TEST-EXEC: btest-diff ssh.log
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff .stdout


@ -0,0 +1,8 @@
# Tests processing of half-duplex server-side connections, including no
# analyzer.log output.
# @TEST-EXEC: zeek -r $TRACES/ssh/ssh.server-side-half-duplex.pcap %INPUT
# @TEST-EXEC: test ! -e analyzer.log
# @TEST-EXEC: btest-diff ssh.log
# @TEST-EXEC: btest-diff conn.log
# @TEST-EXEC: btest-diff .stdout


@ -1 +1 @@
4aaaefe2797d8d0af2885b4076b482c644cd6b59 8dd88e9b33da35feaae860b158bc91586ff17136