Added several events for detailed info on the SSH2 key init directions

2025-10-06 16:48:19 +00:00 · 2022-12-02 11:27:25 +01:00 · 2022-12-02 11:27:25 +01:00 · bcdbca4bb9
commit bcdbca4bb9
parent dbbb6cd6f0
8 changed files with 178 additions and 18 deletions
--- a/testing/btest/scripts/base/protocols/ssh/ssh-reverse-connection.zeek
+++ b/testing/btest/scripts/base/protocols/ssh/ssh-reverse-connection.zeek
@ -0,0 +1,12 @@
+# @TEST-EXEC: zeek -b -Cr $TRACES/ssh/reverse-ssh.pcap %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/ssh
+
+event ssh2_ecc_init(c: connection, is_orig: bool) {
+    ## If a machine sends out the initial key material for the handshake, this should come from the client.
+    ## In most cases, this client is the machine that set up the TCP connection. 
+    if ( ! is_orig ) {
+        print("Detected an ECC INIT not from the TCP client");
+    }
+}