SSH protocol now assesses the packet length at an earlier stage within binpac. Stops SSH analyzer constantly raising binpac exceptions. Seems to be because a packet continues to go through binpac when empty and only calls the next packet when asked for more data and not on operations.

2025-10-04 15:48:19 +00:00 · 2017-12-21 16:34:26 +00:00 · 2017-12-21 16:34:26 +00:00 · f07fdc255f
commit f07fdc255f
parent 1c25df6f26
2 changed files with 25 additions and 12 deletions
--- a/src/analyzer/protocol/ssh/ssh-analyzer.pac
+++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac
@ -173,6 +173,18 @@ refine flow SSH_Flow += {
 		connection()->bro_analyzer()->ProtocolConfirmation();
 		return true;
 		%}
+
+	function get_kex_length(v: int, packet_length: uint32): int
+		%{
+		switch (v) {
+			case SSH1:
+				return packet_length + 4 + 8 -(packet_length%8);
+			case SSH2:
+				return packet_length + 4;
+			default:
+				return 1; //currently causes the rest of the packet to dump
+		}
+		%}
 };

 refine typeattr SSH_Version += &let {