mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
6023c8b906
This change revamps SSH banner parsing. The previous behavior was both a bit too strict in some regards, and too permissive in other. Specifically, clients are now required to send a line starting with "SSH-" as the first line. This is in line with the RFC, as well with observed behavior. This also prevents the creation of `ssh.log` for non-SSH traffic on port 22. For the server side, we now accept text before the SSH banner. This previously led to a protocol violation but is allowed by the spec. New tests are added to cover these cases.
11 lines
745 B
Text
11 lines
745 B
Text
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
|
#separator \x09
|
|
#set_separator ,
|
|
#empty_field (empty)
|
|
#unset_field -
|
|
#path conn
|
|
#open XXXX-XX-XX-XX-XX-XX
|
|
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents ip_proto
|
|
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] count
|
|
XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 10.0.2.1 55343 10.0.2.10 22 tcp ssh 0.201784 2869 4728 S1 T T 0 ShADad 21 3973 15 5516 - 6
|
|
#close XXXX-XX-XX-XX-XX-XX
|