mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
12 lines
459 B
Text
12 lines
459 B
Text
# @TEST-EXEC: zeek -b -Cr $TRACES/ssh/reverse-ssh.pcap %INPUT >out
|
|
# @TEST-EXEC: btest-diff out
|
|
|
|
@load base/protocols/ssh
|
|
|
|
event ssh2_ecc_init(c: connection, is_orig: bool) {
|
|
## If a machine sends out the initial key material for the handshake, this should come from the client.
|
|
## In most cases, this client is the machine that set up the TCP connection.
|
|
if ( ! is_orig ) {
|
|
print("Detected an ECC INIT not from the TCP client");
|
|
}
|
|
}
|