zeek/testing/btest/Traces/ssh
Johanna Amann 6023c8b906 SSH: make banner parsing more robust
This change revamps SSH banner parsing.  The previous behavior was both
a bit too strict in some regards, and too permissive in others.

Specifically, clients are now required to send a line starting with
"SSH-" as the first line.  This is in line with the RFC, as well as with
observed behavior. This also prevents the creation of `ssh.log` for
non-SSH traffic on port 22.

For the server side, we now accept text before the SSH banner. This
previously led to a protocol violation but is allowed by the spec.

New tests are added to cover these cases.
2025-03-18 16:19:33 +00:00
..
reverse-ssh.pcap Added several events for detailed info on the SSH2 key init directions 2022-12-05 12:35:05 +01:00
server-pre-banner-data.pcap SSH: make banner parsing more robust 2025-03-18 16:19:33 +00:00
single-conn.trace Integrate the Spicy plugin into Zeek proper. 2023-05-16 10:17:45 +02:00
ssh-on-port-80.trace SSH: Update baselines 2015-03-18 13:02:33 -04:00
ssh-over-udp.pcap Integrate the Spicy plugin into Zeek proper. 2023-05-16 10:17:45 +02:00
ssh.client-side-half-duplex.pcap make SSH analyzer robust to half-duplex connections 2024-05-07 11:40:47 -07:00
ssh.server-side-half-duplex.pcap make SSH analyzer robust to half-duplex connections 2024-05-07 11:40:47 -07:00
ssh.trace SSH: Update baselines 2015-03-18 13:02:33 -04:00
ssh1-ssh2-fingerprints.pcap GH-1264: Implement "ssh_server_host_key" event 2020-11-13 22:58:56 -08:00
ssh_client_sends_first_enc_pkt_with_newkeys.pcap GH-566: fix cases where ssh_encrypted_packet event wasn't raised 2019-09-03 17:34:24 -07:00
ssh_kex_curve25519.pcap Add btest for new SSH curve25519 KEX 2017-10-05 14:36:13 -05:00
ssh_server_sends_first_enc_pkt_with_newkeys.pcap GH-566: fix cases where ssh_encrypted_packet event wasn't raised 2019-09-03 17:34:24 -07:00
ssh_version_199.pcap [SSH] Handle SSH version 1.99 2020-11-14 15:33:34 +01:00
sshguess.pcap Updates related to SSH analysis. 2015-03-30 11:30:48 -05:00