Feature #7103

open

ssh: extra fields and keywords

Added by Peter Manev 5 months ago. Updated 4 months ago.

Status: Feedback
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Consider adding more ssh protocol fields (to the existing ssh protocol logging) and ssh keywords (to the rules for matching) to be able to match on such cases as described in the blog here:
https://corelight.com/blog/newsroom/news/zeek-metadata-ssh-terrapin

Mainly:
  • Message authentication
  • Encryption
  • Key Exchange
  • Compression

This is good both for detection and audit of network traffic.
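
The four categories listed above are negotiated in the SSH_MSG_KEXINIT message (RFC 4253, section 7.1). As an added example, which is neither part of this ticket nor Suricata code, the Rust parser below extracts those name-lists from a KEXINIT payload, the values a logger or rule keyword would need. The struct, the function names and the sample algorithm lists are hypothetical or constructed.

```rust
// Added example, not Suricata code (hypothetical names); layout per RFC 4253, section 7.1.
const SSH_MSG_KEXINIT: u8 = 20;
#[derive(Debug)]
pub struct KexInit {
    pub kex: Vec<String>,
    pub encryption: [Vec<String>; 2], // [client_to_server, server_to_client]
    pub mac: [Vec<String>; 2],
    pub compression: [Vec<String>; 2],
}

// One name-list: uint32 big-endian length, then comma-separated names.
fn name_list(buf: &[u8], pos: &mut usize) -> Option<Vec<String>> {
    let b = buf.get(*pos..pos.checked_add(4)?)?;
    let len = u32::from_be_bytes([b[0], b[1], b[2], b[3]]) as usize;
    let end = (*pos + 4).checked_add(len)?;
    let raw = std::str::from_utf8(buf.get(*pos + 4..end)?).ok()?;
    *pos = end;
    Some(raw.split(',').filter(|s| !s.is_empty()).map(String::from).collect())
}

// `p` starts at the message-type byte; None on wrong type or truncated field.
pub fn parse_kexinit(p: &[u8]) -> Option<KexInit> {
    if *p.first()? != SSH_MSG_KEXINIT { return None; }
    let mut pos = 17; // message type (1) + random cookie (16)
    let kex = name_list(p, &mut pos)?;
    name_list(p, &mut pos)?; // server_host_key_algorithms, skipped
    Some(KexInit { // fields and array elements evaluate in written (wire) order
        kex,
        encryption: [name_list(p, &mut pos)?, name_list(p, &mut pos)?],
        mac: [name_list(p, &mut pos)?, name_list(p, &mut pos)?],
        compression: [name_list(p, &mut pos)?, name_list(p, &mut pos)?],
    })
}

// Constructed sample payload: zero cookie, then the ten name-lists given.
pub fn sample_kexinit(lists: &[&str]) -> Vec<u8> {
    let mut p = [&[SSH_MSG_KEXINIT][..], &[0u8; 16][..]].concat();
    for l in lists {
        p.extend_from_slice(&(l.len() as u32).to_be_bytes());
        p.extend_from_slice(l.as_bytes());
    }
    p.extend_from_slice(&[0; 5]); // first_kex_packet_follows + reserved
    p
}

fn main() {
    let l = ["curve25519-sha256", "ssh-ed25519", "aes128-ctr", "aes128-ctr",
             "hmac-sha2-256", "hmac-sha2-256", "none", "none", "", ""];
    println!("{:?}", parse_kexinit(&sample_kexinit(&l)));
}
```

The payload is the content of the SSH binary packet after the packet_length and padding_length fields have been removed; each side sends its own KEXINIT, so a logger would record one such set per direction.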


Related issues 2 (1 open, 1 closed)

Related to Suricata - Feature #4148: Research: SSH Support for additional protocol analysis (New, Community Ticket)
Related to Suricata - Feature #5734: ssh: add frame support (Closed, Philippe Antoine)
