Project

General

Profile

Actions
Copy link

Feature #7103

open

ssh: extra fields and keywords

Added by Peter Manev 5 months ago. Updated 4 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Effort:
Difficulty:
Label:

Description

Consider adding more ssh protocol fields (to the existing ssh protocol logging) and ssh keywords (to the rules for matching) to be able to match on such cases as described in the blog here:
https://corelight.com/blog/newsroom/news/zeek-metadata-ssh-terrapin

Mainly:
  • Message authentication
  • Encryption
  • Key Exchange
  • Compression

This is good both for detection and audit of networks traffic

Related issues 2 (1 open1 closed)

Related to Suricata - Feature #4148: Research: SSH Support for additional protocol analysisNewCommunity TicketActions
Related to Suricata - Feature #5734: ssh: add frame supportClosedPhilippe AntoineActions
Actions
Copy link

Also available in: Atom PDF