How to generate SSH-cipher related event?

Hi all,
I’m currently working on capturing and logging of large amount of SSH-traffic using Zeek 5.0.2. But there’s a problem that I coudn’t get any details about SSH cipher in SSH.log, When I write my own scripts I found that every events except for SSH_server/client_version() in ssh module could not be triggered. What caused this problem?

Thanks for all your help,

Welcome, Shaw!

Any chance you can share your script & a pcap that demonstrates the problem?

Hi Vern!
At first I thought it might be me that didn’t load some necessary scripts,but when I looked into the SSH.log, it all looked this:
{“ts”:1665589208.121702,“uid”:“CdnFt82iUOtE7FYmJ2”,“id.orig_h”:“”,“id.orig_p”:33040,“id.resp_h”:“xx.xx.xx.xx”,“id.resp_p”:22,“auth_attempts”:0,“direction”:“OUTBOUND”,“client”:“SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7”}
And I have monitored for couple of days and have received about thousands of ssh records, and none of them have any details about SSH-cipher.I haven’t made any changes to the file related to the ssh.log, so I am quite confused.
Thank you for your attention and look forward to your reply!

Can you provide the conn.log entry that corresponds to the UID “CdnFt82iUOtE7FYmJ2”? It’s striking that there’s no “server” entry, so I’m wondering if the packet capture is failing.

Better still would be to capture a PCAP of a connection so we have something reproducible to work from.

I’ve captured a pcap related to the record
{“ts”:1665626549.967236,“uid”:“CIX7xI5N9VwBcRQEa”,“id.orig_h”:“xx.xx.xx.xx”,“id.orig_p”:35301,“id.resp_h”:“xx.xx.xx.xx”,“id.resp_p”:22,“auth_attempts”:0,“direction”:“OUTBOUND”,“client”:“SSH-2.0-OpenSSH_6.2_hpn13v11 FreeBSD-20130515”}

It seems that after the version exchange is completed, the tcp connection is disconnected, and then the SSH connection is resumed, and Zeek seems not capture the later one.
By the way, there are a lot of traffic generated by connections established before I monitor, and that cannot raise the ssh_encryped_packet() event.

That snippet shows multiple separate connections. The first one only sends a Client Version. The second has a full handshake. Neither corresponds to the record you mention, which uses a client port of 35301.

If the IP addresses are sensitive, you could look into using a tool to rewrite them so you can share the pcap itself (I used to use “tcpdpriv” for this, though surely there are better replacements available now, I just don’t know them offhand). We really do need a pcap, rather than a screen shot, so we can try to reproduce the problem you’re seeing.

Hi Vern,
Sorry it took so long to reply, I tried to use zeek’s cmd to run some scripted directly, the SSH related event was successfully raised. Howerver, when I used the zeekctl and deployed the scripts, they acted like what I said before. I read the zeekctl.cfg already but couldn’t find any reasons related. What could be wrong with this?