I’m currently working on capturing and logging of large amount of SSH-traffic using Zeek 5.0.2. But there’s a problem that I coudn’t get any details about SSH cipher in SSH.log, When I write my own scripts I found that every events except for SSH_server/client_version() in ssh module could not be triggered. What caused this problem?
At first I thought it might be me that didn’t load some necessary scripts，but when I looked into the SSH.log, it all looked this:
And I have monitored for couple of days and have received about thousands of ssh records, and none of them have any details about SSH-cipher.I haven’t made any changes to the file related to the ssh.log, so I am quite confused.
Thank you for your attention and look forward to your reply！
I’ve captured a pcap related to the record
It seems that after the version exchange is completed, the tcp connection is disconnected, and then the SSH connection is resumed, and Zeek seems not capture the later one.
By the way, there are a lot of traffic generated by connections established before I monitor, and that cannot raise the ssh_encryped_packet() event.
That snippet shows multiple separate connections. The first one only sends a Client Version. The second has a full handshake. Neither corresponds to the record you mention, which uses a client port of 35301.
If the IP addresses are sensitive, you could look into using a tool to rewrite them so you can share the pcap itself (I used to use “tcpdpriv” for this, though surely there are better replacements available now, I just don’t know them offhand). We really do need a pcap, rather than a screen shot, so we can try to reproduce the problem you’re seeing.
Sorry it took so long to reply, I tried to use zeek’s cmd to run some scripted directly, the SSH related event was successfully raised. Howerver, when I used the zeekctl and deployed the scripts, they acted like what I said before. I read the zeekctl.cfg already but couldn’t find any reasons related. What could be wrong with this?