Hi all,
I'm currently working on capturing and logging further SSH traffic to analyze the used kex algorithms:
the negotiation of which algorithm to use directly after the initial message, e.g. the client sends an SSH-Version-CLIENT request to the server, the server answers with an SSH-Version-SERVER, and directly afterwards the available kex algorithms are exchanged.
So I enhanced SSH.cc (src/SSH.cc) and began logging. The log output:
192.168.1.50 59521 192.168.1.51 22 failure INBOUND SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1 SSH-2.0-OpenSSH_5.8 \x16\x04\xd3\xef\x82\xa6/\x07\xb4\xecZA\xb5{\x98\xea\xee\x99\x7f\x04\xfe\xd8"\x9b{\xaf\x86\xbd\xd0\xe6y\x09\x1b\x0b\x9dg\xe7*a\x96\xc0\x09U\x89\xaf\xe5S\x0eoO\xfbD%x\xc4\x11\xda\x08\xc8qca\xffZ\x096\xe2rcZ#I"\x1f/?\xdfo\xdf\x88q\xf7\xb2\x0f\xc3\x99\xbf
\xbe\xdd\x99\xf6\xec\x92\xbd~\xbb\x04\x91\xba\xcbIafi\xcf\xf6'I\x81|\xda!\xc4\xd7\x1c%9b\xf8\xe5\xaf\xc2\xfd}w\x87\xa0\xf5\xe4\xa3k\x91-\xc0qY\x0e\x84\xd9\x1ah\x19\x9e\xf5\xfc\xa52\x89n\xda\xee\x08\x0f\xfb\xde\xfbA*\xbd\x82\xfd\x17\x9f\xc6\xba\x04\x91\xcb\x86\xdb\x0e\xaa\xc26\x82
k\xd8%cU\x89\xbe\x10\x90kb\xc9\xe7A/sR:\x0a\x82\xa2\xe7\xb1c\xb6@\xcd\xcd\xa20T\xfe\xf2e\xaf\x8b\x04\xbc\xd3\xbb\x98\x84p\x97\x9c[\xfc\xed\x1a\xa5?W\x85\x9d;\xdf\x81\xf6\x03\xe8d\xeaWA*9\xf8\xc6 1999 - - - - -
The relevant SSH.cc:
#include <string>   // key is assumed here to be declared as a std::string (declaration not shown),
                    // so the binary KEXINIT bytes, which may contain NUL, can be accumulated
                    // with an explicit length instead of strlen().

SSH_Analyzer::SSH_Analyzer(Connection* c)
: TCP_ApplicationAnalyzer(AnalyzerTag::SSH, c)
	{
	state = 0; // these two are global
	key.clear();
	orig = new ContentLine_Analyzer(c, true);
	orig->SetSkipPartial(false);
	orig->SetCRLFAsEOL(LF_as_EOL);
	AddSupportAnalyzer(orig);
	resp = new ContentLine_Analyzer(c, false);
	resp->SetSkipPartial(false);
	resp->SetCRLFAsEOL(LF_as_EOL);
	AddSupportAnalyzer(resp);
	}

void SSH_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
	{
	TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig);
	state = state + 1;
	if ( state < 3 )
		{
		// here is the part with the ssh_server_version and ssh_client_version, I left it out because it works
		}
	else
		{
		if ( TCP() )
			{
			// Append the new data to what was collected so far (the old code copied the
			// new data over the start of the buffer and kept a pointer to a stack array).
			// The length is passed explicitly because the payload is binary.
			key.append(reinterpret_cast<const char*>(data), length);
			val_list* vl = new val_list;
			vl->append(BuildConnVal());
			vl->append(new StringVal(key.size(), key.data()));
			ConnectionEvent(ssh_add3, vl);
			return;
			}
		}
	}
I have 2 questions:
1) Is it possible to change the logging to a more ASCII style, the way the first two exchanged packets are logged? (I tested different options for the ContentAnalyzer from ContentLine.cc, e.g. SetPlainDelivery and SetCRLFAsEOL, but all I got was hex-style logging for the first packets.)
2) I think the delivered data is not all there is; Wireshark shows more packet content. Am I missing something?
Thanks for all your help,
Arne
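The post above wants the offered kex algorithms out of the bytes that follow the version strings. Those bytes are an SSH binary packet (RFC 4253 section 6) whose payload is SSH_MSG_KEXINIT (section 7.1): a type byte, a 16-byte cookie and ten RFC 4251 name-lists, each a big-endian uint32 length followed by comma-separated names. The following stand-alone C++ program is an added example, not code from the post or from Bro: it builds a constructed KEXINIT packet (the algorithm strings and cookie are made up, not a capture), parses it with bounds checks against the packet length, and applies an example policy that flags legacy SHA-1 and 1024-bit DH exchanges, which is the check a defender logging this data would want. It works on the whole packet rather than on line-delimited chunks, because the payload is binary and bytes such as 0x0a are data, not line ends.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

typedef std::vector<uint8_t> Bytes;

// Big-endian uint32 at pos, bounds-checked against the buffer end.
static uint32_t read_u32(const Bytes& b, size_t& pos) {
    if (b.size() - pos < 4) throw std::runtime_error("truncated uint32");
    uint32_t v = (uint32_t)b[pos] << 24 | (uint32_t)b[pos + 1] << 16 | (uint32_t)b[pos + 2] << 8 | b[pos + 3];
    pos += 4; return v;
}

// RFC 4251 name-list: uint32 length, then comma-separated US-ASCII names (empty list = no names).
static std::vector<std::string> read_name_list(const Bytes& b, size_t& pos) {
    uint32_t len = read_u32(b, pos);
    if (len > b.size() - pos) throw std::runtime_error("name-list exceeds payload");
    std::string s(b.begin() + pos, b.begin() + pos + len);
    pos += len;
    std::vector<std::string> out;
    for (size_t start = 0; !s.empty(); ) {
        size_t comma = s.find(',', start);
        if (comma == std::string::npos) { out.push_back(s.substr(start)); break; }
        out.push_back(s.substr(start, comma - start));
        start = comma + 1;
    }
    return out;
}

struct KexInit {
    std::vector<std::string> kex, host_key, enc_c2s, enc_s2c, mac_c2s, mac_s2c, comp_c2s, comp_s2c, lang_c2s, lang_s2c;
    bool first_kex_packet_follows;
};

// Parse one unencrypted SSH binary packet (RFC 4253 section 6) carrying SSH_MSG_KEXINIT (section 7.1).
KexInit parse_kexinit(const Bytes& pkt) {
    size_t pos = 0;
    uint32_t packet_length = read_u32(pkt, pos);
    if (packet_length < 2 || packet_length > pkt.size() - 4) throw std::runtime_error("packet_length inconsistent with captured bytes");
    uint8_t padding_length = pkt[pos++];
    if (padding_length + 1u > packet_length) throw std::runtime_error("padding larger than packet");
    // Copy out the payload only: random padding follows it, and there is no MAC before key exchange.
    Bytes p(pkt.begin() + pos, pkt.begin() + pos + (packet_length - padding_length - 1));
    if (p.size() < 17 || p[0] != 20) throw std::runtime_error("not SSH_MSG_KEXINIT");
    size_t q = 17;                               // message type byte + 16-byte cookie
    KexInit k;
    k.kex = read_name_list(p, q);       k.host_key = read_name_list(p, q);
    k.enc_c2s = read_name_list(p, q);   k.enc_s2c = read_name_list(p, q);
    k.mac_c2s = read_name_list(p, q);   k.mac_s2c = read_name_list(p, q);
    k.comp_c2s = read_name_list(p, q);  k.comp_s2c = read_name_list(p, q);
    k.lang_c2s = read_name_list(p, q);  k.lang_s2c = read_name_list(p, q);
    if (q >= p.size()) throw std::runtime_error("missing first_kex_packet_follows");
    k.first_kex_packet_follows = p[q++] != 0;
    read_u32(p, q);                              // reserved uint32; must still be present
    return k;
}

// Policy check a defender would alert on: legacy SHA-1 / 1024-bit DH exchanges offered by a peer
// (this list is the example's own policy, not part of the SSH specification).
std::vector<std::string> legacy_kex_offered(const KexInit& k) {
    static const char* legacy[] = { "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1" };
    std::vector<std::string> found;
    for (const std::string& name : k.kex)
        for (const char* l : legacy)
            if (name == l) found.push_back(name);
    return found;
}

static void put_u32(Bytes& b, uint32_t v) { for (int s = 24; s >= 0; s -= 8) b.push_back((uint8_t)(v >> s)); }
static void put_name_list(Bytes& b, const std::string& s) { put_u32(b, (uint32_t)s.size()); b.insert(b.end(), s.begin(), s.end()); }

// Constructed sample (not a capture): an OpenSSH-like client offer that still lists group1 and group14-sha1.
Bytes build_sample_kexinit() {
    Bytes payload;
    payload.push_back(20);                                                // SSH_MSG_KEXINIT
    for (int i = 0; i < 16; ++i) payload.push_back((uint8_t)(0x10 + i)); // cookie (random in real traffic)
    put_name_list(payload, "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1");
    put_name_list(payload, "ssh-rsa,ssh-dss");
    for (int i = 0; i < 2; ++i) put_name_list(payload, "aes128-ctr,aes256-ctr");
    for (int i = 0; i < 2; ++i) put_name_list(payload, "hmac-sha2-256,hmac-sha1");
    for (int i = 0; i < 2; ++i) put_name_list(payload, "none,zlib@openssh.com");
    for (int i = 0; i < 2; ++i) put_name_list(payload, "");               // languages: empty name-lists
    payload.push_back(0);                                                 // first_kex_packet_follows = false
    put_u32(payload, 0);                                                  // reserved
    size_t padding = 8 - (5 + payload.size()) % 8;                        // block-align to 8 with at least 4 pad bytes
    if (padding < 4) padding += 8;
    Bytes pkt;
    put_u32(pkt, (uint32_t)(1 + payload.size() + padding));
    pkt.push_back((uint8_t)padding);
    pkt.insert(pkt.end(), payload.begin(), payload.end());
    pkt.insert(pkt.end(), padding, (uint8_t)0x0a);                        // padding; LF bytes on purpose: inside a packet they are data, not line ends
    return pkt;
}

// True if the parser rejects the packet cut down to `keep` bytes rather than reading past its end.
bool rejects_truncated(const Bytes& pkt, size_t keep) {
    try { parse_kexinit(Bytes(pkt.begin(), pkt.begin() + keep)); } catch (const std::runtime_error&) { return true; }
    return false;
}
```

Feeding parse_kexinit() the bytes of a captured KEXINIT gives the ten lists by name, so a log can carry "diffie-hellman-group1-sha1" instead of escaped bytes; a packet that is shorter than its own packet_length field is rejected instead of being read past the end, which is the check to keep when the parser runs on attacker-controlled traffic.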