SSH-enhancement

Hi all,

I'm currently working on capturing and logging more SSH traffic to analyze the kex algorithms used:

the negotiation of which algorithm to use directly after the initial message, e.g. the client sends an SSH-Version-CLIENT request to the server, the server answers with an SSH-Version-SERVER, and directly afterwards the available kex algorithms are exchanged.

So I enhanced the SSH.cc (src/SSH.cc) and began logging. The log output:

    192.168.1.50 59521 192.168.1.51 22 failure INBOUND SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1 SSH-2.0-OpenSSH_5.8 \x16\x04\xd3\xef\x82\xa6/\x07\xb4\xecZA\xb5{\x98\xea\xee\x99\x7f\x04\xfe\xd8"\x9b{\xaf\x86\xbd\xd0\xe6y\x09\x1b\x0b\x9dg\xe7*a\x96\xc0\x09U\x89\xaf\xe5S\x0eoO\xfbD%x\xc4\x11\xda\x08\xc8qca\xffZ\x096\xe2rcZ#I"\x1f/?\xdfo\xdf\x88q\xf7\xb2\x0f\xc3\x99\xbf
\xbe\xdd\x99\xf6\xec\x92\xbd~\xbb\x04\x91\xba\xcbIafi\xcf\xf6'I\x81|\xda!\xc4\xd7\x1c%9b\xf8\xe5\xaf\xc2\xfd}w\x87\xa0\xf5\xe4\xa3k\x91-\xc0qY\x0e\x84\xd9\x1ah\x19\x9e\xf5\xfc\xa52\x89n\xda\xee\x08\x0f\xfb\xde\xfbA*\xbd\x82\xfd\x17\x9f\xc6\xba\x04\x91\xcb\x86\xdb\x0e\xaa\xc26\x82
k\xd8%cU\x89\xbe\x10\x90kb\xc9\xe7A/sR:\x0a\x82\xa2\xe7\xb1c\xb6@\xcd\xcd\xa20T\xfe\xf2e\xaf\x8b\x04\xbc\xd3\xbb\x98\x84p\x97\x9c[\xfc\xed\x1a\xa5?W\x85\x9d;\xdf\x81\xf6\x03\xe8d\xeaWA*9\xf8\xc6 1999 - - - - -

The relevant part of SSH.cc:

SSH_Analyzer::SSH_Analyzer(Connection* c)
: TCP_ApplicationAnalyzer(AnalyzerTag::SSH, c)
	{
	state = 0;	// these two are members shared across DeliverStream() calls
	key = "";	// std::string holding the bytes accumulated after the version exchange
	orig = new ContentLine_Analyzer(c, true);
	orig->SetSkipPartial(false);
	orig->SetCRLFAsEOL(LF_as_EOL);
	AddSupportAnalyzer(orig);

	resp = new ContentLine_Analyzer(c, false);
	resp->SetSkipPartial(false);
	resp->SetCRLFAsEOL(LF_as_EOL);
	AddSupportAnalyzer(resp);
	}

void SSH_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
	{
	TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig);

	state = state + 1;

	if ( state < 3 )
		{
		// here is the part with the ssh_server_version and ssh_client_version, I left it out because it works
		}
	else
		{
		if ( TCP() )
			{
			event = ssh_add3;
			// Append the new data to what was delivered before. The original memcpy() into a
			// stack-allocated char array wrote the new bytes at offset 0 (overwriting the old
			// ones) and kept a pointer to the array after it went out of scope; a std::string
			// avoids both problems and keeps binary data containing NUL bytes intact.
			key.append(reinterpret_cast<const char*>(data), length);
			StringVal* kex = new StringVal(key.size(), key.data());
			val_list* vl = new val_list;
			vl->append(BuildConnVal());
			vl->append(kex);
			ConnectionEvent(event, vl);
			return;
			}
		}
	}

I have 2 questions:
1) Is it possible to change the logging to a more ASCII-style output, the way the first two exchanged packets are logged? (I tested different options for the ContentAnalyzer from ContentLine.cc, e.g. SetPlainDelivery and SetCRLFAsEOL, but all I got was hex-style logging for the first packets.)
2) I think the delivered data is not all there is; Wireshark shows more packet content. Am I missing something?

Thanks for all your help,

Arne

> I have 2 questions:
> 1) Is it possible to change the logging to a more ASCII-style output, the way
> the first two exchanged packets are logged? (I tested different
> options for the ContentAnalyzer from ContentLine.cc, e.g.
> SetPlainDelivery and SetCRLFAsEOL, but all I got was hex-style logging
> for the first packets.)

I'm a little unclear about the changes you made. If you could work with our repository and send us a diff that would be much more helpful. I do think that part of your problem is that you aren't actually parsing those fields. You're just shoving the data after the version exchange into a string but there is a lot of structure to it which you are just directly including in your output.

> 2) I think the delivered data is not all there is; Wireshark shows
> more packet content. Am I missing something?

It's funny that you are looking into this. I've been planning on overhauling the SSH analyzer very soon myself. I was going to turn the whole analyzer into a binpac-based analyzer, and my plan was to extract a lot more data than is currently extracted. It should address what you are trying to do, at least.

  .Seth
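Seth's point that the bytes after the version exchange carry structure, and Arne's first question about ASCII-style output, come down to parsing the SSH_MSG_KEXINIT message instead of logging raw bytes. The following is an added example, not code from this thread or from Bro's SSH analyzer: it parses one unencrypted binary packet carrying KEXINIT (RFC 4253 sections 6 and 7.1) and returns the ten name-lists, the kex algorithms first, as plain ASCII strings; it expects the raw packet bytes rather than line-delivered data, and BuildKexInit only constructs test input.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// A parsed SSH_MSG_KEXINIT (RFC 4253 7.1). 'lists' is in wire order: kex, host key,
// enc c2s, enc s2c, mac c2s, mac s2c, comp c2s, comp s2c, lang c2s, lang s2c.
struct KexInit { bool ok = false; std::vector<std::string> lists; bool first_kex_packet_follows = false; };

// Big-endian uint32 at p[off]; fails if fewer than 4 bytes remain before 'end'.
static bool ReadU32(const uint8_t* p, size_t end, size_t& off, uint32_t& out) {
    if (end - off < 4) return false;
    out = (uint32_t(p[off]) << 24) | (uint32_t(p[off + 1]) << 16) | (uint32_t(p[off + 2]) << 8) | p[off + 3];
    off += 4; return true;
}

// Parses one unencrypted binary packet (RFC 4253 section 6) carrying KEXINIT:
// uint32 packet_length, byte padding_length, payload, random padding (no MAC before kex).
KexInit ParseKexInit(const uint8_t* p, size_t len) {
    KexInit r;
    size_t off = 0; uint32_t packet_len;
    if (!ReadU32(p, len, off, packet_len) || packet_len < 1 || packet_len > len - 4) return r;
    size_t padding_len = p[off++];
    if (packet_len < padding_len + 18) return r;        // need msg type + 16-byte cookie
    size_t payload_end = 4 + packet_len - padding_len;  // padding is not part of the message
    if (p[off++] != 20) return r;                       // SSH_MSG_KEXINIT
    off += 16;                                          // skip the random cookie
    for (int i = 0; i < 10; ++i) {                      // ten name-lists: uint32 length + names
        uint32_t n;
        if (!ReadU32(p, payload_end, off, n) || n > payload_end - off) return r;
        r.lists.emplace_back(reinterpret_cast<const char*>(p + off), n);
        off += n;
    }
    if (payload_end - off < 5) return r;                // boolean + reserved uint32
    r.first_kex_packet_follows = p[off] != 0;
    r.ok = true; return r;
}

// Constructed test input (not captured traffic): the inverse of ParseKexInit, wrapping ten
// name-lists in a KEXINIT packet with a zero cookie and 'pad' bytes of zero padding.
std::vector<uint8_t> BuildKexInit(const std::vector<std::string>& lists, uint8_t pad) {
    std::vector<uint8_t> v(5, 0);                       // packet_length + padding_length, filled below
    v.push_back(20);
    v.insert(v.end(), size_t(16), uint8_t(0));          // cookie
    for (const std::string& l : lists) {
        for (int s = 24; s >= 0; s -= 8) v.push_back(uint8_t(l.size() >> s));
        v.insert(v.end(), l.begin(), l.end());
    }
    v.insert(v.end(), size_t(5), uint8_t(0));           // first_kex_packet_follows = 0, reserved
    v.insert(v.end(), size_t(pad), uint8_t(0));
    uint32_t plen = uint32_t(v.size() - 4);
    for (int i = 0; i < 4; ++i) v[i] = uint8_t(plen >> (24 - 8 * i));
    v[4] = pad; return v;
}
```

A truncated or malformed packet yields ok == false instead of a read past the buffer, which matters for an analyzer fed by untrusted traffic.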