SSH Analyzer Skipping Some Encrypted Messages #566
The first encrypted message of an SSH session is not processed if it is included in a packet which also includes an SSH DH message or NewKeys message. This means the
In the pcap named ssh_server_sends_first_enc_pkt_with_newkeys.pcap the server sends its DH reply, NewKeys, and an encrypted message (the first of the session) all in the same packet (packet 12). The encrypted message is not processed by Zeek's SSH analyzer as is expected. The first encrypted packet processed by Zeek's SSH protocol analyzer is packet 15.
In the pcap named ssh_client_sends_first_enc_pkt_with_newkeys.pcap, the client includes an encrypted message (the first of the session) in the packet carrying its NewKeys message (packet 13). Yet, the first encrypted message processed by Zeek's protocol analyzer is packet 15.
This bug can be demonstrated via the following script:
Output of the script when run on the attached pcaps.
In both cases, the first encrypted packet to raise the
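The framing the report describes, as an added Python example (not Zeek's analyzer code and not the script from the report): it walks a constructed server-to-client TCP segment that carries a KEXDH reply, NEWKEYS and the first ciphertext, and records the bytes after NEWKEYS as an encrypted message instead of dropping them. The message payloads and ciphertext are constructed stand-ins, not bytes from the attached pcaps.

```python
import struct

SSH_MSG_NEWKEYS = 21      # RFC 4253: everything after this is encrypted
SSH_MSG_KEXDH_REPLY = 31  # RFC 4253 section 8


def ssh_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Frame one cleartext SSH binary packet (RFC 4253 section 6); no MAC before NEWKEYS."""
    # padding: total (4 + 1 + payload + padding) is a multiple of block_size, and at least 4
    pad = block_size - ((5 + len(payload)) % block_size)
    if pad < 4:
        pad += block_size
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + b"\x00" * pad


def walk_segment(data: bytes, encrypted: bool = False):
    """Return ([events], encrypted_state) for one reassembled TCP segment.

    Each cleartext message yields ("msg", code, offset). Once NEWKEYS is seen
    (or if the stream is already encrypted), the remainder of the segment is
    yielded as ("encrypted", n_bytes, offset) so the caller can still raise an
    event for it, which is what the report says does not happen today."""
    events, off = [], 0
    while off < len(data):
        if encrypted:
            events.append(("encrypted", len(data) - off, off))
            break
        if len(data) - off < 5:
            raise ValueError("truncated SSH packet header at offset %d" % off)
        pkt_len, pad_len = struct.unpack_from(">IB", data, off)
        end = off + 4 + pkt_len
        if end > len(data) or pkt_len < pad_len + 2:   # need at least a message code
            raise ValueError("bad SSH packet length at offset %d" % off)
        code = data[off + 5]
        events.append(("msg", code, off))
        if code == SSH_MSG_NEWKEYS:
            encrypted = True                            # switch mode, keep walking
        off = end
    return events, encrypted


# Constructed sample: a server segment like packet 12 in the report
# (DH reply + NEWKEYS + first encrypted message in one segment).
KEXDH_REPLY = bytes([SSH_MSG_KEXDH_REPLY]) + b"\x00" * 20   # placeholder body, not a real reply
NEWKEYS = bytes([SSH_MSG_NEWKEYS])
CIPHERTEXT = b"\xa5" * 32                                   # stand-in for the first encrypted message
SEGMENT = ssh_packet(KEXDH_REPLY) + ssh_packet(NEWKEYS) + CIPHERTEXT

if __name__ == "__main__":
    for ev in walk_segment(SEGMENT)[0]:
        print(ev)
```

The returned state is meant to be carried to the next segment of the same direction, so a later segment that is entirely ciphertext is reported as one encrypted record rather than parsed as cleartext.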
Yeah, looks like we're not raising
(A technicality that's maybe interesting to keep in mind is that this event has "packet" in the name, but maybe really ought to be thought of as "segment" due to the way it's currently raised using the length of data pertaining to reassembled TCP segments being fed into the analyzer, which may end up actually spanning multiple packets, like in the case we're filling in a previous gap).