[Bro-Dev] Weirdness with event ssh_capabilities

John Althouse john at alt.house
Tue Apr 24 14:57:19 PDT 2018


Take a look

http://try.bro.org/#/trybro/saved/228251

In this instance, the client sent the Key Exchange Init packet first and
the server sent its Key Exchange Init packet second. The client packet
actually contained the list of encryption algorithms seen here, but it's
being printed out when I specify is_server == T; it should be printed when
is_server == F, right?

It also looks like ssh_capabilities is only capturing details within the
first Key Exchange Init packet, whether that be the one from the server or
the client, and ignoring the second one.

So sometimes the server will send the KEI first, Bro captures that, then
the client sends its KEI and it looks like Bro ignores it. Same thing
happens when it's the other way around. I want to be able to look at the
details in both KEIs.

Does this make sense? Does anyone know how this can be fixed or maybe I'm
doing something wrong here?

Thanks!

John
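One way to keep both Key Exchange Init packets regardless of which side sent its KEI first, as an added example script (not from the post above, and not Bro's own base SSH script): it stores one capabilities record per direction, keyed on the is_server flag rather than on arrival order. It assumes the standard ssh_capabilities event signature and that SSH::Capabilities carries an is_server field and encryption_algorithms prefs split into client_to_server / server_to_client; the Both record and the ssh_kei connection field are names introduced here.

```bro
@load base/protocols/ssh

module SSH_KEI;

export {
    ## Constructed per-connection state (name chosen here): one
    ## SSH::Capabilities record per direction of the key exchange.
    type Both: record {
        client: SSH::Capabilities &optional;
        server: SSH::Capabilities &optional;
    };
}

# Attach the per-direction state to the connection record (field name is ours).
redef record connection += {
    ssh_kei: Both &optional;
};

event ssh_capabilities(c: connection, cookie: string, capabilities: SSH::Capabilities) &priority=3
    {
    if ( ! c?$ssh_kei )
        c$ssh_kei = Both();

    # Key on the direction flag, not on which KEI arrived first, so the
    # second packet is never dropped or confused with the first one.
    if ( capabilities$is_server )
        c$ssh_kei$server = capabilities;
    else
        c$ssh_kei$client = capabilities;

    # Once both KEIs are seen, report what each side offered for the
    # client-to-server cipher direction; a defender can diff these lists
    # to spot weak or unexpected algorithm preferences on either end.
    if ( c$ssh_kei?$client && c$ssh_kei?$server )
        {
        print fmt("%s client offered (c->s): %s", c$uid,
                  join_string_vec(c$ssh_kei$client$encryption_algorithms$client_to_server, ","));
        print fmt("%s server offered (c->s): %s", c$uid,
                  join_string_vec(c$ssh_kei$server$encryption_algorithms$client_to_server, ","));
        }
    }
```

Because the state lives in its own connection field, it is unaffected by whatever the base SSH script does with c$ssh$capabilities.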