[Bro] SSH-enhancement

Arne Wirtz wirtz at in.tum.de
Thu Mar 8 08:56:55 PST 2012


Hi all,

I'm currently working on capturing and logging further SSH traffic to 
analyze the kex algorithms used:

the negotiation of which algorithm to use happens directly after the 
initial message, e.g. the client sends an SSH-Version-CLIENT request to 
the server, the server answers with an SSH-Version-SERVER, and directly 
afterwards the available kex algorithms are exchanged.

So I enhanced the SSH.cc (src/SSH.cc) and began logging. The log output:

    192.168.1.50    59521   192.168.1.51    22      failure INBOUND 
SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1   SSH-2.0-OpenSSH_5.8     
\x16\x04\xd3\xef\x82\xa6/\x07\xb4\xecZA\xb5{\x98\xea\xee\x99\x7f\x04\xfe\xd8"\x9b{\xaf\x86\xbd\xd0\xe6y\x09\x1b\x0b\x9dg\xe7*a\x96\xc0\x09U\x89\xaf\xe5S\x0eoO\xfbD%x\xc4\x11\xda\x08\xc8qca\xffZ\x096\xe2rcZ#I"\x1f/?\xdfo\xdf\x88q\xf7\xb2\x0f\xc3\x99\xbf
\xbe\xdd\x99\xf6\xec\x92\xbd~\xbb\x04\x91\xba\xcbIafi\xcf\xf6'I\x81|\xda!\xc4\xd7\x1c%9b\xf8\xe5\xaf\xc2\xfd}w\x87\xa0\xf5\xe4\xa3k\x91-\xc0qY\x0e\x84\xd9\x1ah\x19\x9e\xf5\xfc\xa52\x89n\xda\xee\x08\x0f\xfb\xde\xfbA*\xbd\x82\xfd\x17\x9f\xc6\xba\x04\x91\xcb\x86\xdb\x0e\xaa\xc26\x82
k\xd8%cU\x89\xbe\x10\x90kb\xc9\xe7A/sR:\x0a\x82\xa2\xe7\xb1c\xb6@\xcd\xcd\xa20T\xfe\xf2e\xaf\x8b\x04\xbc\xd3\xbb\x98\x84p\x97\x9c[\xfc\xed\x1a\xa5?W\x85\x9d;\xdf\x81\xf6\x03\xe8d\xeaWA*9\xf8\xc6  
1999    -       -       -       -       -

the relevant SSH.cc:

// Additions to src/SSH.cc. Assumed to sit next to the analyzer's usual
// includes ("SSH.h", "Event.h", "ContentLine.h"); <string> is added for the
// binary-safe buffer below.
#include <string>

// These two are global (as in the post), so they are shared by every SSH
// connection Bro sees; per-connection state would need members in SSH.h.
static int state = 0;      // number of DeliverStream() calls seen so far
static std::string key;    // accumulated kex bytes; std::string keeps NUL bytes,
                           // which a char* handled with strlen() would cut off

SSH_Analyzer::SSH_Analyzer(Connection* c)
: TCP_ApplicationAnalyzer(AnalyzerTag::SSH, c)
    {
    state = 0;
    key.clear();
    orig = new ContentLine_Analyzer(c, true);
    orig->SetSkipPartial(false);
    orig->SetCRLFAsEOL(LF_as_EOL);
    AddSupportAnalyzer(orig);

    resp = new ContentLine_Analyzer(c, false);
    resp->SetSkipPartial(false);
    resp->SetCRLFAsEOL(LF_as_EOL);
    AddSupportAnalyzer(resp);
    }

void SSH_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
    {
    TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig);

    state = state + 1;

    if ( state < 3 )
        {
        // here is the part with the ssh_server_version and
        // ssh_client_version, I left it out because it works
        }
    else
        {
        if ( TCP() )
            {
            // Concatenate the old string with the new data. The original
            // code copied both to offset 0 of a stack buffer (the second
            // memcpy overwrote the first) and then kept a pointer to that
            // buffer after it went out of scope; append() does the
            // concatenation in place and the buffer outlives this call.
            key.append(reinterpret_cast<const char*>(data), length);

            // Length-aware StringVal so embedded NUL bytes in the binary
            // KEXINIT payload do not truncate the logged value.
            StringVal* kex = new StringVal(key.size(), key.data());
            val_list* vl = new val_list;
            vl->append(BuildConnVal());
            vl->append(kex);
            ConnectionEvent(ssh_add3, vl);
            return;
            }
        }
    }


I have 2 questions:
1) Is it possible to change the logging to a more ASCII-style format, the 
way the first two exchanged packets are logged? (I tested different 
options for the ContentAnalyzer from ContentLine.cc, e.g. 
SetPlainDelivery and SetCRLFAsEOL, but all I got was hex-style logging 
for the first packets.)
2) I think the delivered data are not all there is; Wireshark shows 
more packet content. Am I missing something?

Thanks for all your help,

Arne
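The bytes the post logs as hex are the start of the SSH binary packet carrying SSH_MSG_KEXINIT, which is where the algorithm names live. As an added example that is not part of the original post or of Bro's SSH analyzer, the C++ below parses an unencrypted KEXINIT (RFC 4253 framing) from a byte buffer and returns its name-lists as ASCII; it returns `complete == false` while the buffer holds only part of the packet, which is why the analyzer has to keep appending deliveries before the names can be pulled out. `parse_kexinit`, `sample_kexinit` and the `KexInit` struct are names chosen here; the sample packet is constructed in the code.

```cpp
#include <cstdint>
#include <string>
#include <vector>
// Constructed example: pull the algorithm name-lists out of an unencrypted
// SSH_MSG_KEXINIT (RFC 4253, sections 6 and 7.1). Wire format:
//   uint32 packet_length | byte padding_length | payload | padding, with payload
//   byte 20 | byte[16] cookie | 10 name-lists (uint32 len + "a,b,c") | bool | uint32 0
struct KexInit {
    bool complete = false;               // false: keep buffering, or not a KEXINIT
    std::vector<std::string> name_lists; // kex_algorithms, server_host_key_algorithms, ...
};
static uint32_t rd32(const uint8_t* p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
KexInit parse_kexinit(const std::vector<uint8_t>& buf) {
    KexInit r;
    if (buf.size() < 5) return r;                           // header not delivered yet
    uint32_t plen = rd32(buf.data());
    if (plen < 2 || plen > 35000 || buf.size() < 4 + plen) return r; // bad or partial
    uint8_t pad = buf[4];
    if (pad + 1u > plen) return r;                          // padding longer than packet
    const uint8_t* p = buf.data() + 5;
    size_t n = plen - pad - 1, off = 17;                    // skip msg type + cookie
    if (n < off || p[0] != 20) return r;                    // not SSH_MSG_KEXINIT
    for (int i = 0; i < 10; ++i) {
        if (off + 4 > n) return r;
        uint32_t len = rd32(p + off); off += 4;
        if (len > n - off) return r;                        // list runs past the payload
        r.name_lists.emplace_back((const char*)p + off, len);
        off += len;
    }
    r.complete = true;
    return r;
}
// Constructed sample: frame a KEXINIT the way a client would put it on the wire.
std::vector<uint8_t> sample_kexinit(const std::vector<std::string>& lists) {
    std::vector<uint8_t> pl = {20};
    pl.insert(pl.end(), 16, 0x42);                          // cookie (random on the wire)
    for (const auto& l : lists) {
        for (int s = 24; s >= 0; s -= 8) pl.push_back(uint8_t(l.size() >> s));
        pl.insert(pl.end(), l.begin(), l.end());
    }
    pl.push_back(0); pl.insert(pl.end(), 4, 0);             // first_kex_packet_follows, reserved
    uint8_t pad = 8 - (5 + pl.size()) % 8; if (pad < 4) pad += 8; // total length % 8 == 0
    uint32_t plen = pl.size() + pad + 1;
    std::vector<uint8_t> pkt = {uint8_t(plen >> 24), uint8_t(plen >> 16),
                                uint8_t(plen >> 8), uint8_t(plen), pad};
    pkt.insert(pkt.end(), pl.begin(), pl.end());
    pkt.insert(pkt.end(), pad, 0);
    return pkt;
}
```

Once the whole packet has been buffered, `name_lists[0]` is the client's kex_algorithms list and `name_lists[1]` its host key algorithms, which is the ASCII view the log line above lacks.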
