[Bro] SSH-enhancement
Seth Hall
seth at icir.org
Thu Mar 8 09:14:18 PST 2012
On Mar 8, 2012, at 11:56 AM, Arne Wirtz wrote:
> I have 2 questions :
> 1 ) is it possible to change the logging in a more ascii style the way
> the first two exchanged packets are logged ? ( I tested different
> options for the ContentAnalyzer from ContentLine.cc, e.g.
> SetPlainDelivery and SetCRLFAsEOL, but all I got was hex style logging
> for the first packets. )
I'm a little unclear about the changes you made. If you could work with our repository and send us a diff that would be much more helpful. I do think that part of your problem is that you aren't actually parsing those fields. You're just shoving the data after the version exchange into a string but there is a lot of structure to it which you are just directly including in your output.
> 2 ) I think the delivered data are not all there is, wireshark shows
> more package content, am I missing something ?
It's funny that you are looking into this. I've been planning on overhauling the SSH analyzer very soon myself. I was going to turn the whole analyzer into a binpac based analyzer and my plan was to extract a lot more data than is currently extracted. It should address what you are trying to do at least.
�
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
More information about the Bro
mailing list