@@ -11,46 +11,48 @@ Summary
1111~~~~~~~
1212Events
1313######
14- ==================================================== ==================================================================
15- :zeek:id: `ssh1_server_host_key `: :zeek:type: `event ` During the :abbr: `SSH ( Secure Shell ) ` key exchange, the server
16- supplies its public host key.
17- :zeek:id: `ssh2_dh_gex_init `: :zeek:type: `event ` Generated if the connection uses a Diffie-Hellman Group Exchange
18- key exchange method.
19- :zeek:id: `ssh2_dh_server_params `: :zeek:type: `event ` Generated if the connection uses a Diffie-Hellman Group Exchange
20- key exchange method.
21- :zeek:id: `ssh2_ecc_init `: :zeek:type: `event ` The :abbr: `ECDH ( Elliptic Curve Diffie-Hellman ) ` and
22- :abbr: `ECMQV ( Elliptic Curve Menezes-Qu-Vanstone ) ` key exchange
23- algorithms use two ephemeral key pairs to generate a shared
24- secret.
25- :zeek:id: `ssh2_ecc_key `: :zeek:type: `event ` The :abbr: `ECDH ( Elliptic Curve Diffie-Hellman ) ` and
26- :abbr: `ECMQV ( Elliptic Curve Menezes-Qu-Vanstone ) ` key exchange
27- algorithms use two ephemeral key pairs to generate a shared
28- secret.
29- :zeek:id: `ssh2_gss_error `: :zeek:type: `event ` In the event of a GSS-API error on the server, the server MAY send
30- send an error message with some additional details.
31- :zeek:id: `ssh2_gss_init `: :zeek:type: `event ` In the event of a GSS-API key exchange, this event is raised on
32- SSH_MSG_KEXGSS_INIT message.
33- :zeek:id: `ssh2_rsa_secret `: :zeek:type: `event ` In the event of a GSS-API key exchange, this event is raised on
34- SSH_MSG_KEXRSA_PUBKEY message.
35- :zeek:id: `ssh2_server_host_key `: :zeek:type: `event ` During the :abbr: `SSH ( Secure Shell ) ` key exchange, the server
36- supplies its public host key.
37- :zeek:id: `ssh_auth_attempted `: :zeek:type: `event ` This event is generated when an :abbr: `SSH ( Secure Shell ) `
38- connection was determined to have had an authentication attempt.
39- :zeek:id: `ssh_auth_successful `: :zeek:type: `event ` This event is generated when an :abbr: `SSH ( Secure Shell ) `
40- connection was determined to have had a successful
41- authentication.
42- :zeek:id: `ssh_capabilities `: :zeek:type: `event ` During the initial :abbr: `SSH ( Secure Shell ) ` key exchange, each
43- endpoint lists the algorithms that it supports, in order of
44- preference.
45- :zeek:id: `ssh_client_version `: :zeek:type: `event ` An :abbr: `SSH ( Secure Shell ) ` Protocol Version Exchange message
46- from the client.
47- :zeek:id: `ssh_encrypted_packet `: :zeek:type: `event ` This event is generated when an :abbr: `SSH ( Secure Shell ) `
48- encrypted packet is seen.
49- :zeek:id: `ssh_server_host_key `: :zeek:type: `event ` During the :abbr: `SSH ( Secure Shell ) ` key exchange, the server
50- supplies its public host key.
51- :zeek:id: `ssh_server_version `: :zeek:type: `event ` An :abbr: `SSH ( Secure Shell ) ` Protocol Version Exchange message
52- from the server.
53- ==================================================== ==================================================================
14+ ========================================================= ==================================================================
15+ :zeek:id: `ssh1_server_host_key `: :zeek:type: `event ` During the :abbr: `SSH ( Secure Shell ) ` key exchange, the server
16+ supplies its public host key.
17+ :zeek:id: `ssh2_dh_gex_init `: :zeek:type: `event ` Generated if the connection uses a Diffie-Hellman Group Exchange
18+ key exchange method.
19+ :zeek:id: `ssh2_dh_server_params `: :zeek:type: `event ` Generated if the connection uses a Diffie-Hellman Group Exchange
20+ key exchange method.
21+ :zeek:id: `ssh2_ecc_init `: :zeek:type: `event ` The :abbr: `ECDH ( Elliptic Curve Diffie-Hellman ) ` and
22+ :abbr: `ECMQV ( Elliptic Curve Menezes-Qu-Vanstone ) ` key exchange
23+ algorithms use two ephemeral key pairs to generate a shared
24+ secret.
25+ :zeek:id: `ssh2_ecc_key `: :zeek:type: `event ` The :abbr: `ECDH ( Elliptic Curve Diffie-Hellman ) ` and
26+ :abbr: `ECMQV ( Elliptic Curve Menezes-Qu-Vanstone ) ` key exchange
27+ algorithms use two ephemeral key pairs to generate a shared
28+ secret.
29+ :zeek:id: `ssh2_gss_error `: :zeek:type: `event ` In the event of a GSS-API error on the server, the server MAY send
30+ send an error message with some additional details.
31+ :zeek:id: `ssh2_gss_init `: :zeek:type: `event ` In the event of a GSS-API key exchange, this event is raised on
32+ SSH_MSG_KEXGSS_INIT message.
33+ :zeek:id: `ssh2_rsa_secret `: :zeek:type: `event ` In the event of a GSS-API key exchange, this event is raised on
34+ SSH_MSG_KEXRSA_PUBKEY message.
35+ :zeek:id: `ssh2_server_host_key `: :zeek:type: `event ` During the :abbr: `SSH ( Secure Shell ) ` key exchange, the server
36+ supplies its public host key.
37+ :zeek:id: `ssh_auth_attempted `: :zeek:type: `event ` This event is generated when an :abbr: `SSH ( Secure Shell ) `
38+ connection was determined to have had an authentication attempt.
39+ :zeek:id: `ssh_auth_successful `: :zeek:type: `event ` This event is generated when an :abbr: `SSH ( Secure Shell ) `
40+ connection was determined to have had a successful
41+ authentication.
42+ :zeek:id: `ssh_capabilities `: :zeek:type: `event ` During the initial :abbr: `SSH ( Secure Shell ) ` key exchange, each
43+ endpoint lists the algorithms that it supports, in order of
44+ preference.
45+ :zeek:id: `ssh_client_version `: :zeek:type: `event ` An :abbr: `SSH ( Secure Shell ) ` Protocol Version Exchange message
46+ from the client.
47+ :zeek:id: `ssh_encrypted_packet `: :zeek:type: `event ` This event is generated when an :abbr: `SSH ( Secure Shell ) `
48+ encrypted packet is seen.
49+ :zeek:id: `ssh_server_host_key `: :zeek:type: `event ` During the :abbr: `SSH ( Secure Shell ) ` key exchange, the server
50+ supplies its public host key.
51+ :zeek:id: `ssh_server_pre_banner_data `: :zeek:type: `event ` SSH servers can send textual data to the client before sending
52+ a banner.
53+ :zeek:id: `ssh_server_version `: :zeek:type: `event ` An :abbr: `SSH ( Secure Shell ) ` Protocol Version Exchange message
54+ from the server.
55+ ========================================================= ==================================================================
5456
5557
5658Detailed Interface
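Review bot: The summary cell for `ssh_server_pre_banner_data` (new rows 51-52) describes what servers can do rather than when the event is raised, unlike neighbouring rows that say "Generated if ..." or "This event is generated when ...". Suggest opening the event's comment with a sentence such as "Generated when an SSH server sends textual data before its version banner", so the table tells a script writer what triggers it. Since the whole table is re-emitted in this hunk, two carried-over descriptions could be corrected in the same pass: `ssh2_gss_error` reads "the server MAY send send an error message" (doubled word), and `ssh2_rsa_secret` is described as a GSS-API key exchange event raised on SSH_MSG_KEXRSA_PUBKEY, which looks copied from the `ssh2_gss_init` row.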
@@ -478,6 +480,27 @@ Events
478480 ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
479481 ssh2_gss_init ssh2_rsa_secret
480482
483+ .. zeek :id :: ssh_server_pre_banner_data
484+ :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 372 372
485+
486+ :Type: :zeek:type: `event ` (c: :zeek:type: `connection `, data: :zeek:type: `string `)
487+
488+ SSH servers can send textual data to the client before sending
489+ a banner. The primary use case of this are error messages of TCP
490+ wrappers.
491+
492+ As this event happens before the SSH banner is exchanged, it is
493+ possible that it contains data from different protocols; e.g. if
494+ an SSH client connects to a non-SSH-server.
495+
496+
497+ :param c: The connection.
498+
499+
500+ :param data: The pre-banner data.
501+
502+ .. zeek :see :: ssh_server_version
503+
481504 .. zeek :id :: ssh_server_version
482505 :source-code: base/bif/plugins/Zeek_SSH.events.bif.zeek 19 19
483506
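Review bot: The documentation for `data` (new lines 488-500) leaves out what a handler needs in order to treat it safely: whether the event is raised once per line or once for the whole pre-banner payload, whether the string is length-limited, and whether it can contain non-printable bytes. The text itself says the data may belong to a different protocol when the peer is not an SSH server, so it is worth stating explicitly that `data` is untrusted, server-supplied content that scripts should escape or truncate before logging. Minor wording: "The primary use case of this are error messages" should read "The primary use case for this is error messages".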
@@ -499,6 +522,6 @@ Events
499522 ssh_capabilities ssh2_server_host_key ssh1_server_host_key
500523 ssh_server_host_key ssh_encrypted_packet ssh2_dh_server_params
501524 ssh2_gss_error ssh2_ecc_key ssh2_ecc_init ssh2_dh_gex_init
502- ssh2_gss_init ssh2_rsa_secret
525+ ssh2_gss_init ssh2_rsa_secret ssh_server_pre_banner_data
503526
504527
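Review bot: Only this `see` list gains `ssh_server_pre_banner_data` (new line 525); the list shown as context at old lines 478-479 in the previous hunk still ends at "ssh2_gss_init ssh2_rsa_secret", and the new event's own entry links back only to `ssh_server_version`. If the cross-reference lists are meant to be symmetric across the SSH events, add the new event to the other lists as well, or say in the commit message why it is referenced from this one entry alone.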