Take a look: http://try.bro.org/#/trybro/saved/228251

In this instance, the client sent the Key Exchange Init packet first and the server sent its Key Exchange Init packet second. The client packet actually contained the list of encryption algorithms seen here, but it's being printed out when I specify is_server == T; it should be printed when is_server == F, right?

It also looks like ssh_capabilities is only capturing details within the first Key Exchange Init packet, whether that be the one from the server or the client, and ignoring the second one. So sometimes the server will send the KEI first, Bro captures that, then the client sends its KEI and it looks like Bro ignores it. Same thing happens when it's the other way around. I want to be able to look at the details in both KEIs.

Does this make sense? Does anyone know how this can be fixed or maybe I'm doing something wrong here?

Thanks!
John
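For reference on what each side's Key Exchange Init carries, here is an added example (not from the original post or from Bro's code): a Python parser for the SSH_MSG_KEXINIT payload layout of RFC 4253, section 7.1, that keeps one parsed message per sender regardless of which arrived first. The function names and the sample algorithm lists are constructed for illustration.

```python
import struct
SSH_MSG_KEXINIT = 20  # message number from RFC 4253
# The ten name-lists of a KEXINIT payload, in wire order (RFC 4253, section 7.1).
FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

def parse_kexinit(payload):
    """Return the name-lists of one SSH_MSG_KEXINIT payload as a dict."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    out, pos = {"cookie": payload[1:17]}, 17
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated before " + name)
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("name-list overruns payload: " + name)
        text = payload[pos:pos + length].decode("ascii")
        out[name] = text.split(",") if text else []
        pos += length
    return out

def collect_kexinits(messages):
    """Keep one parsed KEXINIT per sender, whichever side spoke first."""
    seen = {}
    for is_server, payload in messages:
        side = "server" if is_server else "client"
        seen.setdefault(side, parse_kexinit(payload))
    return seen

def build_kexinit(enc):
    """Build a constructed sample payload (zero cookie) offering ciphers `enc`."""
    lists = [["curve25519-sha256"], ["ssh-ed25519"], enc, enc,
             ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []]
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for names in lists:
        data = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
# Constructed sample: the client sends its KEXINIT first, the server second.
CLIENT = build_kexinit(["aes256-ctr", "aes128-ctr"])
SERVER = build_kexinit(["aes128-ctr"])
BOTH = collect_kexinits([(False, CLIENT), (True, SERVER)])
```

Each KEXINIT lists the sender's own preferences for both traffic directions, so the client and server lists have to be stored separately to be compared.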