detect-ssh-proto-version.c File Reference
#include "suricata-common.h"
#include "threads.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "app-layer-ssh.h"
#include "detect-ssh-proto-version.h"
#include "stream-tcp.h"
#include "stream-tcp-reassemble.h"


Macros

#define PARSE_REGEX   "^\\s*\"?\\s*([0-9]+([\\.\\-0-9]+)?|2_compat)\\s*\"?\\s*$"
 Regex for parsing the protoversion rule option: either the literal 2_compat or digits optionally followed by further digits, dots or dashes, with optional surrounding whitespace and an optional double quote on either side.
 
#define MAX_SUBSTRINGS   30
 

Functions

void DetectSshVersionRegister (void)
 Registers the ssh.protoversion keyword (DETECT_AL_SSH_PROTOVERSION) in sigmatch_table, wiring up its name, description, documentation URL and its Setup, Free, AppLayerTxMatch and RegisterTests callbacks.
 

Detailed Description

Author
Pablo Rincon <pablo.rincon.crespo@gmail.com>

Implements the ssh.protoversion keyword. A rule can match a concrete version (ssh.protoversion:1.66), match any protocol-version-2-compatible peer, where a banner advertising 1.99 is treated as 2 (ssh.protoversion:2_compat), or match only a prefix of the version string (ssh.protoversion:"1."). The value compared against is the protocol version the client or server announced in its SSH identification banner, which is exchanged in cleartext before key exchange or authentication; it is self-reported and trivially spoofed, so a match is an indicator of the advertised version, not proof of the peer's actual software.

Definition in file detect-ssh-proto-version.c.

Macro Definition Documentation

/* Size of the substring-offset vector used when PARSE_REGEX is applied to a
 * rule's protoversion argument.  NOTE(review): presumably the pcre ovector
 * length (a multiple of 3, giving room for up to 10 captures) -- confirm
 * against the definition at line 60 of the source. */
#define MAX_SUBSTRINGS   30
/* Grammar of the ssh.protoversion:<value> rule option.  With optional
 * surrounding whitespace and an optional double quote on either side, accepts
 * either the literal 2_compat or a number: one or more digits optionally
 * followed by any run of digits, dots and dashes ("1.99", "2.0", "1.").
 * Each quote is optional independently, so an unbalanced form such as "1.
 * is accepted, and the tail class admits odd shapes like 1.-. : this is a
 * lenient syntax check on rule text, not a semantic validation of the
 * version value. */
#define PARSE_REGEX   "^\\s*\"?\\s*([0-9]+([\\.\\-0-9]+)?|2_compat)\\s*\"?\\s*$"

Regex for parsing the protoversion rule option: either the literal 2_compat or digits optionally followed by further digits, dots or dashes, with optional surrounding whitespace and an optional double quote on either side. It is a syntactic check on the rule text only; an unbalanced quote or an odd tail such as 1.-. still matches.

Definition at line 60 of file detect-ssh-proto-version.c.

Referenced by DetectSshVersionRegister().

Function Documentation

void DetectSshVersionRegister ( void  )

Registers the ssh.protoversion keyword (DETECT_AL_SSH_PROTOVERSION) in sigmatch_table, wiring up its name, description, documentation URL and its Setup, Free, AppLayerTxMatch and RegisterTests callbacks.

Definition at line 76 of file detect-ssh-proto-version.c.

References Flow_::alproto, ALPROTO_SSH, Flow_::alstate, AppLayerParserParse(), AppLayerParserThreadCtxAlloc(), AppLayerParserThreadCtxFree(), SigTableElmt_::AppLayerTxMatch, SshState_::cli_hdr, SigMatch_::ctx, DE_QUIET, SigTableElmt_::desc, DETECT_AL_SSH_PROTOVERSION, DetectBufferTypeRegister(), DetectEngineCtxFree(), DetectEngineCtxInit(), DetectEngineThreadCtxDeinit(), DetectEngineThreadCtxInit(), DetectSetupParseRegexes(), DetectSignatureSetAppProto(), DOC_URL, DOC_VERSION, FAIL_IF, FAIL_IF_NULL, DetectSshVersionData_::flags, flags, SshHeader_::flags, Packet_::flags, DetectEngineCtx_::flags, SigTableElmt_::flags, Packet_::flow, FLOW_DESTROY, FLOW_INITIALIZE, FLOW_PKT_ESTABLISHED, FLOW_PKT_TOSERVER, Packet_::flowflags, FLOWLOCK_UNLOCK, FLOWLOCK_WRLOCK, SigTableElmt_::Free, DetectSshVersionData_::len, m, MAX_SUBSTRINGS, SigTableElmt_::name, PacketAlertCheck(), PARSE_REGEX, PASS, PKT_HAS_FLOW, PKT_STREAM_EST, Flow_::proto, SshHeader_::proto_version, Flow_::protoctx, SigTableElmt_::RegisterTests, res, SC_ERR_PCRE_GET_SUBSTRING, SC_ERR_PCRE_MATCH, SCEnter, SCFree, SCLogDebug, SCLogError, SCMalloc, SCReturnInt, SCStrdup, SigTableElmt_::Setup, DetectEngineCtx_::sig_list, SigCleanSignatures(), SigGroupBuild(), SigGroupCleanup(), SigInit(), SIGMATCH_QUOTES_OPTIONAL, sigmatch_table, SigMatchAlloc(), SigMatchAppendSMToList(), SigMatchSignatures(), SshState_::srv_hdr, SSH_FLAG_PROTOVERSION_2_COMPAT, SSH_FLAG_VERSION_PARSED, str, STREAM_TOCLIENT, STREAM_TOSERVER, StreamTcpFreeConfig(), StreamTcpInitConfig(), TRUE, SigMatch_::type, unlikely, SigTableElmt_::url, UTHBuildPacket(), UTHFreePackets(), UtRegisterTest(), and DetectSshVersionData_::ver.

Referenced by SigTableSetup().

