61 #define PARSE_REGEX "^\\s*\"?\\s*([0-9]+([\\.\\-0-9]+)?|2_compat)\\s*\"?\\s*$"
66 Flow *, uint8_t,
void *,
void *,
70 static void DetectSshVersionRegisterTests(
void);
73 static int g_ssh_banner_list_id = 0;
109 Flow *f, uint8_t
flags,
void *state,
void *txv,
126 if (rs_ssh_tx_get_protocol(txv, &
protocol, &b_len,
flags) != 1)
132 SCLogDebug(
"looking for ssh protoversion 2 compat");
135 }
else if (b_len >= 4) {
136 if (memcmp(
protocol,
"1.99", 4) == 0) {
141 SCLogDebug(
"looking for ssh protoversion %s length %"PRIu16
"", ssh->
ver, ssh->
len);
142 if (b_len == ssh->
len) {
163 int ret = 0,
res = 0;
167 if (ret < 1 || ret > 3) {
174 res = pcre2_substring_get_bynumber(
175 parse_regex.
match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
184 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
191 if (strcmp(
"2_compat", str_ptr) == 0) {
193 SCLogDebug(
"will look for ssh protocol version 2 (2, 2.0, 1.99 that's considered as 2");
194 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
199 if (ssh->
ver == NULL) {
200 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
203 ssh->
len = strlen((
char *) ssh->
ver);
204 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
213 DetectSshVersionFree(
de_ctx, ssh);
237 ssh = DetectSshVersionParse(
de_ctx,
str);
248 sm->
ctx = (
void *)ssh;
255 DetectSshVersionFree(
de_ctx, ssh);
280 static int DetectSshVersionTestParse01 (
void)
283 ssh = DetectSshVersionParse(NULL,
"1.0");
284 if (ssh != NULL && strncmp((
char *) ssh->
ver,
"1.0", 3) == 0) {
285 DetectSshVersionFree(NULL, ssh);
296 static int DetectSshVersionTestParse02 (
void)
299 ssh = DetectSshVersionParse(NULL,
"2_compat");
301 DetectSshVersionFree(NULL, ssh);
312 static int DetectSshVersionTestParse03 (
void)
315 ssh = DetectSshVersionParse(NULL,
"2_com");
317 DetectSshVersionFree(NULL, ssh);
320 ssh = DetectSshVersionParse(NULL,
"");
322 DetectSshVersionFree(NULL, ssh);
325 ssh = DetectSshVersionParse(NULL,
".1");
327 DetectSshVersionFree(NULL, ssh);
330 ssh = DetectSshVersionParse(NULL,
"lalala");
332 DetectSshVersionFree(NULL, ssh);
344 static int DetectSshVersionTestDetect01(
void)
352 uint8_t sshbuf1[] =
"SSH-1.";
353 uint8_t sshbuf2[] =
"10-PuTTY_2.123" ;
354 uint8_t sshbuf3[] =
"\n";
355 uint8_t sshbuf4[] =
"whatever...";
357 uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
358 uint32_t sshlens[4] = {
sizeof(sshbuf1) - 1,
sizeof(sshbuf2) - 1,
sizeof(sshbuf3) - 1,
sizeof(sshbuf4) - 1};
360 memset(&
tv, 0x00,
sizeof(
tv));
368 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1234, 2222);
371 f->
proto = IPPROTO_TCP;
382 memset(&th_v, 0,
sizeof(th_v));
396 for (
int i=0; i<4; i++) {
421 static int DetectSshVersionTestDetect02(
void)
429 uint8_t sshbuf1[] =
"SSH-1.99-Pu";
430 uint8_t sshbuf2[] =
"TTY_2.123" ;
431 uint8_t sshbuf3[] =
"\n";
432 uint8_t sshbuf4[] =
"whatever...";
434 uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
435 uint32_t sshlens[4] = {
sizeof(sshbuf1) - 1,
sizeof(sshbuf2) - 1,
sizeof(sshbuf3) - 1,
sizeof(sshbuf4) - 1};
437 memset(&
tv, 0x00,
sizeof(
tv));
445 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1234, 2222);
448 f->
proto = IPPROTO_TCP;
459 memset(&th_v, 0,
sizeof(th_v));
473 for (
int i=0; i<4; i++) {
498 static int DetectSshVersionTestDetect03(
void)
506 uint8_t sshbuf1[] =
"SSH-1.";
507 uint8_t sshbuf2[] =
"7-PuTTY_2.123" ;
508 uint8_t sshbuf3[] =
"\n";
509 uint8_t sshbuf4[] =
"whatever...";
511 uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
512 uint32_t sshlens[4] = {
sizeof(sshbuf1) - 1,
sizeof(sshbuf2) - 1,
sizeof(sshbuf3) - 1,
sizeof(sshbuf4) - 1};
514 memset(&
tv, 0x00,
sizeof(
tv));
522 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1234, 2222);
525 f->
proto = IPPROTO_TCP;
536 memset(&th_v, 0,
sizeof(th_v));
550 for (
int i=0; i<4; i++) {
577 static void DetectSshVersionRegisterTests(
void)
579 UtRegisterTest(
"DetectSshVersionTestParse01", DetectSshVersionTestParse01);
580 UtRegisterTest(
"DetectSshVersionTestParse02", DetectSshVersionTestParse02);
581 UtRegisterTest(
"DetectSshVersionTestParse03", DetectSshVersionTestParse03);
583 DetectSshVersionTestDetect01);
585 DetectSshVersionTestDetect02);
587 DetectSshVersionTestDetect03);
void DetectSshVersionRegister(void)
Registration function for keyword: ssh.protoversion.
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
#define SSH_FLAG_PROTOVERSION_2_COMPAT
void StreamTcpUTDeinit(TcpReassemblyThreadCtx *ra_ctx)
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
int DetectParsePcreExec(DetectParseRegex *parse_regex, const char *str, int start_offset, int options)
void(* Free)(DetectEngineCtx *, void *)
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define SIGMATCH_QUOTES_OPTIONAL
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
@ DETECT_AL_SSH_PROTOVERSION
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
main detection engine ctx
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that builds packets with default IP and port fields.
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
@ SC_ERR_PCRE_GET_SUBSTRING
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
void StreamTcpUTInitInline(void)
void StreamTcpUTInit(TcpReassemblyThreadCtx **ra_ctx)
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
#define PASS
Pass the test.
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Per thread variable structure.
void StreamTcpUTSetupStream(TcpStream *s, uint32_t isn)
Data structures and function prototypes for keeping state for the detection engine.
SigMatch * SigMatchAlloc(void)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UTHFreeFlow(Flow *flow)
Used to start a pointer to a SigMatch context. Should never be dereferenced without casting to something...
void StreamTcpUTClearSession(TcpSession *ssn)
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize the thread-specific detection engine context
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
int DetectBufferTypeRegister(const char *name)
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
int StreamTcpUTAddSegmentWithPayload(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpStream *stream, uint32_t seq, uint8_t *payload, uint16_t len)
void StreamTcpUTSetupSession(TcpSession *ssn)
#define SIGMATCH_INFO_DEPRECATED
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
a single match condition for a signature
DetectEngineCtx * DetectEngineCtxInit(void)
#define PARSE_REGEX
Regex for parsing the protoversion string.
AppProto alproto
application level protocol
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
void(* RegisterTests)(void)