61 #define PARSE_REGEX "^\\s*\"?\\s*([0-9]+([\\.\\-0-9]+)?|2_compat)\\s*\"?\\s*$"
66 Flow *, uint8_t,
void *,
void *,
70 static void DetectSshVersionRegisterTests(
void);
73 static int g_ssh_banner_list_id = 0;
109 Flow *f, uint8_t
flags,
void *state,
void *txv,
126 if (rs_ssh_tx_get_protocol(txv, &
protocol, &b_len,
flags) != 1)
132 SCLogDebug(
"looking for ssh protoversion 2 compat");
135 }
else if (b_len >= 4) {
136 if (memcmp(
protocol,
"1.99", 4) == 0) {
141 SCLogDebug(
"looking for ssh protoversion %s length %"PRIu16
"", ssh->
ver, ssh->
len);
142 if (b_len == ssh->
len) {
166 pcre2_match_data *match = NULL;
168 if (ret < 1 || ret > 3) {
169 SCLogError(
"invalid ssh.protoversion option");
175 res = pcre2_substring_get_bynumber(match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
177 SCLogError(
"pcre2_substring_get_bynumber failed");
184 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
190 if (strcmp(
"2_compat", str_ptr) == 0) {
192 SCLogDebug(
"will look for ssh protocol version 2 (2, 2.0, 1.99 that's considered as 2");
193 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
198 if (ssh->
ver == NULL) {
199 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
202 ssh->
len = (uint16_t)strlen((
char *)ssh->
ver);
203 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
208 pcre2_match_data_free(match);
213 pcre2_match_data_free(match);
216 DetectSshVersionFree(
de_ctx, ssh);
239 ssh = DetectSshVersionParse(
de_ctx,
str);
247 g_ssh_banner_list_id) == NULL) {
254 DetectSshVersionFree(
de_ctx, ssh);
278 static int DetectSshVersionTestParse01 (
void)
281 ssh = DetectSshVersionParse(NULL,
"1.0");
284 DetectSshVersionFree(NULL, ssh);
293 static int DetectSshVersionTestParse02 (
void)
296 ssh = DetectSshVersionParse(NULL,
"2_compat");
298 DetectSshVersionFree(NULL, ssh);
307 static int DetectSshVersionTestParse03 (
void)
310 ssh = DetectSshVersionParse(NULL,
"2_com");
312 ssh = DetectSshVersionParse(NULL,
"");
314 ssh = DetectSshVersionParse(NULL,
".1");
316 ssh = DetectSshVersionParse(NULL,
"lalala");
327 static int DetectSshVersionTestDetect01(
void)
335 uint8_t sshbuf1[] =
"SSH-1.";
336 uint8_t sshbuf2[] =
"10-PuTTY_2.123" ;
337 uint8_t sshbuf3[] =
"\n";
338 uint8_t sshbuf4[] =
"whatever...";
340 uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
341 uint32_t sshlens[4] = {
sizeof(sshbuf1) - 1,
sizeof(sshbuf2) - 1,
sizeof(sshbuf3) - 1,
sizeof(sshbuf4) - 1};
343 memset(&
tv, 0x00,
sizeof(
tv));
351 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1234, 2222);
354 f->
proto = IPPROTO_TCP;
365 memset(&th_v, 0,
sizeof(th_v));
379 for (
int i=0; i<4; i++) {
404 static int DetectSshVersionTestDetect02(
void)
412 uint8_t sshbuf1[] =
"SSH-1.99-Pu";
413 uint8_t sshbuf2[] =
"TTY_2.123" ;
414 uint8_t sshbuf3[] =
"\n";
415 uint8_t sshbuf4[] =
"whatever...";
417 uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
418 uint32_t sshlens[4] = {
sizeof(sshbuf1) - 1,
sizeof(sshbuf2) - 1,
sizeof(sshbuf3) - 1,
sizeof(sshbuf4) - 1};
420 memset(&
tv, 0x00,
sizeof(
tv));
428 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1234, 2222);
431 f->
proto = IPPROTO_TCP;
442 memset(&th_v, 0,
sizeof(th_v));
456 for (
int i=0; i<4; i++) {
481 static int DetectSshVersionTestDetect03(
void)
489 uint8_t sshbuf1[] =
"SSH-1.";
490 uint8_t sshbuf2[] =
"7-PuTTY_2.123" ;
491 uint8_t sshbuf3[] =
"\n";
492 uint8_t sshbuf4[] =
"whatever...";
494 uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
495 uint32_t sshlens[4] = {
sizeof(sshbuf1) - 1,
sizeof(sshbuf2) - 1,
sizeof(sshbuf3) - 1,
sizeof(sshbuf4) - 1};
497 memset(&
tv, 0x00,
sizeof(
tv));
505 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1234, 2222);
508 f->
proto = IPPROTO_TCP;
519 memset(&th_v, 0,
sizeof(th_v));
533 for (
int i=0; i<4; i++) {
560 static void DetectSshVersionRegisterTests(
void)
562 UtRegisterTest(
"DetectSshVersionTestParse01", DetectSshVersionTestParse01);
563 UtRegisterTest(
"DetectSshVersionTestParse02", DetectSshVersionTestParse02);
564 UtRegisterTest(
"DetectSshVersionTestParse03", DetectSshVersionTestParse03);
566 DetectSshVersionTestDetect01);
568 DetectSshVersionTestDetect02);
570 DetectSshVersionTestDetect03);
void DetectSshVersionRegister(void)
Registration function for keyword: ssh.protoversion.
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
#define SSH_FLAG_PROTOVERSION_2_COMPAT
void StreamTcpUTDeinit(TcpReassemblyThreadCtx *ra_ctx)
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void(* Free)(DetectEngineCtx *, void *)
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define SIGMATCH_QUOTES_OPTIONAL
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
@ DETECT_AL_SSH_PROTOVERSION
main detection engine ctx
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that builds packets with default ip and port fields.
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
void StreamTcpUTInitInline(void)
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
void StreamTcpUTInit(TcpReassemblyThreadCtx **ra_ctx)
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
#define PASS
Pass the test.
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Per thread variable structure.
void StreamTcpUTSetupStream(TcpStream *s, uint32_t isn)
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Data structures and function prototypes for keeping state for the detection engine.
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UTHFreeFlow(Flow *flow)
Used to start a pointer to SigMatch context. Should never be dereferenced without casting to something...
void StreamTcpUTClearSession(TcpSession *ssn)
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
int DetectBufferTypeRegister(const char *name)
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
int StreamTcpUTAddSegmentWithPayload(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpStream *stream, uint32_t seq, uint8_t *payload, uint16_t len)
void StreamTcpUTSetupSession(TcpSession *ssn)
#define SCLogError(...)
Macro used to log ERROR messages.
#define SIGMATCH_INFO_DEPRECATED
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
DetectEngineCtx * DetectEngineCtxInit(void)
#define PARSE_REGEX
Regex for parsing the protoversion string.
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
AppProto alproto
application level protocol
void(* RegisterTests)(void)