suricata
detect-ssh-proto-version.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22  *
23  * Implements the ssh.protoversion keyword
24  * You can specify a concrete version like ssh.protoversion: 1.66
25  * or search for protoversion 2 compat (1.99 is considered as 2) like
26  * ssh.protoversion:2_compat
27  * or just the beginning of the string like ssh.protoversion:"1."
28  */
29 
30 #include "suricata-common.h"
31 #include "threads.h"
32 #include "debug.h"
33 #include "decode.h"
34 
35 #include "detect.h"
36 #include "detect-parse.h"
37 
38 #include "detect-engine.h"
39 #include "detect-engine-mpm.h"
40 #include "detect-engine-state.h"
41 
42 #include "flow.h"
43 #include "flow-var.h"
44 #include "flow-util.h"
45 
46 #include "util-debug.h"
47 #include "util-unittest.h"
48 #include "util-unittest-helper.h"
49 
50 #include "app-layer.h"
51 #include "app-layer-parser.h"
52 #include "app-layer-ssh.h"
54 
55 #include "stream-tcp.h"
56 
57 /**
58  * \brief Regex for parsing the protoversion string
59  */
60 #define PARSE_REGEX "^\\s*\"?\\s*([0-9]+([\\.\\-0-9]+)?|2_compat)\\s*\"?\\s*$"
61 
62 static pcre *parse_regex;
63 static pcre_extra *parse_regex_study;
64 
65 static int DetectSshVersionMatch (ThreadVars *, DetectEngineThreadCtx *,
66  Flow *, uint8_t, void *, void *,
67  const Signature *, const SigMatchCtx *);
68 static int DetectSshVersionSetup (DetectEngineCtx *, Signature *, const char *);
69 static void DetectSshVersionRegisterTests(void);
70 static void DetectSshVersionFree(void *);
71 static int g_ssh_banner_list_id = 0;
72 
73 /**
74  * \brief Registration function for keyword: ssh.protoversion
75  */
77 {
78  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].name = "ssh.protoversion";
79  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].desc = "match SSH protocol version";
80  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].url = DOC_URL DOC_VERSION "/rules/ssh-keywords.html#ssh-protoversion";
82  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Setup = DetectSshVersionSetup;
83  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Free = DetectSshVersionFree;
84  sigmatch_table[DETECT_AL_SSH_PROTOVERSION].RegisterTests = DetectSshVersionRegisterTests;
86 
87  DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
88 
89  g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner");
90 }
91 
92 /**
93  * \brief match the specified version on a ssh session
94  *
95  * \param t pointer to thread vars
96  * \param det_ctx pointer to the pattern matcher thread
97  * \param p pointer to the current packet
98  * \param m pointer to the sigmatch that we will cast into DetectSshVersionData
99  *
100  * \retval 0 no match
101  * \retval 1 match
102  */
103 static int DetectSshVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
104  Flow *f, uint8_t flags, void *state, void *txv,
105  const Signature *s, const SigMatchCtx *m)
106 {
107  SCEnter();
108 
109  SCLogDebug("lets see");
110 
112  SshState *ssh_state = (SshState *)state;
113  if (ssh_state == NULL) {
114  SCLogDebug("no ssh state, no match");
115  SCReturnInt(0);
116  }
117 
118  int ret = 0;
119  if ((flags & STREAM_TOCLIENT) && (ssh_state->srv_hdr.flags & SSH_FLAG_VERSION_PARSED)) {
121  SCLogDebug("looking for ssh server protoversion 2 compat");
122  if (strncmp((char *) ssh_state->srv_hdr.proto_version, "2", 1) == 0 ||
123  strncmp((char *) ssh_state->srv_hdr.proto_version, "2.", 2) == 0 ||
124  strncmp((char *) ssh_state->srv_hdr.proto_version, "1.99", 4) == 0)
125  ret = 1;
126  } else {
127  SCLogDebug("looking for ssh server protoversion %s length %"PRIu16"", ssh->ver, ssh->len);
128  ret = (strncmp((char *) ssh_state->srv_hdr.proto_version, (char *) ssh->ver, ssh->len) == 0)? 1 : 0;
129  }
130  } else if ((flags & STREAM_TOSERVER) && (ssh_state->cli_hdr.flags & SSH_FLAG_VERSION_PARSED)) {
132  SCLogDebug("looking for client ssh client protoversion 2 compat");
133  if (strncmp((char *) ssh_state->cli_hdr.proto_version, "2", 1) == 0 ||
134  strncmp((char *) ssh_state->cli_hdr.proto_version, "2.", 2) == 0 ||
135  strncmp((char *) ssh_state->cli_hdr.proto_version, "1.99", 4) == 0)
136  ret = 1;
137  } else {
138  SCLogDebug("looking for ssh client protoversion %s length %"PRIu16"", ssh->ver, ssh->len);
139  ret = (strncmp((char *) ssh_state->cli_hdr.proto_version, (char *) ssh->ver, ssh->len) == 0)? 1 : 0;
140  }
141  }
142  SCReturnInt(ret);
143 }
144 
145 /**
146  * \brief This function is used to parse IPV4 ip_id passed via keyword: "id"
147  *
148  * \param idstr Pointer to the user provided id option
149  *
150  * \retval id_d pointer to DetectSshVersionData on success
151  * \retval NULL on failure
152  */
153 static DetectSshVersionData *DetectSshVersionParse (const char *str)
154 {
155  DetectSshVersionData *ssh = NULL;
156  #define MAX_SUBSTRINGS 30
157  int ret = 0, res = 0;
158  int ov[MAX_SUBSTRINGS];
159 
160  ret = pcre_exec(parse_regex, parse_regex_study, str, strlen(str), 0, 0,
161  ov, MAX_SUBSTRINGS);
162 
163  if (ret < 1 || ret > 3) {
164  SCLogError(SC_ERR_PCRE_MATCH, "invalid ssh.protoversion option");
165  goto error;
166  }
167 
168  if (ret > 1) {
169  const char *str_ptr;
170  res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 1, &str_ptr);
171  if (res < 0) {
172  SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
173  goto error;
174  }
175 
176  /* We have a correct id option */
177  ssh = SCMalloc(sizeof(DetectSshVersionData));
178  if (unlikely(ssh == NULL))
179  goto error;
180 
181  memset(ssh, 0x00, sizeof(DetectSshVersionData));
182 
183  /* If we expect a protocol version 2 or 1.99 (considered 2, we
184  * will compare it with both strings) */
185  if (strcmp("2_compat", str_ptr) == 0) {
187  SCLogDebug("will look for ssh protocol version 2 (2, 2.0, 1.99 that's considered as 2");
188  return ssh;
189  }
190 
191  ssh->ver = (uint8_t *)SCStrdup((char*)str_ptr);
192  if (ssh->ver == NULL) {
193  goto error;
194  }
195  ssh->len = strlen((char *) ssh->ver);
196 
197  SCLogDebug("will look for ssh %s", ssh->ver);
198  }
199 
200  return ssh;
201 
202 error:
203  if (ssh != NULL)
204  DetectSshVersionFree(ssh);
205  return NULL;
206 
207 }
208 
209 /**
210  * \brief this function is used to add the parsed "id" option
211  * \brief into the current signature
212  *
213  * \param de_ctx pointer to the Detection Engine Context
214  * \param s pointer to the Current Signature
215  * \param idstr pointer to the user provided "id" option
216  *
217  * \retval 0 on Success
218  * \retval -1 on Failure
219  */
220 static int DetectSshVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
221 {
222  DetectSshVersionData *ssh = NULL;
223  SigMatch *sm = NULL;
224 
226  return -1;
227 
228  ssh = DetectSshVersionParse(str);
229  if (ssh == NULL)
230  goto error;
231 
232  /* Okay so far so good, lets get this into a SigMatch
233  * and put it in the Signature. */
234  sm = SigMatchAlloc();
235  if (sm == NULL)
236  goto error;
237 
239  sm->ctx = (void *)ssh;
240 
241  SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id);
242  return 0;
243 
244 error:
245  if (ssh != NULL)
246  DetectSshVersionFree(ssh);
247  if (sm != NULL)
248  SCFree(sm);
249  return -1;
250 
251 }
252 
253 /**
254  * \brief this function will free memory associated with DetectSshVersionData
255  *
256  * \param id_d pointer to DetectSshVersionData
257  */
258 void DetectSshVersionFree(void *ptr)
259 {
261  SCFree(id_d);
262 }
263 
264 #ifdef UNITTESTS /* UNITTESTS */
265 
266 /**
267  * \test DetectSshVersionTestParse01 is a test to make sure that we parse
268  * a proto version correctly
269  */
270 static int DetectSshVersionTestParse01 (void)
271 {
272  DetectSshVersionData *ssh = NULL;
273  ssh = DetectSshVersionParse("1.0");
274  if (ssh != NULL && strncmp((char *) ssh->ver, "1.0", 3) == 0) {
275  DetectSshVersionFree(ssh);
276  return 1;
277  }
278 
279  return 0;
280 }
281 
282 /**
283  * \test DetectSshVersionTestParse02 is a test to make sure that we parse
284  * the proto version (compatible with proto version 2) correctly
285  */
286 static int DetectSshVersionTestParse02 (void)
287 {
288  DetectSshVersionData *ssh = NULL;
289  ssh = DetectSshVersionParse("2_compat");
291  DetectSshVersionFree(ssh);
292  return 1;
293  }
294 
295  return 0;
296 }
297 
298 /**
299  * \test DetectSshVersionTestParse03 is a test to make sure that we
300  * don't return a ssh_data with an invalid value specified
301  */
302 static int DetectSshVersionTestParse03 (void)
303 {
304  DetectSshVersionData *ssh = NULL;
305  ssh = DetectSshVersionParse("2_com");
306  if (ssh != NULL) {
307  DetectSshVersionFree(ssh);
308  return 0;
309  }
310  ssh = DetectSshVersionParse("");
311  if (ssh != NULL) {
312  DetectSshVersionFree(ssh);
313  return 0;
314  }
315  ssh = DetectSshVersionParse(".1");
316  if (ssh != NULL) {
317  DetectSshVersionFree(ssh);
318  return 0;
319  }
320  ssh = DetectSshVersionParse("lalala");
321  if (ssh != NULL) {
322  DetectSshVersionFree(ssh);
323  return 0;
324  }
325 
326  return 1;
327 }
328 
329 
330 #include "stream-tcp-reassemble.h"
331 
332 /** \test Send a get request in three chunks + more data. */
333 static int DetectSshVersionTestDetect01(void)
334 {
335  Flow f;
336  uint8_t sshbuf1[] = "SSH-1.";
337  uint32_t sshlen1 = sizeof(sshbuf1) - 1;
338  uint8_t sshbuf2[] = "10-PuTTY_2.123" ;
339  uint32_t sshlen2 = sizeof(sshbuf2) - 1;
340  uint8_t sshbuf3[] = "\n";
341  uint32_t sshlen3 = sizeof(sshbuf3) - 1;
342  uint8_t sshbuf4[] = "whatever...";
343  uint32_t sshlen4 = sizeof(sshbuf4) - 1;
344  TcpSession ssn;
345  Packet *p = NULL;
346  Signature *s = NULL;
347  ThreadVars th_v;
348  DetectEngineThreadCtx *det_ctx = NULL;
350 
351  memset(&th_v, 0, sizeof(th_v));
352  memset(&f, 0, sizeof(f));
353  memset(&ssn, 0, sizeof(ssn));
354 
355  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
356  FAIL_IF_NULL(p);
357 
358  FLOW_INITIALIZE(&f);
359  f.protoctx = (void *)&ssn;
360  p->flow = &f;
364  f.alproto = ALPROTO_SSH;
365  f.proto = IPPROTO_TCP;
366 
368 
370  FAIL_IF_NULL (de_ctx);
371  de_ctx->flags |= DE_QUIET;
372 
373  s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.protoversion:1.10; sid:1;)");
374  FAIL_IF_NULL(s);
375 
376  SigGroupBuild(de_ctx);
377  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
378 
379  SCLogDebug("==> 1");
380  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH,
381  STREAM_TOSERVER, sshbuf1, sshlen1);
382  FAIL_IF(r != 0);
383 
384  SCLogDebug("==> 2");
385  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,
386  sshbuf2, sshlen2);
387  FAIL_IF(r != 0);
388 
389  SCLogDebug("==> 3");
390  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,
391  sshbuf3, sshlen3);
392  FAIL_IF(r != 0);
393 
394  SCLogDebug("==> 4");
395  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,
396  sshbuf4, sshlen4);
397  FAIL_IF(r != 0);
398 
399  SshState *ssh_state = f.alstate;
400  FAIL_IF_NULL(ssh_state);
401 
402  /* do detect */
403  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
404 
405  FAIL_IF(!(PacketAlertCheck(p, 1)));
406 
407  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
408  DetectEngineCtxFree(de_ctx);
409 
411  FLOW_DESTROY(&f);
412  UTHFreePackets(&p, 1);
413  AppLayerParserThreadCtxFree(alp_tctx);
414 
415  PASS;
416 }
417 
418 /** \test Send a get request in three chunks + more data. */
419 static int DetectSshVersionTestDetect02(void)
420 {
421  int result = 0;
422  Flow f;
423  uint8_t sshbuf1[] = "SSH-1.";
424  uint32_t sshlen1 = sizeof(sshbuf1) - 1;
425  uint8_t sshbuf2[] = "99-PuTTY_2.123" ;
426  uint32_t sshlen2 = sizeof(sshbuf2) - 1;
427  uint8_t sshbuf3[] = "\n";
428  uint32_t sshlen3 = sizeof(sshbuf3) - 1;
429  uint8_t sshbuf4[] = "whatever...";
430  uint32_t sshlen4 = sizeof(sshbuf4) - 1;
431  TcpSession ssn;
432  Packet *p = NULL;
433  Signature *s = NULL;
434  ThreadVars th_v;
435  DetectEngineThreadCtx *det_ctx = NULL;
437 
438  memset(&th_v, 0, sizeof(th_v));
439  memset(&f, 0, sizeof(f));
440  memset(&ssn, 0, sizeof(ssn));
441 
442  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
443 
444  FLOW_INITIALIZE(&f);
445  f.protoctx = (void *)&ssn;
446  p->flow = &f;
450  f.alproto = ALPROTO_SSH;
451  f.proto = IPPROTO_TCP;
452 
454 
456  if (de_ctx == NULL) {
457  goto end;
458  }
459 
460  de_ctx->flags |= DE_QUIET;
461 
462  s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.protoversion:2_compat; sid:1;)");
463  if (s == NULL) {
464  goto end;
465  }
466 
467  SigGroupBuild(de_ctx);
468  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
469 
470  FLOWLOCK_WRLOCK(&f);
471  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH,
472  STREAM_TOSERVER, sshbuf1, sshlen1);
473  if (r != 0) {
474  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
475  goto end;
476  }
477 
478  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,
479  sshbuf2, sshlen2);
480  if (r != 0) {
481  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
482  FLOWLOCK_UNLOCK(&f);
483  goto end;
484  }
485 
486  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,
487  sshbuf3, sshlen3);
488  if (r != 0) {
489  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
490  FLOWLOCK_UNLOCK(&f);
491  goto end;
492  }
493 
494  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,
495  sshbuf4, sshlen4);
496  if (r != 0) {
497  printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
498  FLOWLOCK_UNLOCK(&f);
499  goto end;
500  }
501  FLOWLOCK_UNLOCK(&f);
502 
503  SshState *ssh_state = f.alstate;
504  if (ssh_state == NULL) {
505  printf("no ssh state: ");
506  goto end;
507  }
508 
509  /* do detect */
510  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
511 
512  if ( !(PacketAlertCheck(p, 1))) {
513  printf("Error, the sig should match: ");
514  goto end;
515  }
516 
517  result = 1;
518 end:
519  SigGroupCleanup(de_ctx);
520  SigCleanSignatures(de_ctx);
521 
522  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
523  DetectEngineCtxFree(de_ctx);
524 
526  FLOW_DESTROY(&f);
527 
528  UTHFreePackets(&p, 1);
529  if (alp_tctx != NULL)
530  AppLayerParserThreadCtxFree(alp_tctx);
531  return result;
532 }
533 
534 /** \test Send a get request in three chunks + more data. */
535 static int DetectSshVersionTestDetect03(void)
536 {
537  int result = 0;
538  Flow f;
539  uint8_t sshbuf1[] = "SSH-1.";
540  uint32_t sshlen1 = sizeof(sshbuf1) - 1;
541  uint8_t sshbuf2[] = "7-PuTTY_2.123" ;
542  uint32_t sshlen2 = sizeof(sshbuf2) - 1;
543  uint8_t sshbuf3[] = "\n";
544  uint32_t sshlen3 = sizeof(sshbuf3) - 1;
545  uint8_t sshbuf4[] = "whatever...";
546  uint32_t sshlen4 = sizeof(sshbuf4) - 1;
547  TcpSession ssn;
548  Packet *p = NULL;
549  Signature *s = NULL;
550  ThreadVars th_v;
551  DetectEngineThreadCtx *det_ctx = NULL;
553 
554  memset(&th_v, 0, sizeof(th_v));
555  memset(&f, 0, sizeof(f));
556  memset(&ssn, 0, sizeof(ssn));
557 
558  p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
559 
560  FLOW_INITIALIZE(&f);
561  f.protoctx = (void *)&ssn;
562  p->flow = &f;
566  f.alproto = ALPROTO_SSH;
567  f.proto = IPPROTO_TCP;
568 
570 
572  if (de_ctx == NULL) {
573  goto end;
574  }
575 
576  de_ctx->flags |= DE_QUIET;
577 
578  s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.protoversion:2_compat; sid:1;)");
579  if (s == NULL) {
580  goto end;
581  }
582 
583  SigGroupBuild(de_ctx);
584  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
585 
586  FLOWLOCK_WRLOCK(&f);
587  int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH,
588  STREAM_TOSERVER, sshbuf1, sshlen1);
589  if (r != 0) {
590  printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
591  FLOWLOCK_UNLOCK(&f);
592  goto end;
593  }
594 
595  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,
596  sshbuf2, sshlen2);
597  if (r != 0) {
598  printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
599  FLOWLOCK_UNLOCK(&f);
600  goto end;
601  }
602 
603  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,
604  sshbuf3, sshlen3);
605  if (r != 0) {
606  printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
607  FLOWLOCK_UNLOCK(&f);
608  goto end;
609  }
610 
611  r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SSH, STREAM_TOSERVER,
612  sshbuf4, sshlen4);
613  if (r != 0) {
614  printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
615  FLOWLOCK_UNLOCK(&f);
616  goto end;
617  }
618  FLOWLOCK_UNLOCK(&f);
619 
620  SshState *ssh_state = f.alstate;
621  if (ssh_state == NULL) {
622  printf("no ssh state: ");
623  goto end;
624  }
625 
626  /* do detect */
627  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
628 
629  if (PacketAlertCheck(p, 1)) {
630  printf("Error, 1.7 version is not 2 compat, so the sig should not match: ");
631  goto end;
632  }
633 
634  result = 1;
635 end:
636  SigGroupCleanup(de_ctx);
637  SigCleanSignatures(de_ctx);
638 
639  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
640  DetectEngineCtxFree(de_ctx);
641 
643  FLOW_DESTROY(&f);
644 
645  UTHFreePackets(&p, 1);
646  if (alp_tctx != NULL)
647  AppLayerParserThreadCtxFree(alp_tctx);
648  return result;
649 }
650 
651 #endif /* UNITTESTS */
652 
653 /**
654  * \brief this function registers unit tests for DetectSshVersion
655  */
656 void DetectSshVersionRegisterTests(void)
657 {
658 #ifdef UNITTESTS /* UNITTESTS */
659  UtRegisterTest("DetectSshVersionTestParse01", DetectSshVersionTestParse01);
660  UtRegisterTest("DetectSshVersionTestParse02", DetectSshVersionTestParse02);
661  UtRegisterTest("DetectSshVersionTestParse03", DetectSshVersionTestParse03);
662  UtRegisterTest("DetectSshVersionTestDetect01",
663  DetectSshVersionTestDetect01);
664  UtRegisterTest("DetectSshVersionTestDetect02",
665  DetectSshVersionTestDetect02);
666  UtRegisterTest("DetectSshVersionTestDetect03",
667  DetectSshVersionTestDetect03);
668 #endif /* UNITTESTS */
669 }
670 
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect.h:1403
uint16_t flags
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1146
int(* AppLayerTxMatch)(ThreadVars *, DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Definition: detect.h:1132
SshHeader cli_hdr
Definition: app-layer-ssh.h:74
#define SCLogDebug(...)
Definition: util-debug.h:335
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
struct Flow_ * flow
Definition: decode.h:444
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
uint8_t proto
Definition: flow.h:346
#define FLOWLOCK_UNLOCK(fb)
Definition: flow.h:235
#define PASS
Pass the test.
#define unlikely(expr)
Definition: util-optimize.h:35
#define PARSE_REGEX
Regex for parsing the protoversion string.
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
uint8_t * proto_version
Definition: app-layer-ssh.h:60
Signature * sig_list
Definition: detect.h:726
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:195
void SigCleanSignatures(DetectEngineCtx *de_ctx)
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
#define FLOWLOCK_WRLOCK(fb)
Definition: flow.h:232
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
const char * name
Definition: detect.h:1160
Signature container.
Definition: detect.h:492
#define TRUE
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:319
void * protoctx
Definition: flow.h:398
main detection engine ctx
Definition: detect.h:720
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
void * alstate
Definition: flow.h:436
#define DE_QUIET
Definition: detect.h:298
#define str(s)
#define SSH_FLAG_VERSION_PARSED
Definition: app-layer-ssh.h:29
uint8_t flags
Definition: detect.h:721
SshHeader srv_hdr
Definition: app-layer-ssh.h:73
Data structures and function prototypes for keeping state for the detection engine.
void(* Free)(void *)
Definition: detect.h:1151
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
#define FLOW_DESTROY(f)
Definition: flow-util.h:115
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1752
void DetectSetupParseRegexes(const char *parse_str, pcre **parse_regex, pcre_extra **parse_regex_study)
#define SIGMATCH_QUOTES_OPTIONAL
Definition: detect.h:1340
#define SCEnter(...)
Definition: util-debug.h:337
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
uint8_t flowflags
Definition: decode.h:438
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
#define STREAM_TOCLIENT
Definition: stream.h:32
#define FLOW_PKT_TOSERVER
Definition: flow.h:193
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol&#39;s parser thread context.
int SigGroupCleanup(DetectEngineCtx *de_ctx)
uint8_t type
Definition: detect.h:325
#define SCReturnInt(x)
Definition: util-debug.h:341
void DetectSshVersionRegister(void)
Registration function for keyword: ssh.protoversion.
const char * desc
Definition: detect.h:1162
void SigMatchAppendSMToList(Signature *s, SigMatch *new, int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:282
int DetectBufferTypeRegister(const char *name)
uint8_t flags
Definition: app-layer-ssh.h:58
SigMatchCtx * ctx
Definition: detect.h:327
#define SCMalloc(a)
Definition: util-mem.h:174
#define SCFree(a)
Definition: util-mem.h:236
PoolThreadReserved res
#define SSH_FLAG_PROTOVERSION_2_COMPAT
const char * url
Definition: detect.h:1163
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
#define STREAM_TOSERVER
Definition: stream.h:31
SCMutex m
Definition: flow-hash.h:105
#define PKT_HAS_FLOW
Definition: decode.h:1101
#define SCStrdup(a)
Definition: util-mem.h:220
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
#define DOC_URL
Definition: suricata.h:86
SigMatch * SigMatchAlloc(void)
Definition: detect-parse.c:226
Per thread variable structure.
Definition: threadvars.h:57
AppProto alproto
application level protocol
Definition: flow.h:407
uint32_t flags
Definition: decode.h:442
#define DOC_VERSION
Definition: suricata.h:91
uint16_t flags
Definition: detect.h:1154
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Flow data structure.
Definition: flow.h:327
#define PKT_STREAM_EST
Definition: decode.h:1099
void(* RegisterTests)(void)
Definition: detect.h:1152
a single match condition for a signature
Definition: detect.h:324
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, uint8_t *input, uint32_t input_len)
DetectEngineCtx * DetectEngineCtxInit(void)
#define MAX_SUBSTRINGS