suricata
#include "suricata-common.h"
#include "threads.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "detect-engine-build.h"
#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "app-layer-ssh.h"
#include "detect-ssh-software-version.h"
#include "rust.h"
#include "stream-tcp.h"
#include "detect-engine-alert.h"
#include "stream-tcp-reassemble.h"
#include "stream-tcp-util.h"
Macros
    #define PARSE_REGEX "^\\s*\"?\\s*?([0-9a-zA-Z\\:\\.\\-\\_\\+\\s+]+)\\s*\"?\\s*$"
        Regex for parsing the softwareversion string.

Functions
    void DetectSshSoftwareVersionRegister (void)
        Registration function for keyword: ssh.softwareversion.
Implements the ssh.softwareversion keyword. It matches on the software version string announced by the SSH peer; the comparison starts at the beginning of the string, so you can write, for example, ssh.softwareversion:"PuTTY" and it will match, or you can also specify the version, e.g. ssh.softwareversion:"PuTTY-Release-0.55". This is useful for matching a known vulnerable server or client software version in combination with other checks, so that a hit tells you the risk is higher.
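The following is an added example, not code from the Suricata source: it takes the PARSE_REGEX shown on this page (with the C string escaping removed, so Python's re module can compile it as-is), applies it to a keyword argument the way a rule author would write one, and then shows the from-the-beginning comparison the description above refers to against constructed SSH identification strings. The helper that splits an identification string into protoversion, softwareversion and comments follows the RFC 4253 banner layout and is written for this example; it is not Suricata's app-layer SSH parser, and parse_softwareversion_option() is an illustrative stand-in for the C parse function rather than a copy of it.

```python
import re

# PARSE_REGEX exactly as defined in detect-ssh-software-version.c, with the
# C-level backslash doubling undone so the PCRE syntax can be used directly.
PARSE_REGEX = r'^\s*"?\s*?([0-9a-zA-Z\:\.\-\_\+\s+]+)\s*"?\s*$'
_parse_re = re.compile(PARSE_REGEX)


def parse_softwareversion_option(option: str):
    """Return the software-version string captured from a keyword argument
    such as '"PuTTY-Release-0.55"', or None if PARSE_REGEX does not match.
    Illustrative re-implementation for this example, not Suricata's own
    DetectSshSoftwareVersionParse()."""
    m = _parse_re.match(option)
    return m.group(1) if m else None


def split_identification(ident: str):
    """Split an SSH identification string, laid out per RFC 4253 section 4.2
    as 'SSH-protoversion-softwareversion SP comments CR LF', into the tuple
    (protoversion, softwareversion, comments). Helper written for this
    example; it is not Suricata's app-layer SSH parser."""
    line = ident.rstrip("\r\n")
    if not line.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    body = line[4:]
    proto, sep, rest = body.partition("-")
    if not sep:
        raise ValueError("missing softwareversion field")
    software, _, comments = rest.partition(" ")
    return proto, software, comments or None


def softwareversion_matches(wanted: str, observed: str) -> bool:
    """Compare the way the keyword description states: the configured value
    is checked from the beginning of the observed software version."""
    return observed.startswith(wanted)


def evaluate_rule_option(option: str, ident: str) -> bool:
    """Parse one ssh.softwareversion argument, pull the software version out
    of the peer's identification string and report whether it matches."""
    wanted = parse_softwareversion_option(option)
    if wanted is None:
        raise ValueError(f"bad ssh.softwareversion argument: {option!r}")
    _, observed, _ = split_identification(ident)
    return softwareversion_matches(wanted, observed)


if __name__ == "__main__":
    # Constructed sample banners for illustration, not captured traffic.
    banners = [
        "SSH-2.0-PuTTY-Release-0.55\r\n",
        "SSH-2.0-OpenSSH_9.6 sample-comment\r\n",
    ]
    for opt in ('"PuTTY"', '"PuTTY-Release-0.55"', "OpenSSH_9"):
        for banner in banners:
            print(f"{opt:24} vs {banner.strip()!r:40} "
                  f"-> {evaluate_rule_option(opt, banner)}")
```

Because the comparison is a prefix check, a short value such as "PuTTY" also matches every later PuTTY release; a rule meant to flag one specific vulnerable build should therefore carry the full version string, and the page's advice to combine the keyword with other checks applies in either case. Note also that the character class in PARSE_REGEX includes \s, so any whitespace placed inside the quotes becomes part of the captured value.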
Definition in file detect-ssh-software-version.c.
#define PARSE_REGEX "^\\s*\"?\\s*?([0-9a-zA-Z\\:\\.\\-\\_\\+\\s+]+)\\s*\"?\\s*$"
Regex for parsing the softwareversion string.
Definition at line 66 of file detect-ssh-software-version.c.
void DetectSshSoftwareVersionRegister (void)
Registration function for keyword: ssh.softwareversion.
Definition at line 83 of file detect-ssh-software-version.c.
References SigTableElmt_::AppLayerTxMatch, SigTableElmt_::desc, DETECT_AL_SSH_SOFTWAREVERSION, SigTableElmt_::name, sigmatch_table, and SigTableElmt_::url.
Referenced by SigTableSetup().