detect-ssh-software-version.c File Reference
#include "suricata-common.h"
#include "threads.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "app-layer-ssh.h"
#include "detect-ssh-software-version.h"
#include "stream-tcp.h"
#include "stream-tcp-reassemble.h"


Macros

#define PARSE_REGEX   "^\\s*\"?\\s*?([0-9a-zA-Z\\:\\.\\-\\_\\+\\s+]+)\\s*\"?\\s*$"
 Regex for parsing the softwareversion string. More...
 
#define MAX_SUBSTRINGS   30
 

Functions

void DetectSshSoftwareVersionRegister (void)
 Registration function for keyword: ssh.softwareversion. More...
 

Detailed Description

Author
Pablo Rincon pablo.nosp@m..rin.nosp@m.con.c.nosp@m.resp.nosp@m.o@gma.nosp@m.il.c.nosp@m.om

Implements the ssh.softwareversion keyword. You can match on the software version string of SSH; the comparison is made from the beginning of the string (a prefix match), so you can write, for example, ssh.softwareversion:"PuTTY" and it will match, or you can also specify the version, for example ssh.softwareversion:"PuTTY-Release-0.55". This is useful for matching a known vulnerable server/client software version in combination with other checks, so you know that the risk is higher.

Definition in file detect-ssh-software-version.c.

Macro Definition Documentation

#define MAX_SUBSTRINGS   30
#define PARSE_REGEX   "^\\s*\"?\\s*?([0-9a-zA-Z\\:\\.\\-\\_\\+\\s+]+)\\s*\"?\\s*$"

Regex for parsing the softwareversion string.

Definition at line 64 of file detect-ssh-software-version.c.

Referenced by DetectSshSoftwareVersionRegister().

Function Documentation

void DetectSshSoftwareVersionRegister ( void  )

Registration function for keyword: ssh.softwareversion.

Definition at line 90 of file detect-ssh-software-version.c.

References Flow_::alproto, ALPROTO_SSH, Flow_::alstate, AppLayerParserParse(), AppLayerParserThreadCtxAlloc(), AppLayerParserThreadCtxFree(), SigTableElmt_::AppLayerTxMatch, SshState_::cli_hdr, SigMatch_::ctx, DE_QUIET, SigTableElmt_::desc, DETECT_AL_SSH_SOFTWAREVERSION, DetectAppLayerInspectEngineRegister(), DetectBufferTypeRegister(), DetectEngineCtxFree(), DetectEngineCtxInit(), DetectEngineThreadCtxDeinit(), DetectEngineThreadCtxInit(), DetectSetupParseRegexes(), DetectSignatureSetAppProto(), DOC_URL, DOC_VERSION, flags, SshHeader_::flags, Packet_::flags, DetectEngineCtx_::flags, SigTableElmt_::flags, Packet_::flow, FLOW_DESTROY, FLOW_INITIALIZE, FLOW_PKT_ESTABLISHED, FLOW_PKT_TOSERVER, Packet_::flowflags, FLOWLOCK_UNLOCK, FLOWLOCK_WRLOCK, SigTableElmt_::Free, DetectSshSoftwareVersionData_::len, m, MAX_SUBSTRINGS, SigTableElmt_::name, PacketAlertCheck(), PARSE_REGEX, PKT_HAS_FLOW, PKT_STREAM_EST, Flow_::proto, Flow_::protoctx, SigTableElmt_::RegisterTests, res, SC_ERR_PCRE_GET_SUBSTRING, SC_ERR_PCRE_MATCH, SCEnter, SCFree, SCLogDebug, SCLogError, SCMalloc, SCReturnInt, SCStrdup, SigTableElmt_::Setup, SIG_FLAG_TOCLIENT, SIG_FLAG_TOSERVER, DetectEngineCtx_::sig_list, SigCleanSignatures(), SigGroupBuild(), SigGroupCleanup(), SigInit(), SIGMATCH_QUOTES_OPTIONAL, sigmatch_table, SigMatchAlloc(), SigMatchAppendSMToList(), SigMatchSignatures(), DetectSshSoftwareVersionData_::software_ver, SshHeader_::software_version, SshState_::srv_hdr, SSH_FLAG_VERSION_PARSED, SSH_STATE_BANNER_DONE, str, STREAM_TOCLIENT, STREAM_TOSERVER, StreamTcpFreeConfig(), StreamTcpInitConfig(), TRUE, SigMatch_::type, unlikely, SigTableElmt_::url, UTHBuildPacket(), UTHFreePackets(), and UtRegisterTest().

Referenced by SigTableSetup().
