65 #define PARSE_REGEX "^\\s*\"?\\s*?([0-9a-zA-Z\\:\\.\\-\\_\\+\\s+]+)\\s*\"?\\s*$"
70 Flow *, uint8_t,
void *,
void *,
74 static void DetectSshSoftwareVersionRegisterTests(
void);
77 static int g_ssh_banner_list_id = 0;
119 Flow *f, uint8_t
flags,
void *state,
void *txv,
131 const uint8_t *software = NULL;
134 if (rs_ssh_tx_get_software(txv, &software, &b_len,
flags) != 1)
136 if (software == NULL || b_len == 0)
138 if (b_len == ssh->
len) {
162 pcre2_match_data *match = NULL;
165 if (ret < 1 || ret > 3) {
166 SCLogError(
"invalid ssh.softwareversion option");
171 const char *str_ptr = NULL;
172 res = pcre2_substring_get_bynumber(match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
174 SCLogError(
"pcre2_substring_get_bynumber failed");
181 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
186 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
189 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
196 pcre2_match_data_free(match);
201 pcre2_match_data_free(match);
204 DetectSshSoftwareVersionFree(
de_ctx, ssh);
228 ssh = DetectSshSoftwareVersionParse(NULL,
str);
239 sm->
ctx = (
void *)ssh;
246 DetectSshSoftwareVersionFree(
de_ctx, ssh);
276 static int DetectSshSoftwareVersionTestParse01 (
void)
279 ssh = DetectSshSoftwareVersionParse(NULL,
"PuTTY_1.0");
280 if (ssh != NULL && strncmp((
char *) ssh->
software_ver,
"PuTTY_1.0", 9) == 0) {
281 DetectSshSoftwareVersionFree(NULL, ssh);
292 static int DetectSshSoftwareVersionTestParse02 (
void)
295 ssh = DetectSshSoftwareVersionParse(NULL,
"\"SecureCRT-4.0\"");
296 if (ssh != NULL && strncmp((
char *) ssh->
software_ver,
"SecureCRT-4.0", 13) == 0) {
297 DetectSshSoftwareVersionFree(NULL, ssh);
308 static int DetectSshSoftwareVersionTestParse03 (
void)
311 ssh = DetectSshSoftwareVersionParse(NULL,
"");
313 DetectSshSoftwareVersionFree(NULL, ssh);
325 static int DetectSshSoftwareVersionTestDetect01(
void)
333 uint8_t sshbuf1[] =
"SSH-1.";
334 uint8_t sshbuf2[] =
"10-PuTTY_2.123" ;
335 uint8_t sshbuf3[] =
"\n";
336 uint8_t sshbuf4[] =
"whatever...";
338 uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
339 uint32_t sshlens[4] = {
sizeof(sshbuf1) - 1,
sizeof(sshbuf2) - 1,
sizeof(sshbuf3) - 1,
sizeof(sshbuf4) - 1};
341 memset(&
tv, 0x00,
sizeof(
tv));
349 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1234, 2222);
352 f->
proto = IPPROTO_TCP;
363 memset(&th_v, 0,
sizeof(th_v));
377 for (
int i=0; i<4; i++) {
402 static int DetectSshSoftwareVersionTestDetect02(
void)
410 uint8_t sshbuf1[] =
"SSH-1.99-Pu";
411 uint8_t sshbuf2[] =
"TTY_2.123" ;
412 uint8_t sshbuf3[] =
"\n";
413 uint8_t sshbuf4[] =
"whatever...";
415 uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
416 uint32_t sshlens[4] = {
sizeof(sshbuf1) - 1,
sizeof(sshbuf2) - 1,
sizeof(sshbuf3) - 1,
sizeof(sshbuf4) - 1};
418 memset(&
tv, 0x00,
sizeof(
tv));
426 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1234, 2222);
429 f->
proto = IPPROTO_TCP;
440 memset(&th_v, 0,
sizeof(th_v));
454 for (
int i=0; i<4; i++) {
479 static int DetectSshSoftwareVersionTestDetect03(
void)
487 uint8_t sshbuf1[] =
"SSH-1.";
488 uint8_t sshbuf2[] =
"7-PuTTY_2.123" ;
489 uint8_t sshbuf3[] =
"\n";
490 uint8_t sshbuf4[] =
"whatever...";
492 uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
493 uint32_t sshlens[4] = {
sizeof(sshbuf1) - 1,
sizeof(sshbuf2) - 1,
sizeof(sshbuf3) - 1,
sizeof(sshbuf4) - 1};
495 memset(&
tv, 0x00,
sizeof(
tv));
503 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1234, 2222);
506 f->
proto = IPPROTO_TCP;
517 memset(&th_v, 0,
sizeof(th_v));
531 for (
int i=0; i<4; i++) {
558 static void DetectSshSoftwareVersionRegisterTests(
void)
561 DetectSshSoftwareVersionTestParse01);
563 DetectSshSoftwareVersionTestParse02);
565 DetectSshSoftwareVersionTestParse03);
567 DetectSshSoftwareVersionTestDetect01);
569 DetectSshSoftwareVersionTestDetect02);
571 DetectSshSoftwareVersionTestDetect03);
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
void StreamTcpUTDeinit(TcpReassemblyThreadCtx *ra_ctx)
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void SigMatchAppendSMToList(Signature *s, SigMatch *new, const int list)
Append a SigMatch to the list type.
void(* Free)(DetectEngineCtx *, void *)
void DetectSshSoftwareVersionRegister(void)
Registration function for keyword: ssh.softwareversion.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define SIGMATCH_QUOTES_OPTIONAL
@ DETECT_AL_SSH_SOFTWAREVERSION
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
main detection engine ctx
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that builds packets with default IP and port fields.
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
#define SIG_FLAG_TOCLIENT
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
void StreamTcpUTInitInline(void)
void StreamTcpUTInit(TcpReassemblyThreadCtx **ra_ctx)
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
#define SIG_FLAG_TOSERVER
#define PASS
Pass the test.
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Per thread variable structure.
void StreamTcpUTSetupStream(TcpStream *s, uint32_t isn)
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
#define PARSE_REGEX
Regex for parsing the softwareversion string.
void DetectAppLayerInspectEngineRegister2(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr2 Callback2, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
Data structures and function prototypes for keeping state for the detection engine.
SigMatch * SigMatchAlloc(void)
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UTHFreeFlow(Flow *flow)
Used to store a pointer to the SigMatch context. Should never be dereferenced without casting to something...
void StreamTcpUTClearSession(TcpSession *ssn)
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
int DetectBufferTypeRegister(const char *name)
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
int StreamTcpUTAddSegmentWithPayload(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpStream *stream, uint32_t seq, uint8_t *payload, uint16_t len)
void StreamTcpUTSetupSession(TcpSession *ssn)
#define SCLogError(...)
Macro used to log ERROR messages.
#define SIGMATCH_INFO_DEPRECATED
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
a single match condition for a signature
DetectEngineCtx * DetectEngineCtxInit(void)
AppProto alproto
application level protocol
void(* RegisterTests)(void)