65 #define PARSE_REGEX "^\\s*\"?\\s*?([0-9a-zA-Z\\:\\.\\-\\_\\+\\s+]+)\\s*\"?\\s*$"
70 Flow *, uint8_t,
void *,
void *,
74 static void DetectSshSoftwareVersionRegisterTests(
void);
77 static int g_ssh_banner_list_id = 0;
119 Flow *f, uint8_t
flags,
void *state,
void *txv,
131 const uint8_t *software = NULL;
134 if (rs_ssh_tx_get_software(txv, &software, &b_len,
flags) != 1)
136 if (software == NULL || b_len == 0)
138 if (b_len == ssh->
len) {
162 pcre2_match_data *match = NULL;
165 if (ret < 1 || ret > 3) {
166 SCLogError(
"invalid ssh.softwareversion option");
171 const char *str_ptr = NULL;
172 res = pcre2_substring_get_bynumber(match, 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len);
174 SCLogError(
"pcre2_substring_get_bynumber failed");
181 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
186 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
189 pcre2_substring_free((PCRE2_UCHAR *)str_ptr);
196 pcre2_match_data_free(match);
201 pcre2_match_data_free(match);
204 DetectSshSoftwareVersionFree(
de_ctx, ssh);
227 ssh = DetectSshSoftwareVersionParse(NULL,
str);
235 g_ssh_banner_list_id) == NULL) {
242 DetectSshSoftwareVersionFree(
de_ctx, ssh);
270 static int DetectSshSoftwareVersionTestParse01 (
void)
273 ssh = DetectSshSoftwareVersionParse(NULL,
"PuTTY_1.0");
274 if (ssh != NULL && strncmp((
char *) ssh->
software_ver,
"PuTTY_1.0", 9) == 0) {
275 DetectSshSoftwareVersionFree(NULL, ssh);
286 static int DetectSshSoftwareVersionTestParse02 (
void)
289 ssh = DetectSshSoftwareVersionParse(NULL,
"\"SecureCRT-4.0\"");
290 if (ssh != NULL && strncmp((
char *) ssh->
software_ver,
"SecureCRT-4.0", 13) == 0) {
291 DetectSshSoftwareVersionFree(NULL, ssh);
302 static int DetectSshSoftwareVersionTestParse03 (
void)
305 ssh = DetectSshSoftwareVersionParse(NULL,
"");
307 DetectSshSoftwareVersionFree(NULL, ssh);
319 static int DetectSshSoftwareVersionTestDetect01(
void)
327 uint8_t sshbuf1[] =
"SSH-1.";
328 uint8_t sshbuf2[] =
"10-PuTTY_2.123" ;
329 uint8_t sshbuf3[] =
"\n";
330 uint8_t sshbuf4[] =
"whatever...";
332 uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
333 uint32_t sshlens[4] = {
sizeof(sshbuf1) - 1,
sizeof(sshbuf2) - 1,
sizeof(sshbuf3) - 1,
sizeof(sshbuf4) - 1};
335 memset(&
tv, 0x00,
sizeof(
tv));
343 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1234, 2222);
346 f->
proto = IPPROTO_TCP;
357 memset(&th_v, 0,
sizeof(th_v));
371 for (
int i=0; i<4; i++) {
396 static int DetectSshSoftwareVersionTestDetect02(
void)
404 uint8_t sshbuf1[] =
"SSH-1.99-Pu";
405 uint8_t sshbuf2[] =
"TTY_2.123" ;
406 uint8_t sshbuf3[] =
"\n";
407 uint8_t sshbuf4[] =
"whatever...";
409 uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
410 uint32_t sshlens[4] = {
sizeof(sshbuf1) - 1,
sizeof(sshbuf2) - 1,
sizeof(sshbuf3) - 1,
sizeof(sshbuf4) - 1};
412 memset(&
tv, 0x00,
sizeof(
tv));
420 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1234, 2222);
423 f->
proto = IPPROTO_TCP;
434 memset(&th_v, 0,
sizeof(th_v));
448 for (
int i=0; i<4; i++) {
473 static int DetectSshSoftwareVersionTestDetect03(
void)
481 uint8_t sshbuf1[] =
"SSH-1.";
482 uint8_t sshbuf2[] =
"7-PuTTY_2.123" ;
483 uint8_t sshbuf3[] =
"\n";
484 uint8_t sshbuf4[] =
"whatever...";
486 uint8_t* sshbufs[4] = {sshbuf1, sshbuf2, sshbuf3, sshbuf4};
487 uint32_t sshlens[4] = {
sizeof(sshbuf1) - 1,
sizeof(sshbuf2) - 1,
sizeof(sshbuf3) - 1,
sizeof(sshbuf4) - 1};
489 memset(&
tv, 0x00,
sizeof(
tv));
497 f =
UTHBuildFlow(AF_INET,
"1.1.1.1",
"2.2.2.2", 1234, 2222);
500 f->
proto = IPPROTO_TCP;
511 memset(&th_v, 0,
sizeof(th_v));
525 for (
int i=0; i<4; i++) {
552 static void DetectSshSoftwareVersionRegisterTests(
void)
555 DetectSshSoftwareVersionTestParse01);
557 DetectSshSoftwareVersionTestParse02);
559 DetectSshSoftwareVersionTestParse03);
561 DetectSshSoftwareVersionTestDetect01);
563 DetectSshSoftwareVersionTestDetect02);
565 DetectSshSoftwareVersionTestDetect03);
int DetectSignatureSetAppProto(Signature *s, AppProto alproto)
void StreamTcpUTDeinit(TcpReassemblyThreadCtx *ra_ctx)
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void(* Free)(DetectEngineCtx *, void *)
void DetectSshSoftwareVersionRegister(void)
Registration function for keyword: ssh.softwareversion.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define SIGMATCH_QUOTES_OPTIONAL
@ DETECT_AL_SSH_SOFTWAREVERSION
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
main detection engine ctx
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx.
int(* AppLayerTxMatch)(DetectEngineThreadCtx *, Flow *, uint8_t flags, void *alstate, void *txv, const Signature *, const SigMatchCtx *)
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that builds packets with default IP and port fields.
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
int DetectParsePcreExec(DetectParseRegex *parse_regex, pcre2_match_data **match, const char *str, int start_offset, int options)
#define SIG_FLAG_TOCLIENT
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
void StreamTcpUTInitInline(void)
void StreamTcpUTInit(TcpReassemblyThreadCtx **ra_ctx)
Flow * UTHBuildFlow(int family, const char *src, const char *dst, Port sp, Port dp)
int StreamTcpReassembleAppLayer(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpSession *ssn, TcpStream *stream, Packet *p, enum StreamUpdateDir dir)
Update the stream reassembly upon receiving a packet.
#define SIG_FLAG_TOSERVER
#define PASS
Pass the test.
void DetectSetupParseRegexes(const char *parse_str, DetectParseRegex *detect_parse)
Per thread variable structure.
void StreamTcpUTSetupStream(TcpStream *s, uint32_t isn)
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
#define PARSE_REGEX
Regex for parsing the softwareversion string.
Data structures and function prototypes for keeping state for the detection engine.
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
void UTHFreeFlow(Flow *flow)
Used to store a pointer to a SigMatch context. Should never be dereferenced without casting to something...
void StreamTcpUTClearSession(TcpSession *ssn)
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
int DetectBufferTypeRegister(const char *name)
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
uint8_t DetectEngineInspectGenericList(DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, const struct DetectEngineAppInspectionEngine_ *engine, const Signature *s, Flow *f, uint8_t flags, void *alstate, void *txv, uint64_t tx_id)
Do the content inspection & validation for a signature.
int StreamTcpUTAddSegmentWithPayload(ThreadVars *tv, TcpReassemblyThreadCtx *ra_ctx, TcpStream *stream, uint32_t seq, uint8_t *payload, uint16_t len)
void StreamTcpUTSetupSession(TcpSession *ssn)
#define SCLogError(...)
Macro used to log ERROR messages.
#define SIGMATCH_INFO_DEPRECATED
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
DetectEngineCtx * DetectEngineCtxInit(void)
void DetectAppLayerInspectEngineRegister(const char *name, AppProto alproto, uint32_t dir, int progress, InspectEngineFuncPtr Callback, InspectionBufferGetDataPtr GetData)
register inspect engine at start up time
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
AppProto alproto
application level protocol
void(* RegisterTests)(void)