aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect: add (mpm) hassh keywords

Browse Source 
Match on Hassh using ssh.hassh, ssh.hassh.server, ssh.hassh.string, ssh.hassh.server.string keywords, e.g:

alert ssh any any -> any any (msg:"match SSH hash"; ssh.hassh; content:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; sid:1000010;)
alert ssh any any -> any any (msg:"match SSH hash-server"; ssh.hassh.server; content:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; sid:1000020;)
alert ssh any any -> any any (msg:"match SSH hash-string"; ssh.hassh.string; content:"none,zlib@openssh.com,zlib"; sid:1000030;)
alert ssh any any -> any any (msg:"match SSH hash-server-string"; ssh.hassh.server.string; content:"umac-64-etm@openssh.com,umac-128-etm@openssh.com,"; sid:1000040;)
pull/5141/head
Vadym Malakhatko 5 years ago
parent 536cee3ba9
commit 216a75c522
13 changed files with 857 additions and 0 deletions
Show Stats Download Patch File Download Diff File

4
src/Makefile.am
Unescape Escape View File

@ -262,6 +262,10 @@ detect-ssh-proto.c detect-ssh-proto.h \
detect-ssh-proto-version.c detect-ssh-proto-version.h \
detect-ssh-software.c detect-ssh-software.h \
detect-ssh-software-version.c detect-ssh-software-version.h \
detect-ssh-hassh.c detect-ssh-hassh.h \
detect-ssh-hassh-server.c detect-ssh-hassh-server.h \
detect-ssh-hassh-string.c detect-ssh-hassh-string.h \
detect-ssh-hassh-server-string.c detect-ssh-hassh-server-string.h \
detect-smb-share.c detect-smb-share.h \
detect-ssl-state.c detect-ssl-state.h \
detect-ssl-version.c detect-ssl-version.h \

8
src/detect-engine-register.c
Unescape Escape View File

@ -223,6 +223,10 @@
#include "detect-ssh-proto-version.h"
#include "detect-ssh-software.h"
#include "detect-ssh-software-version.h"
#include "detect-ssh-hassh.h"
#include "detect-ssh-hassh-server.h"
#include "detect-ssh-hassh-string.h"
#include "detect-ssh-hassh-server-string.h"
#include "detect-http-stat-code.h"
#include "detect-ssl-version.h"
#include "detect-ssl-state.h"
@ -536,6 +540,10 @@ void SigTableSetup(void)
DetectSshVersionRegister();
DetectSshSoftwareRegister();
DetectSshSoftwareVersionRegister();
DetectSshHasshRegister();
DetectSshHasshServerRegister();
DetectSshHasshStringRegister();
DetectSshHasshServerStringRegister();
DetectSslStateRegister();
DetectSslVersionRegister();
DetectByteExtractRegister();

4
src/detect-engine-register.h
Unescape Escape View File

@ -160,6 +160,10 @@ enum DetectKeywordId {
DETECT_AL_SSH_PROTOVERSION,
DETECT_AL_SSH_SOFTWARE,
DETECT_AL_SSH_SOFTWAREVERSION,
DETECT_AL_SSH_HASSH,
DETECT_AL_SSH_HASSH_SERVER,
DETECT_AL_SSH_HASSH_STRING,
DETECT_AL_SSH_HASSH_SERVER_STRING,
DETECT_AL_SSL_VERSION,
DETECT_AL_SSL_STATE,
DETECT_BYTE_EXTRACT,

145
src/detect-ssh-hassh-server-string.c
Unescape Escape View File

@ -0,0 +1,145 @@
/* Copyright (C) 2007-2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Vadym Malakhatko <v.malakhatko@sirinsoftware.com>
*/
#include "suricata-common.h"
#include "threads.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "detect-engine-prefilter.h"
#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"
#include "stream-tcp.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "app-layer-ssh.h"
#include "detect-ssh-hassh-server-string.h"
#include "rust.h"
#define KEYWORD_NAME "ssh.hassh.server.string"
#define KEYWORD_ALIAS "ssh-hassh-server-string"
#define KEYWORD_DOC "ssh-keywords.html#ssh.hassh.server.string"
#define BUFFER_NAME "ssh.hassh.server.string"
#define BUFFER_DESC "Ssh Client Key Exchange methods For ssh Servers"
static int g_ssh_hassh_server_string_buffer_id = 0;
static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *_f,
const uint8_t flow_flags, void *txv, const int list_id)
{
SCEnter();
InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
if (buffer->inspect == NULL) {
const uint8_t *hassh = NULL;
uint32_t b_len = 0;
if (rs_ssh_tx_get_hassh_string(txv, &hassh, &b_len, flow_flags) != 1)
return NULL;
if (hassh == NULL || b_len == 0) {
SCLogDebug("SSH hassh string is not set");
return NULL;
}
InspectionBufferSetup(buffer, hassh, b_len);
InspectionBufferApplyTransforms(buffer, transforms);
}
return buffer;
}
/**
* \brief this function setup the ssh.hassh.server.string modifier keyword used in the rule
*
* \param de_ctx Pointer to the Detection Engine Context
* \param s Pointer to the Signature to which the current keyword belongs
* \param str Should hold an empty string always
*
* \retval 0 On success
* \retval -1 On failure
* \retval -2 on failure that should be silent after the first
*/
static int DetectSshHasshServerStringSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
if (DetectBufferSetActiveList(s, g_ssh_hassh_server_string_buffer_id) < 0)
return -1;
if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0)
return -1;
/* try to enable Hassh */
rs_ssh_enable_hassh();
/* Check if Hassh is disabled */
if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_SERVER_STRING)) {
SCLogError(SC_WARN_HASSH_DISABLED, "hassh support is not enabled");
}
return -2;
}
return 0;
}
/**
* \brief Registration function for hasshServer.string keyword.
*/
void DetectSshHasshServerStringRegister(void)
{
sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].name = KEYWORD_NAME;
sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].alias = KEYWORD_ALIAS;
sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].desc = BUFFER_NAME " sticky buffer";
sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].RegisterTests = NULL;
sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].url = "/rules/" KEYWORD_DOC;
sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].Setup = DetectSshHasshServerStringSetup;
sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
PrefilterGenericMpmRegister, GetSshData,
ALPROTO_SSH, SshStateBannerDone);
DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH,
SIG_FLAG_TOCLIENT, SshStateBannerDone,
DetectEngineInspectBufferGeneric, GetSshData);
DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
g_ssh_hassh_server_string_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
}

30
src/detect-ssh-hassh-server-string.h
Unescape Escape View File

@ -0,0 +1,30 @@
/* Copyright (C) 2007-2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Malakhatko Vadym <v.malakhatko@sirinsoftware.com>
*/
#ifndef __DETECT_SSH_HASSH_SERVER_STRING_H__
#define __DETECT_SSH_HASSH_SERVER_STRING_H__
/* prototypes */
void DetectSshHasshServerStringRegister (void);
#endif /* __DETECT_SSH_HASSH_SERVER_STRING_H__ */

213
src/detect-ssh-hassh-server.c
Unescape Escape View File

@ -0,0 +1,213 @@
/* Copyright (C) 2007-2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Vadym Malakhatko <v.malakhatko@sirinsoftware.com>
*/
#include "suricata-common.h"
#include "threads.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "detect-engine-prefilter.h"
#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"
#include "stream-tcp.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "app-layer-ssh.h"
#include "detect-ssh-hassh-server.h"
#include "rust.h"
#define KEYWORD_NAME "ssh.hassh.server"
#define KEYWORD_ALIAS "ssh-hassh-server"
#define KEYWORD_DOC "ssh-keywords.html#ssh.hassh.server"
#define BUFFER_NAME "ssh.hassh.server"
#define BUFFER_DESC "Ssh Client Fingerprinting For Ssh Servers"
static int g_ssh_hassh_buffer_id = 0;
static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *_f,
const uint8_t flow_flags, void *txv, const int list_id)
{
SCEnter();
InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
if (buffer->inspect == NULL) {
const uint8_t *hasshServer = NULL;
uint32_t b_len = 0;
if (rs_ssh_tx_get_hassh(txv, &hasshServer, &b_len, flow_flags) != 1)
return NULL;
if (hasshServer == NULL || b_len == 0) {
SCLogDebug("SSH hassh not set");
return NULL;
}
InspectionBufferSetup(buffer, hasshServer, b_len);
InspectionBufferApplyTransforms(buffer, transforms);
}
return buffer;
}
/**
* \brief this function setup the ssh.hassh.server modifier keyword used in the rule
*
* \param de_ctx Pointer to the Detection Engine Context
* \param s Pointer to the Signature to which the current keyword belongs
* \param str Should hold an empty string always
*
* \retval 0 On success
* \retval -1 On failure
* \retval -2 on failure that should be silent after the first
*/
static int DetectSshHasshServerSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
if (DetectBufferSetActiveList(s, g_ssh_hassh_buffer_id) < 0)
return -1;
if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0)
return -1;
/* try to enable Hassh */
rs_ssh_enable_hassh();
/* Check if Hassh is disabled */
if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_SERVER)) {
SCLogError(SC_WARN_HASSH_DISABLED, "hassh support is not enabled");
}
return -2;
}
return 0;
}
static _Bool DetectSshHasshServerHashValidateCallback(const Signature *s,
const char **sigerror)
{
const SigMatch *sm = s->init_data->smlists[g_ssh_hassh_buffer_id];
for ( ; sm != NULL; sm = sm->next)
{
if (sm->type != DETECT_CONTENT)
continue;
const DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_NOCASE) {
*sigerror = "ssh.hassh.server should not be used together with "
"nocase, since the rule is automatically "
"lowercased anyway which makes nocase redundant.";
SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
}
if (cd->content_len != 32)
{
*sigerror = "Invalid length of the specified ssh.hassh.server (should "
"be 32 characters long). This rule will therefore "
"never match.";
SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
return FALSE;
}
for (size_t i = 0; i < cd->content_len; ++i)
{
if(!isxdigit(cd->content[i]))
{
*sigerror = "Invalid ssh.hassh.server string (should be string of hexademical characters)."
"This rule will therefore never match.";
SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
return FALSE;
}
}
}
return TRUE;
}
static void DetectSshHasshServerHashSetupCallback(const DetectEngineCtx *de_ctx,
Signature *s)
{
SigMatch *sm = s->init_data->smlists[g_ssh_hassh_buffer_id];
for ( ; sm != NULL; sm = sm->next)
{
if (sm->type != DETECT_CONTENT)
continue;
DetectContentData *cd = (DetectContentData *)sm->ctx;
uint32_t u;
for (u = 0; u < cd->content_len; u++)
{
if (isupper(cd->content[u])) {
cd->content[u] = tolower(cd->content[u]);
}
}
SpmDestroyCtx(cd->spm_ctx);
cd->spm_ctx = SpmInitCtx(cd->content, cd->content_len, 1,
de_ctx->spm_global_thread_ctx);
}
}
/**
* \brief Registration function for hasshServer keyword.
*/
void DetectSshHasshServerRegister(void)
{
sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].name = KEYWORD_NAME;
sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].alias = KEYWORD_ALIAS;
sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].desc = BUFFER_NAME " sticky buffer";
sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].RegisterTests = NULL;
sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].url = "/rules/" KEYWORD_DOC;
sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].Setup = DetectSshHasshServerSetup;
sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
PrefilterGenericMpmRegister, GetSshData,
ALPROTO_SSH, SshStateBannerDone);
DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH,
SIG_FLAG_TOCLIENT, SshStateBannerDone,
DetectEngineInspectBufferGeneric, GetSshData);
DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
g_ssh_hassh_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
DetectBufferTypeRegisterSetupCallback(BUFFER_NAME, DetectSshHasshServerHashSetupCallback);
DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectSshHasshServerHashValidateCallback);
}

31
src/detect-ssh-hassh-server.h
Unescape Escape View File

@ -0,0 +1,31 @@
/* Copyright (C) 2007-2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Malakhatko Vadym <v.malakhatko@sirinsoftware.com>
*/
#ifndef __DETECT_SSH_HASSH_SERVER_H__
#define __DETECT_SSH_HASSH_SERVER_H__
/* prototypes */
void DetectSshHasshServerRegister (void);
#endif /* __DETECT_SSH_HASSH_SERVER_H__ */

145
src/detect-ssh-hassh-string.c
Unescape Escape View File

@ -0,0 +1,145 @@
/* Copyright (C) 2007-2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Vadym Malakhatko <v.malakhatko@sirinsoftware.com>
*/
#include "suricata-common.h"
#include "threads.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "detect-engine-prefilter.h"
#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "stream-tcp.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "app-layer-ssh.h"
#include "detect-ssh-hassh-string.h"
#include "rust.h"
#define KEYWORD_NAME "ssh.hassh.string"
#define KEYWORD_ALIAS "ssh-hassh-string"
#define KEYWORD_DOC "ssh-keywords.html#hassh.string"
#define BUFFER_NAME "ssh.hassh.string"
#define BUFFER_DESC "Ssh Client Key Exchange methods For ssh Clients "
static int g_ssh_hassh_string_buffer_id = 0;
static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *_f,
const uint8_t flow_flags, void *txv, const int list_id)
{
SCEnter();
InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
if (buffer->inspect == NULL) {
const uint8_t *hassh = NULL;
uint32_t b_len = 0;
if (rs_ssh_tx_get_hassh_string(txv, &hassh, &b_len, flow_flags) != 1)
return NULL;
if (hassh == NULL || b_len == 0) {
SCLogDebug("SSH hassh string is not set");
return NULL;
}
InspectionBufferSetup(buffer, hassh, b_len);
InspectionBufferApplyTransforms(buffer, transforms);
}
return buffer;
}
/**
* \brief this function setup the hassh.string modifier keyword used in the rule
*
* \param de_ctx Pointer to the Detection Engine Context
* \param s Pointer to the Signature to which the current keyword belongs
* \param str Should hold an empty string always
*
* \retval 0 On success
* \retval -1 On failure
* \retval -2 on failure that should be silent after the first
*/
static int DetectSshHasshStringSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
if (DetectBufferSetActiveList(s, g_ssh_hassh_string_buffer_id) < 0)
return -1;
if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0)
return -1;
/* try to enable Hassh */
rs_ssh_enable_hassh();
/* Check if Hassh is disabled */
if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_STRING)) {
SCLogError(SC_WARN_HASSH_DISABLED, "hassh support is not enabled");
}
return -2;
}
return 0;
}
/**
* \brief Registration function for hassh.string keyword.
*/
void DetectSshHasshStringRegister(void)
{
sigmatch_table[DETECT_AL_SSH_HASSH_STRING].name = KEYWORD_NAME;
sigmatch_table[DETECT_AL_SSH_HASSH_STRING].alias = KEYWORD_ALIAS;
sigmatch_table[DETECT_AL_SSH_HASSH_STRING].desc = BUFFER_NAME " sticky buffer";
sigmatch_table[DETECT_AL_SSH_HASSH_STRING].RegisterTests = NULL;
sigmatch_table[DETECT_AL_SSH_HASSH_STRING].url = "/rules/" KEYWORD_DOC;
sigmatch_table[DETECT_AL_SSH_HASSH_STRING].Setup = DetectSshHasshStringSetup;
sigmatch_table[DETECT_AL_SSH_HASSH_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
PrefilterGenericMpmRegister, GetSshData,
ALPROTO_SSH, SshStateBannerDone);
DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH,
SIG_FLAG_TOSERVER, SshStateBannerDone,
DetectEngineInspectBufferGeneric, GetSshData);
DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
g_ssh_hassh_string_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
}

30
src/detect-ssh-hassh-string.h
Unescape Escape View File

@ -0,0 +1,30 @@
/* Copyright (C) 2007-2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Vadym Malakhatko <v.malakhatko@sirinsoftware.com>
*/
#ifndef __DETECT_SSH_HASSH_STRING_H__
#define __DETECT_SSH_HASSH_STRING_H__
/* prototypes */
void DetectSshHasshStringRegister (void);
#endif /* __DETECT_SSH_HASSH_STRING_H__ */

215
src/detect-ssh-hassh.c
Unescape Escape View File

@ -0,0 +1,215 @@
/* Copyright (C) 2007-2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Vadym Malakhatko <v.malakhatko@sirinsoftware.com>
*/
#include "suricata-common.h"
#include "threads.h"
#include "debug.h"
#include "decode.h"
#include "detect.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-state.h"
#include "detect-engine-prefilter.h"
#include "flow.h"
#include "flow-var.h"
#include "flow-util.h"
#include "util-debug.h"
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "stream-tcp.h"
#include "app-layer.h"
#include "app-layer-parser.h"
#include "app-layer-ssh.h"
#include "detect-ssh-hassh.h"
#include "rust.h"
#define KEYWORD_NAME "ssh.hassh"
#define KEYWORD_ALIAS "ssh-hassh"
#define KEYWORD_DOC "ssh-keywords.html#hassh"
#define BUFFER_NAME "ssh.hassh"
#define BUFFER_DESC "Ssh Client Fingerprinting For Ssh Clients "
static int g_ssh_hassh_buffer_id = 0;
static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
const DetectEngineTransforms *transforms, Flow *_f,
const uint8_t flow_flags, void *txv, const int list_id)
{
SCEnter();
InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
if (buffer->inspect == NULL) {
const uint8_t *hassh = NULL;
uint32_t b_len = 0;
if (rs_ssh_tx_get_hassh(txv, &hassh, &b_len, flow_flags) != 1)
return NULL;
if (hassh == NULL || b_len == 0) {
SCLogDebug("SSH hassh not set");
return NULL;
}
InspectionBufferSetup(buffer, hassh, b_len);
InspectionBufferApplyTransforms(buffer, transforms);
}
return buffer;
}
/**
* \brief this function setup the hassh modifier keyword used in the rule
*
* \param de_ctx Pointer to the Detection Engine Context
* \param s Pointer to the Signature to which the current keyword belongs
* \param str Should hold an empty string always
*
* \retval 0 On success
* \retval -1 On failure
* \retval -2 on failure that should be silent after the first
*/
static int DetectSshHasshSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
{
if (DetectBufferSetActiveList(s, g_ssh_hassh_buffer_id) < 0)
return -1;
if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0)
return -1;
/* try to enable Hassh */
rs_ssh_enable_hassh();
/* Check if Hassh is disabled */
if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH)) {
SCLogError(SC_WARN_HASSH_DISABLED, "hassh support is not enabled");
}
return -2;
}
return 0;
}
static bool DetectSshHasshHashValidateCallback(const Signature *s,
const char **sigerror)
{
const SigMatch *sm = s->init_data->smlists[g_ssh_hassh_buffer_id];
for ( ; sm != NULL; sm = sm->next)
{
if (sm->type != DETECT_CONTENT)
continue;
const DetectContentData *cd = (DetectContentData *)sm->ctx;
if (cd->flags & DETECT_CONTENT_NOCASE) {
*sigerror = "ssh.hassh should not be used together with "
"nocase, since the rule is automatically "
"lowercased anyway which makes nocase redundant.";
SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
}
if (cd->content_len != 32)
{
*sigerror = "Invalid length of the specified ssh.hassh (should "
"be 32 characters long). This rule will therefore "
"never match.";
SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
return FALSE;
}
for (size_t i = 0; i < cd->content_len; ++i)
{
if(!isxdigit(cd->content[i]))
{
*sigerror = "Invalid ssh.hassh string (should be string of hexademical characters)."
"This rule will therefore never match.";
SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
return FALSE;
}
}
}
return TRUE;
}
static void DetectSshHasshHashSetupCallback(const DetectEngineCtx *de_ctx,
Signature *s)
{
SigMatch *sm = s->init_data->smlists[g_ssh_hassh_buffer_id];
for ( ; sm != NULL; sm = sm->next)
{
if (sm->type != DETECT_CONTENT)
continue;
DetectContentData *cd = (DetectContentData *)sm->ctx;
uint32_t u;
for (u = 0; u < cd->content_len; u++)
{
if (isupper(cd->content[u])) {
cd->content[u] = tolower(cd->content[u]);
}
}
SpmDestroyCtx(cd->spm_ctx);
cd->spm_ctx = SpmInitCtx(cd->content, cd->content_len, 1,
de_ctx->spm_global_thread_ctx);
}
}
/**
* \brief Registration function for hassh keyword.
*/
void DetectSshHasshRegister(void)
{
sigmatch_table[DETECT_AL_SSH_HASSH].name = KEYWORD_NAME;
sigmatch_table[DETECT_AL_SSH_HASSH].alias = KEYWORD_ALIAS;
sigmatch_table[DETECT_AL_SSH_HASSH].desc = BUFFER_NAME " sticky buffer";
sigmatch_table[DETECT_AL_SSH_HASSH].RegisterTests = NULL;
sigmatch_table[DETECT_AL_SSH_HASSH].url = "/rules/" KEYWORD_DOC;
sigmatch_table[DETECT_AL_SSH_HASSH].Setup = DetectSshHasshSetup;
sigmatch_table[DETECT_AL_SSH_HASSH].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
PrefilterGenericMpmRegister, GetSshData,
ALPROTO_SSH, SshStateBannerDone),
DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH,
SIG_FLAG_TOSERVER, SshStateBannerDone,
DetectEngineInspectBufferGeneric, GetSshData);
DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
g_ssh_hassh_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
DetectBufferTypeRegisterSetupCallback(BUFFER_NAME, DetectSshHasshHashSetupCallback);
DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectSshHasshHashValidateCallback);
}

30
src/detect-ssh-hassh.h
Unescape Escape View File

@ -0,0 +1,30 @@
/* Copyright (C) 2007-2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Malakhatko Vadym <v.malakhatko@sirinsoftware.com>
*/
#ifndef __DETECT_SSH_HASSH_H__
#define __DETECT_SSH_HASSH_H__
/* prototypes */
void DetectSshHasshRegister (void);
#endif /* __DETECT_SSH_HASSH_H__ */

1
src/util-error.c
Unescape Escape View File

@ -370,6 +370,7 @@ const char * SCErrorToString(SCError err)
CASE_CODE (SC_WARN_REGISTRATION_FAILED);
CASE_CODE (SC_ERR_ERF_BAD_RLEN);
CASE_CODE (SC_WARN_ERSPAN_CONFIG);
CASE_CODE (SC_WARN_HASSH_DISABLED);
CASE_CODE (SC_ERR_MAX);
}

1
src/util-error.h
Unescape Escape View File

@ -360,6 +360,7 @@ typedef enum {
SC_WARN_REGISTRATION_FAILED,
SC_ERR_ERF_BAD_RLEN,
SC_WARN_ERSPAN_CONFIG,
SC_WARN_HASSH_DISABLED,
SC_ERR_MAX
} SCError;

Write Preview
Loading…
Cancel
Save