detect: add (mpm) hassh keywords

Match on Hassh using ssh.hassh, ssh.hassh.server, ssh.hassh.string, ssh.hassh.server.string keywords, e.g:

alert ssh any any -> any any (msg:"match SSH hash"; ssh.hassh; content:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; sid:1000010;)
alert ssh any any -> any any (msg:"match SSH hash-server"; ssh.hassh.server; content:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; sid:1000020;)
alert ssh any any -> any any (msg:"match SSH hash-string"; ssh.hassh.string; content:"none,zlib@openssh.com,zlib"; sid:1000030;)
alert ssh any any -> any any (msg:"match SSH hash-server-string"; ssh.hassh.server.string; content:"umac-64-etm@openssh.com,umac-128-etm@openssh.com,"; sid:1000040;)

src/Makefile.am

@@ -262,6 +262,10 @@ detect-ssh-proto.c detect-ssh-proto.h \
 detect-ssh-proto-version.c detect-ssh-proto-version.h \
 detect-ssh-software.c detect-ssh-software.h \
 detect-ssh-software-version.c detect-ssh-software-version.h \
+detect-ssh-hassh.c detect-ssh-hassh.h \
+detect-ssh-hassh-server.c detect-ssh-hassh-server.h \
+detect-ssh-hassh-string.c detect-ssh-hassh-string.h \
+detect-ssh-hassh-server-string.c detect-ssh-hassh-server-string.h \
 detect-smb-share.c detect-smb-share.h \
 detect-ssl-state.c detect-ssl-state.h \
 detect-ssl-version.c detect-ssl-version.h \

src/detect-engine-register.c

@@ -223,6 +223,10 @@
 #include "detect-ssh-proto-version.h"
 #include "detect-ssh-software.h"
 #include "detect-ssh-software-version.h"
+#include "detect-ssh-hassh.h"
+#include "detect-ssh-hassh-server.h"
+#include "detect-ssh-hassh-string.h"
+#include "detect-ssh-hassh-server-string.h"
 #include "detect-http-stat-code.h"
 #include "detect-ssl-version.h"
 #include "detect-ssl-state.h"
@@ -536,6 +540,10 @@ void SigTableSetup(void)
     DetectSshVersionRegister();
     DetectSshSoftwareRegister();
     DetectSshSoftwareVersionRegister();
+    DetectSshHasshRegister();
+    DetectSshHasshServerRegister();
+    DetectSshHasshStringRegister();
+    DetectSshHasshServerStringRegister();
     DetectSslStateRegister();
     DetectSslVersionRegister();
     DetectByteExtractRegister();

src/detect-engine-register.h

@@ -160,6 +160,10 @@ enum DetectKeywordId {
     DETECT_AL_SSH_PROTOVERSION,
     DETECT_AL_SSH_SOFTWARE,
     DETECT_AL_SSH_SOFTWAREVERSION,
+    DETECT_AL_SSH_HASSH,
+    DETECT_AL_SSH_HASSH_SERVER,
+    DETECT_AL_SSH_HASSH_STRING,
+    DETECT_AL_SSH_HASSH_SERVER_STRING,
     DETECT_AL_SSL_VERSION,
     DETECT_AL_SSL_STATE,
     DETECT_BYTE_EXTRACT,

src/detect-ssh-hassh-server-string.c

@@ -0,0 +1,145 @@
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Vadym Malakhatko <v.malakhatko@sirinsoftware.com>
+ */
+
+#include "suricata-common.h"
+#include "threads.h"
+#include "debug.h"
+#include "decode.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+#include "detect-engine-state.h"
+#include "detect-engine-prefilter.h"
+
+#include "flow.h"
+#include "flow-var.h"
+#include "flow-util.h"
+#include "stream-tcp.h"
+#include "util-debug.h"
+#include "util-unittest.h"
+#include "util-unittest-helper.h"
+
+#include "app-layer.h"
+#include "app-layer-parser.h"
+#include "app-layer-ssh.h"
+#include "detect-ssh-hassh-server-string.h"
+#include "rust.h"
+
+
+#define KEYWORD_NAME "ssh.hassh.server.string"
+#define KEYWORD_ALIAS "ssh-hassh-server-string"
+#define KEYWORD_DOC "ssh-keywords.html#ssh.hassh.server.string"
+#define BUFFER_NAME "ssh.hassh.server.string"
+#define BUFFER_DESC "Ssh Client Key Exchange methods For ssh Servers"
+static int g_ssh_hassh_server_string_buffer_id = 0;
+
+
+static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *_f,
+        const uint8_t flow_flags, void *txv, const int list_id)
+{
+    
+    SCEnter();
+
+    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+
+    if (buffer->inspect == NULL) {
+        const uint8_t *hassh = NULL;
+        uint32_t b_len = 0;
+
+        if (rs_ssh_tx_get_hassh_string(txv, &hassh, &b_len, flow_flags) != 1)
+            return NULL;
+        if (hassh == NULL || b_len == 0) {
+            SCLogDebug("SSH hassh string is not set");
+            return NULL;
+        }
+
+        InspectionBufferSetup(buffer, hassh, b_len);
+        InspectionBufferApplyTransforms(buffer, transforms);
+    }
+
+    return buffer;
+}
+
+/**
+ * \brief this function setup the ssh.hassh.server.string modifier keyword used in the rule
+ *
+ * \param de_ctx Pointer to the Detection Engine Context
+ * \param s      Pointer to the Signature to which the current keyword belongs
+ * \param str    Should hold an empty string always
+ *
+ * \retval 0  On success
+ * \retval -1 On failure
+ * \retval -2 on failure that should be silent after the first
+ */
+static int DetectSshHasshServerStringSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
+{
+    if (DetectBufferSetActiveList(s, g_ssh_hassh_server_string_buffer_id) < 0)
+        return -1;
+
+    if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0)
+        return -1;
+     
+    /* try to enable Hassh */
+    rs_ssh_enable_hassh();
+
+    /* Check if Hassh is disabled */
+    if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
+        if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_SERVER_STRING)) {
+            SCLogError(SC_WARN_HASSH_DISABLED, "hassh support is not enabled");
+        }
+        return -2;
+    }
+
+    return 0;
+
+}
+
+/**
+ * \brief Registration function for hasshServer.string keyword.
+ */
+void DetectSshHasshServerStringRegister(void) 
+{
+    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].name = KEYWORD_NAME;
+    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].alias = KEYWORD_ALIAS;
+    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].desc = BUFFER_NAME " sticky buffer";
+    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].RegisterTests = NULL;
+    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].url = "/rules/" KEYWORD_DOC;
+    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].Setup = DetectSshHasshServerStringSetup;
+    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
+
+
+    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, 
+            PrefilterGenericMpmRegister, GetSshData,
+            ALPROTO_SSH, SshStateBannerDone);
+    DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH, 
+            SIG_FLAG_TOCLIENT, SshStateBannerDone, 
+            DetectEngineInspectBufferGeneric, GetSshData);
+
+    DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
+
+    g_ssh_hassh_server_string_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
+}

src/detect-ssh-hassh-server-string.h

@@ -0,0 +1,30 @@
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Malakhatko Vadym <v.malakhatko@sirinsoftware.com>
+ */
+
+#ifndef __DETECT_SSH_HASSH_SERVER_STRING_H__
+#define __DETECT_SSH_HASSH_SERVER_STRING_H__
+
+/* prototypes */
+void DetectSshHasshServerStringRegister (void);
+
+#endif /* __DETECT_SSH_HASSH_SERVER_STRING_H__ */

src/detect-ssh-hassh-server.c

@@ -0,0 +1,213 @@
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Vadym Malakhatko <v.malakhatko@sirinsoftware.com>
+ */
+
+#include "suricata-common.h"
+#include "threads.h"
+#include "debug.h"
+#include "decode.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+#include "detect-engine-state.h"
+#include "detect-engine-prefilter.h"
+
+#include "flow.h"
+#include "flow-var.h"
+#include "flow-util.h"
+#include "stream-tcp.h"
+#include "util-debug.h"
+#include "util-unittest.h"
+#include "util-unittest-helper.h"
+
+#include "app-layer.h"
+#include "app-layer-parser.h"
+#include "app-layer-ssh.h"
+#include "detect-ssh-hassh-server.h"
+#include "rust.h"
+
+
+#define KEYWORD_NAME "ssh.hassh.server"
+#define KEYWORD_ALIAS "ssh-hassh-server"
+#define KEYWORD_DOC "ssh-keywords.html#ssh.hassh.server"
+#define BUFFER_NAME "ssh.hassh.server"
+#define BUFFER_DESC "Ssh Client Fingerprinting For Ssh Servers"
+static int g_ssh_hassh_buffer_id = 0;
+
+
+static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *_f,
+        const uint8_t flow_flags, void *txv, const int list_id)
+{
+    
+    SCEnter();
+
+    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+
+    if (buffer->inspect == NULL) {
+        const uint8_t *hasshServer = NULL;
+        uint32_t b_len = 0;
+
+        if (rs_ssh_tx_get_hassh(txv, &hasshServer, &b_len, flow_flags) != 1)
+            return NULL;
+        if (hasshServer == NULL || b_len == 0) {
+            SCLogDebug("SSH hassh not set");
+            return NULL;
+        }
+
+        InspectionBufferSetup(buffer, hasshServer, b_len);
+        InspectionBufferApplyTransforms(buffer, transforms);
+    }
+
+    return buffer;
+}
+
+/**
+ * \brief this function setup the ssh.hassh.server modifier keyword used in the rule
+ *
+ * \param de_ctx Pointer to the Detection Engine Context
+ * \param s      Pointer to the Signature to which the current keyword belongs
+ * \param str    Should hold an empty string always
+ *
+ * \retval 0  On success
+ * \retval -1 On failure
+ * \retval -2 on failure that should be silent after the first
+ */
+static int DetectSshHasshServerSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
+{
+    if (DetectBufferSetActiveList(s, g_ssh_hassh_buffer_id) < 0)
+        return -1;
+
+    if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0)
+        return -1;
+            
+    /* try to enable Hassh */
+    rs_ssh_enable_hassh();
+
+    /* Check if Hassh is disabled */
+    if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
+        if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_SERVER)) {
+            SCLogError(SC_WARN_HASSH_DISABLED, "hassh support is not enabled");
+        }
+        return -2;
+    }
+
+    return 0;
+
+}
+
+
+static _Bool DetectSshHasshServerHashValidateCallback(const Signature *s,
+                                              const char **sigerror)
+{
+    const SigMatch *sm = s->init_data->smlists[g_ssh_hassh_buffer_id];
+    for ( ; sm != NULL; sm = sm->next)
+    {
+        if (sm->type != DETECT_CONTENT)
+            continue;
+
+        const DetectContentData *cd = (DetectContentData *)sm->ctx;
+
+        if (cd->flags & DETECT_CONTENT_NOCASE) {
+            *sigerror = "ssh.hassh.server should not be used together with "
+                        "nocase, since the rule is automatically "
+                        "lowercased anyway which makes nocase redundant.";
+            SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
+        }
+
+        if (cd->content_len != 32)
+        {
+            *sigerror = "Invalid length of the specified ssh.hassh.server (should "
+                        "be 32 characters long). This rule will therefore "
+                        "never match.";
+            SCLogWarning(SC_WARN_POOR_RULE,  "rule %u: %s", s->id, *sigerror);
+            return FALSE;
+        }
+        for (size_t i = 0; i < cd->content_len; ++i)
+        {
+            if(!isxdigit(cd->content[i])) 
+            {
+                *sigerror = "Invalid ssh.hassh.server string (should be string of hexademical characters)."
+                            "This rule will therefore never match.";
+                SCLogWarning(SC_WARN_POOR_RULE,  "rule %u: %s", s->id, *sigerror);
+                return FALSE;
+            }
+        }
+    }
+
+    return TRUE;
+}
+
+static void DetectSshHasshServerHashSetupCallback(const DetectEngineCtx *de_ctx,
+                                          Signature *s)
+{
+    SigMatch *sm = s->init_data->smlists[g_ssh_hassh_buffer_id];
+    for ( ; sm != NULL; sm = sm->next)
+    {
+        if (sm->type != DETECT_CONTENT)
+            continue;
+
+        DetectContentData *cd = (DetectContentData *)sm->ctx;
+
+        uint32_t u;
+        for (u = 0; u < cd->content_len; u++)
+        {
+            if (isupper(cd->content[u])) {
+                cd->content[u] = tolower(cd->content[u]);
+            }
+        }
+
+        SpmDestroyCtx(cd->spm_ctx);
+        cd->spm_ctx = SpmInitCtx(cd->content, cd->content_len, 1,
+        		de_ctx->spm_global_thread_ctx);
+    }
+}
+
+/**
+ * \brief Registration function for hasshServer keyword.
+ */
+void DetectSshHasshServerRegister(void) 
+{
+    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].name = KEYWORD_NAME;
+    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].alias = KEYWORD_ALIAS;
+    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].desc = BUFFER_NAME " sticky buffer";
+    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].RegisterTests = NULL;
+    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].url = "/rules/" KEYWORD_DOC;
+    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].Setup = DetectSshHasshServerSetup;
+    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
+
+    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, 
+            PrefilterGenericMpmRegister, GetSshData, 
+            ALPROTO_SSH, SshStateBannerDone);
+    DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH, 
+            SIG_FLAG_TOCLIENT, SshStateBannerDone, 
+            DetectEngineInspectBufferGeneric, GetSshData);
+    DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
+
+    g_ssh_hassh_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
+
+    DetectBufferTypeRegisterSetupCallback(BUFFER_NAME, DetectSshHasshServerHashSetupCallback);
+    DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectSshHasshServerHashValidateCallback);
+}

src/detect-ssh-hassh-server.h

@@ -0,0 +1,31 @@
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Malakhatko Vadym <v.malakhatko@sirinsoftware.com>
+ */
+
+#ifndef __DETECT_SSH_HASSH_SERVER_H__
+#define  __DETECT_SSH_HASSH_SERVER_H__
+
+/* prototypes */
+void DetectSshHasshServerRegister (void);
+
+#endif /*  __DETECT_SSH_HASSH_SERVER_H__ */
+

src/detect-ssh-hassh-string.c

@@ -0,0 +1,145 @@
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Vadym Malakhatko <v.malakhatko@sirinsoftware.com>
+ */
+
+#include "suricata-common.h"
+#include "threads.h"
+#include "debug.h"
+#include "decode.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+#include "detect-engine-state.h"
+#include "detect-engine-prefilter.h"
+
+#include "flow.h"
+#include "flow-var.h"
+#include "flow-util.h"
+
+#include "util-debug.h"
+#include "util-unittest.h"
+#include "util-unittest-helper.h"
+#include "stream-tcp.h"
+#include "app-layer.h"
+#include "app-layer-parser.h"
+#include "app-layer-ssh.h"
+#include "detect-ssh-hassh-string.h"
+#include "rust.h"
+
+
+#define KEYWORD_NAME "ssh.hassh.string"
+#define KEYWORD_ALIAS "ssh-hassh-string"
+#define KEYWORD_DOC "ssh-keywords.html#hassh.string"
+#define BUFFER_NAME "ssh.hassh.string"
+#define BUFFER_DESC "Ssh Client Key Exchange methods For ssh Clients "
+static int g_ssh_hassh_string_buffer_id = 0;
+
+
+static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *_f,
+        const uint8_t flow_flags, void *txv, const int list_id)
+{
+    
+    SCEnter();
+
+    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+
+    if (buffer->inspect == NULL) {
+        const uint8_t *hassh = NULL;
+        uint32_t b_len = 0;
+
+        if (rs_ssh_tx_get_hassh_string(txv, &hassh, &b_len, flow_flags) != 1)
+            return NULL;
+        if (hassh == NULL || b_len == 0) {
+            SCLogDebug("SSH hassh string is not set");
+            return NULL;
+        }
+
+        InspectionBufferSetup(buffer, hassh, b_len);
+        InspectionBufferApplyTransforms(buffer, transforms);
+    }
+
+    return buffer;
+}
+
+/**
+ * \brief this function setup the hassh.string modifier keyword used in the rule
+ *
+ * \param de_ctx Pointer to the Detection Engine Context
+ * \param s      Pointer to the Signature to which the current keyword belongs
+ * \param str    Should hold an empty string always
+ *
+ * \retval 0  On success
+ * \retval -1 On failure
+ * \retval -2 on failure that should be silent after the first
+ */
+static int DetectSshHasshStringSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
+{
+    if (DetectBufferSetActiveList(s, g_ssh_hassh_string_buffer_id) < 0)
+        return -1;
+
+    if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0)
+        return -1;
+        
+    /* try to enable Hassh */
+    rs_ssh_enable_hassh();
+
+    /* Check if Hassh is disabled */
+    if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
+        if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_STRING)) {
+            SCLogError(SC_WARN_HASSH_DISABLED, "hassh support is not enabled");
+        }
+        return -2;
+    }
+
+    return 0;
+
+}
+
+/**
+ * \brief Registration function for hassh.string keyword.
+ */
+void DetectSshHasshStringRegister(void) 
+{
+    sigmatch_table[DETECT_AL_SSH_HASSH_STRING].name = KEYWORD_NAME;
+    sigmatch_table[DETECT_AL_SSH_HASSH_STRING].alias = KEYWORD_ALIAS;
+    sigmatch_table[DETECT_AL_SSH_HASSH_STRING].desc = BUFFER_NAME " sticky buffer";
+    sigmatch_table[DETECT_AL_SSH_HASSH_STRING].RegisterTests = NULL;
+    sigmatch_table[DETECT_AL_SSH_HASSH_STRING].url = "/rules/" KEYWORD_DOC;
+    sigmatch_table[DETECT_AL_SSH_HASSH_STRING].Setup = DetectSshHasshStringSetup;
+    sigmatch_table[DETECT_AL_SSH_HASSH_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
+
+
+    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, 
+            PrefilterGenericMpmRegister, GetSshData, 
+            ALPROTO_SSH, SshStateBannerDone);
+    DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH, 
+            SIG_FLAG_TOSERVER, SshStateBannerDone, 
+            DetectEngineInspectBufferGeneric, GetSshData);
+
+    DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
+
+    g_ssh_hassh_string_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
+}

src/detect-ssh-hassh-string.h

@@ -0,0 +1,30 @@
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Vadym Malakhatko <v.malakhatko@sirinsoftware.com>
+ */
+
+#ifndef __DETECT_SSH_HASSH_STRING_H__
+#define __DETECT_SSH_HASSH_STRING_H__
+
+/* prototypes */
+void DetectSshHasshStringRegister (void);
+
+#endif /* __DETECT_SSH_HASSH_STRING_H__ */

src/detect-ssh-hassh.c

@@ -0,0 +1,215 @@
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Vadym Malakhatko <v.malakhatko@sirinsoftware.com>
+ */
+
+#include "suricata-common.h"
+#include "threads.h"
+#include "debug.h"
+#include "decode.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+#include "detect-engine-state.h"
+#include "detect-engine-prefilter.h"
+
+#include "flow.h"
+#include "flow-var.h"
+#include "flow-util.h"
+
+#include "util-debug.h"
+#include "util-unittest.h"
+#include "util-unittest-helper.h"
+#include "stream-tcp.h"
+#include "app-layer.h"
+#include "app-layer-parser.h"
+#include "app-layer-ssh.h"
+#include "detect-ssh-hassh.h"
+#include "rust.h"
+
+
+#define KEYWORD_NAME "ssh.hassh"
+#define KEYWORD_ALIAS "ssh-hassh"
+#define KEYWORD_DOC "ssh-keywords.html#hassh"
+#define BUFFER_NAME "ssh.hassh"
+#define BUFFER_DESC "Ssh Client Fingerprinting For Ssh Clients "
+static int g_ssh_hassh_buffer_id = 0;
+
+
+static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
+        const DetectEngineTransforms *transforms, Flow *_f,
+        const uint8_t flow_flags, void *txv, const int list_id)
+{
+    
+    SCEnter();
+
+    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+
+    if (buffer->inspect == NULL) {
+        const uint8_t *hassh = NULL;
+        uint32_t b_len = 0;
+
+        if (rs_ssh_tx_get_hassh(txv, &hassh, &b_len, flow_flags) != 1)
+            return NULL;
+        if (hassh == NULL || b_len == 0) {
+            SCLogDebug("SSH hassh not set");
+            return NULL;
+        }
+
+        InspectionBufferSetup(buffer, hassh, b_len);
+        InspectionBufferApplyTransforms(buffer, transforms);
+    }
+
+    return buffer;
+}
+
+/**
+ * \brief this function setup the hassh modifier keyword used in the rule
+ *
+ * \param de_ctx Pointer to the Detection Engine Context
+ * \param s      Pointer to the Signature to which the current keyword belongs
+ * \param str    Should hold an empty string always
+ *
+ * \retval 0  On success
+ * \retval -1 On failure
+ * \retval -2 on failure that should be silent after the first
+ */
+static int DetectSshHasshSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
+{
+    if (DetectBufferSetActiveList(s, g_ssh_hassh_buffer_id) < 0)
+        return -1;
+
+    if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0)
+        return -1;
+        
+    /* try to enable Hassh */
+    rs_ssh_enable_hassh();
+
+    /* Check if Hassh is disabled */
+    if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
+        if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH)) {
+            SCLogError(SC_WARN_HASSH_DISABLED, "hassh support is not enabled");
+        }
+        return -2;
+    }
+
+    return 0;
+
+}
+
+
+static bool DetectSshHasshHashValidateCallback(const Signature *s,
+                                              const char **sigerror)
+{
+    const SigMatch *sm = s->init_data->smlists[g_ssh_hassh_buffer_id];
+    for ( ; sm != NULL; sm = sm->next)
+    {
+        if (sm->type != DETECT_CONTENT)
+            continue;
+
+        const DetectContentData *cd = (DetectContentData *)sm->ctx;
+
+        if (cd->flags & DETECT_CONTENT_NOCASE) {
+            *sigerror = "ssh.hassh should not be used together with "
+                        "nocase, since the rule is automatically "
+                        "lowercased anyway which makes nocase redundant.";
+            SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
+        }
+
+        if (cd->content_len != 32)
+        {
+            *sigerror = "Invalid length of the specified ssh.hassh (should "
+                        "be 32 characters long). This rule will therefore "
+                        "never match.";
+            SCLogWarning(SC_WARN_POOR_RULE,  "rule %u: %s", s->id, *sigerror);
+            return FALSE;
+        }
+        for (size_t i = 0; i < cd->content_len; ++i)
+        {
+            if(!isxdigit(cd->content[i])) 
+            {
+                *sigerror = "Invalid ssh.hassh string (should be string of hexademical characters)."
+                            "This rule will therefore never match.";
+                SCLogWarning(SC_WARN_POOR_RULE,  "rule %u: %s", s->id, *sigerror);
+                return FALSE;
+            }
+        }
+    }
+
+    return TRUE;
+}
+
+static void DetectSshHasshHashSetupCallback(const DetectEngineCtx *de_ctx,
+                                          Signature *s)
+{
+    SigMatch *sm = s->init_data->smlists[g_ssh_hassh_buffer_id];
+    for ( ; sm != NULL; sm = sm->next)
+    {
+        if (sm->type != DETECT_CONTENT)
+            continue;
+
+        DetectContentData *cd = (DetectContentData *)sm->ctx;
+
+        uint32_t u;
+        for (u = 0; u < cd->content_len; u++)
+        {
+            if (isupper(cd->content[u])) {
+                cd->content[u] = tolower(cd->content[u]);
+            }
+        }
+
+        SpmDestroyCtx(cd->spm_ctx);
+        cd->spm_ctx = SpmInitCtx(cd->content, cd->content_len, 1,
+        		de_ctx->spm_global_thread_ctx);
+    }
+}
+
+/**
+ * \brief Registration function for hassh keyword.
+ */
+void DetectSshHasshRegister(void) 
+{
+    sigmatch_table[DETECT_AL_SSH_HASSH].name = KEYWORD_NAME;
+    sigmatch_table[DETECT_AL_SSH_HASSH].alias = KEYWORD_ALIAS;
+    sigmatch_table[DETECT_AL_SSH_HASSH].desc = BUFFER_NAME " sticky buffer";
+    sigmatch_table[DETECT_AL_SSH_HASSH].RegisterTests = NULL;
+    sigmatch_table[DETECT_AL_SSH_HASSH].url = "/rules/" KEYWORD_DOC;
+    sigmatch_table[DETECT_AL_SSH_HASSH].Setup = DetectSshHasshSetup;
+    sigmatch_table[DETECT_AL_SSH_HASSH].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
+
+
+    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, 
+            PrefilterGenericMpmRegister, GetSshData, 
+            ALPROTO_SSH, SshStateBannerDone),
+    DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH, 
+            SIG_FLAG_TOSERVER, SshStateBannerDone, 
+            DetectEngineInspectBufferGeneric, GetSshData);
+    DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
+
+    g_ssh_hassh_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
+
+    DetectBufferTypeRegisterSetupCallback(BUFFER_NAME, DetectSshHasshHashSetupCallback);
+    DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectSshHasshHashValidateCallback);
+}
+

src/detect-ssh-hassh.h

@@ -0,0 +1,30 @@
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Malakhatko Vadym <v.malakhatko@sirinsoftware.com>
+ */
+
+#ifndef __DETECT_SSH_HASSH_H__
+#define __DETECT_SSH_HASSH_H__
+
+/* prototypes */
+void DetectSshHasshRegister (void);
+
+#endif /* __DETECT_SSH_HASSH_H__ */

src/util-error.c

@@ -370,6 +370,7 @@ const char * SCErrorToString(SCError err)
         CASE_CODE (SC_WARN_REGISTRATION_FAILED);
         CASE_CODE (SC_ERR_ERF_BAD_RLEN);
         CASE_CODE (SC_WARN_ERSPAN_CONFIG);
+        CASE_CODE (SC_WARN_HASSH_DISABLED);
 
         CASE_CODE (SC_ERR_MAX);
     }

src/util-error.h

@@ -360,6 +360,7 @@ typedef enum {
     SC_WARN_REGISTRATION_FAILED,
     SC_ERR_ERF_BAD_RLEN,
     SC_WARN_ERSPAN_CONFIG,
+    SC_WARN_HASSH_DISABLED,
 
     SC_ERR_MAX
 } SCError;