aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ssh: handles incomplete record after banner

Browse Source 
To signal incomplete data, we must return the number of
consumed bytes. When we get a banner and some records, we have
to take into account the number of bytes already consumed by
the banner parsing before reaching an incomplete record.
pull/5000/head
Philippe Antoine 5 years ago committed by Victor Julien
parent ae5650d443
commit 6373071aa3
1 changed files with 20 additions and 2 deletions
Show Stats Download Patch File Download Diff File

22
rust/src/ssh/ssh.rs
Unescape Escape View File

@ -224,7 +224,16 @@ impl SSHState {
if hdr.flags == SSHConnectionState::SshStateBannerWaitEol {
match parser::ssh_parse_line(input) {
Ok((rem, _)) => {
return self.parse_record(rem, resp, pstate);
let r = self.parse_record(rem, resp, pstate);
if r.status == 1 {
//adds bytes consumed by banner to incomplete result
return AppLayerResult::incomplete(
r.consumed + (input.len() - rem.len()) as u32,
r.needed,
);
} else {
return r;
}
}
Err(nom::Err::Incomplete(_)) => {
return AppLayerResult::incomplete(0 as u32, (input.len() + 1) as u32);
@ -257,7 +266,16 @@ impl SSHState {
);
self.set_event(SSHEvent::LongBanner);
}
return self.parse_record(rem, resp, pstate);
let r = self.parse_record(rem, resp, pstate);
if r.status == 1 {
//adds bytes consumed by banner to incomplete result
return AppLayerResult::incomplete(
r.consumed + (input.len() - rem.len()) as u32,
r.needed,
);
} else {
return r;
}
}
Err(nom::Err::Incomplete(_)) => {
if input.len() < SSH_MAX_BANNER_LEN {

Write Preview
Loading…
Cancel
Save