|
|
|
@ -1,4 +1,4 @@
|
|
|
|
/* Copyright (C) 2007-2014 Open Information Security Foundation
|
|
|
|
/* Copyright (C) 2007-2016 Open Information Security Foundation
|
|
|
|
*
|
|
|
|
*
|
|
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
|
|
* the GNU General Public License version 2 as published by the Free
|
|
|
|
* the GNU General Public License version 2 as published by the Free
|
|
|
|
@ -67,12 +67,22 @@ static pcre *parse_regex;
|
|
|
|
static pcre_extra *parse_regex_study;
|
|
|
|
static pcre_extra *parse_regex_study;
|
|
|
|
|
|
|
|
|
|
|
|
static int DetectSshSoftwareVersionMatch (ThreadVars *, DetectEngineThreadCtx *,
|
|
|
|
static int DetectSshSoftwareVersionMatch (ThreadVars *, DetectEngineThreadCtx *,
|
|
|
|
Flow *, uint8_t, void *,
|
|
|
|
Flow *, uint8_t, void *, void *,
|
|
|
|
const Signature *, const SigMatchData *);
|
|
|
|
const Signature *, const SigMatchCtx *);
|
|
|
|
static int DetectSshSoftwareVersionSetup (DetectEngineCtx *, Signature *, char *);
|
|
|
|
static int DetectSshSoftwareVersionSetup (DetectEngineCtx *, Signature *, char *);
|
|
|
|
void DetectSshSoftwareVersionRegisterTests(void);
|
|
|
|
static void DetectSshSoftwareVersionRegisterTests(void);
|
|
|
|
void DetectSshSoftwareVersionFree(void *);
|
|
|
|
static void DetectSshSoftwareVersionFree(void *);
|
|
|
|
void DetectSshSoftwareVersionRegister(void);
|
|
|
|
static int g_ssh_banner_list_id = 0;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static int InspectSshBanner(ThreadVars *tv,
|
|
|
|
|
|
|
|
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
|
|
|
|
|
|
|
|
const Signature *s, const SigMatchData *smd,
|
|
|
|
|
|
|
|
Flow *f, uint8_t flags, void *alstate,
|
|
|
|
|
|
|
|
void *txv, uint64_t tx_id)
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
|
|
|
|
|
|
|
|
f, flags, alstate, txv, tx_id);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
/**
|
|
|
|
* \brief Registration function for keyword: ssh.softwareversion
|
|
|
|
* \brief Registration function for keyword: ssh.softwareversion
|
|
|
|
@ -80,13 +90,19 @@ void DetectSshSoftwareVersionRegister(void);
|
|
|
|
void DetectSshSoftwareVersionRegister(void)
|
|
|
|
void DetectSshSoftwareVersionRegister(void)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].name = "ssh.softwareversion";
|
|
|
|
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].name = "ssh.softwareversion";
|
|
|
|
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Match = NULL;
|
|
|
|
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].AppLayerTxMatch = DetectSshSoftwareVersionMatch;
|
|
|
|
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].AppLayerMatch = DetectSshSoftwareVersionMatch;
|
|
|
|
|
|
|
|
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Setup = DetectSshSoftwareVersionSetup;
|
|
|
|
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Setup = DetectSshSoftwareVersionSetup;
|
|
|
|
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Free = DetectSshSoftwareVersionFree;
|
|
|
|
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Free = DetectSshSoftwareVersionFree;
|
|
|
|
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].RegisterTests = DetectSshSoftwareVersionRegisterTests;
|
|
|
|
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].RegisterTests = DetectSshSoftwareVersionRegisterTests;
|
|
|
|
|
|
|
|
|
|
|
|
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
|
|
|
|
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner");
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DetectAppLayerInspectEngineRegister("ssh_banner",
|
|
|
|
|
|
|
|
ALPROTO_SSH, SIG_FLAG_TOSERVER, InspectSshBanner);
|
|
|
|
|
|
|
|
DetectAppLayerInspectEngineRegister("ssh_banner",
|
|
|
|
|
|
|
|
ALPROTO_SSH, SIG_FLAG_TOCLIENT, InspectSshBanner);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
/**
|
|
|
|
@ -101,12 +117,12 @@ void DetectSshSoftwareVersionRegister(void)
|
|
|
|
* \retval 1 match
|
|
|
|
* \retval 1 match
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
static int DetectSshSoftwareVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
|
|
|
|
static int DetectSshSoftwareVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
|
|
|
|
Flow *f, uint8_t flags, void *state,
|
|
|
|
Flow *f, uint8_t flags, void *state, void *txv,
|
|
|
|
const Signature *s, const SigMatchData *m)
|
|
|
|
const Signature *s, const SigMatchCtx *m)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
SCEnter();
|
|
|
|
SCEnter();
|
|
|
|
|
|
|
|
|
|
|
|
DetectSshSoftwareVersionData *ssh = (DetectSshSoftwareVersionData *)m->ctx;
|
|
|
|
DetectSshSoftwareVersionData *ssh = (DetectSshSoftwareVersionData *)m;
|
|
|
|
SshState *ssh_state = (SshState *)state;
|
|
|
|
SshState *ssh_state = (SshState *)state;
|
|
|
|
if (ssh_state == NULL) {
|
|
|
|
if (ssh_state == NULL) {
|
|
|
|
SCLogDebug("no ssh state, no match");
|
|
|
|
SCLogDebug("no ssh state, no match");
|
|
|
|
@ -196,6 +212,11 @@ static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s,
|
|
|
|
DetectSshSoftwareVersionData *ssh = NULL;
|
|
|
|
DetectSshSoftwareVersionData *ssh = NULL;
|
|
|
|
SigMatch *sm = NULL;
|
|
|
|
SigMatch *sm = NULL;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
|
|
|
|
|
|
|
|
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
ssh = DetectSshSoftwareVersionParse(str);
|
|
|
|
ssh = DetectSshSoftwareVersionParse(str);
|
|
|
|
if (ssh == NULL)
|
|
|
|
if (ssh == NULL)
|
|
|
|
goto error;
|
|
|
|
goto error;
|
|
|
|
@ -206,18 +227,13 @@ static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s,
|
|
|
|
if (sm == NULL)
|
|
|
|
if (sm == NULL)
|
|
|
|
goto error;
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
|
|
|
|
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
|
|
|
|
|
|
|
|
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
|
|
|
|
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sm->type = DETECT_AL_SSH_SOFTWAREVERSION;
|
|
|
|
sm->type = DETECT_AL_SSH_SOFTWAREVERSION;
|
|
|
|
sm->ctx = (void *)ssh;
|
|
|
|
sm->ctx = (void *)ssh;
|
|
|
|
|
|
|
|
|
|
|
|
s->flags |= SIG_FLAG_APPLAYER;
|
|
|
|
s->flags |= SIG_FLAG_APPLAYER;
|
|
|
|
s->alproto = ALPROTO_SSH;
|
|
|
|
s->alproto = ALPROTO_SSH;
|
|
|
|
|
|
|
|
|
|
|
|
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
|
|
|
|
SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id);
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
|
|
@ -235,7 +251,7 @@ error:
|
|
|
|
*
|
|
|
|
*
|
|
|
|
* \param id_d pointer to DetectSshSoftwareVersionData
|
|
|
|
* \param id_d pointer to DetectSshSoftwareVersionData
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
void DetectSshSoftwareVersionFree(void *ptr)
|
|
|
|
static void DetectSshSoftwareVersionFree(void *ptr)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
if (ptr == NULL)
|
|
|
|
if (ptr == NULL)
|
|
|
|
return;
|
|
|
|
return;
|
|
|
|
@ -252,7 +268,7 @@ void DetectSshSoftwareVersionFree(void *ptr)
|
|
|
|
* \test DetectSshSoftwareVersionTestParse01 is a test to make sure that we parse
|
|
|
|
* \test DetectSshSoftwareVersionTestParse01 is a test to make sure that we parse
|
|
|
|
* a software version correctly
|
|
|
|
* a software version correctly
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
int DetectSshSoftwareVersionTestParse01 (void)
|
|
|
|
static int DetectSshSoftwareVersionTestParse01 (void)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
DetectSshSoftwareVersionData *ssh = NULL;
|
|
|
|
DetectSshSoftwareVersionData *ssh = NULL;
|
|
|
|
ssh = DetectSshSoftwareVersionParse("PuTTY_1.0");
|
|
|
|
ssh = DetectSshSoftwareVersionParse("PuTTY_1.0");
|
|
|
|
@ -268,7 +284,7 @@ int DetectSshSoftwareVersionTestParse01 (void)
|
|
|
|
* \test DetectSshSoftwareVersionTestParse02 is a test to make sure that we parse
|
|
|
|
* \test DetectSshSoftwareVersionTestParse02 is a test to make sure that we parse
|
|
|
|
* the software version correctly
|
|
|
|
* the software version correctly
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
int DetectSshSoftwareVersionTestParse02 (void)
|
|
|
|
static int DetectSshSoftwareVersionTestParse02 (void)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
DetectSshSoftwareVersionData *ssh = NULL;
|
|
|
|
DetectSshSoftwareVersionData *ssh = NULL;
|
|
|
|
ssh = DetectSshSoftwareVersionParse("\"SecureCRT-4.0\"");
|
|
|
|
ssh = DetectSshSoftwareVersionParse("\"SecureCRT-4.0\"");
|
|
|
|
@ -284,7 +300,7 @@ int DetectSshSoftwareVersionTestParse02 (void)
|
|
|
|
* \test DetectSshSoftwareVersionTestParse03 is a test to make sure that we
|
|
|
|
* \test DetectSshSoftwareVersionTestParse03 is a test to make sure that we
|
|
|
|
* don't return a ssh_data with an empty value specified
|
|
|
|
* don't return a ssh_data with an empty value specified
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
int DetectSshSoftwareVersionTestParse03 (void)
|
|
|
|
static int DetectSshSoftwareVersionTestParse03 (void)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
DetectSshSoftwareVersionData *ssh = NULL;
|
|
|
|
DetectSshSoftwareVersionData *ssh = NULL;
|
|
|
|
ssh = DetectSshSoftwareVersionParse("");
|
|
|
|
ssh = DetectSshSoftwareVersionParse("");
|
|
|
|
@ -656,7 +672,7 @@ end:
|
|
|
|
/**
|
|
|
|
/**
|
|
|
|
* \brief this function registers unit tests for DetectSshSoftwareVersion
|
|
|
|
* \brief this function registers unit tests for DetectSshSoftwareVersion
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
void DetectSshSoftwareVersionRegisterTests(void)
|
|
|
|
static void DetectSshSoftwareVersionRegisterTests(void)
|
|
|
|
{
|
|
|
|
{
|
|
|
|
#ifdef UNITTESTS /* UNITTESTS */
|
|
|
|
#ifdef UNITTESTS /* UNITTESTS */
|
|
|
|
UtRegisterTest("DetectSshSoftwareVersionTestParse01",
|
|
|
|
UtRegisterTest("DetectSshSoftwareVersionTestParse01",
|
|
|
|
|
Victor Julien
8 years ago