aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect: make ssh detection use dynamic list

Browse Source
pull/2559/head
Victor Julien 8 years ago
parent c412352474
commit a10b2fdecf
4 changed files with 57 additions and 39 deletions
Show Stats Download Patch File Download Diff File

3
src/detect-lua.c
Unescape Escape View File

@ -1036,7 +1036,8 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
int list = DetectBufferTypeGetByName("tls_generic");
SigMatchAppendSMToList(s, sm, list);
} else if (lua->alproto == ALPROTO_SSH) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
int list = DetectBufferTypeGetByName("ssh_banner");
SigMatchAppendSMToList(s, sm, list);
} else if (lua->alproto == ALPROTO_SMTP) {
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
} else if (lua->alproto == ALPROTO_DNP3) {

32
src/detect-ssh-proto-version.c
Unescape Escape View File

@ -63,11 +63,12 @@ static pcre *parse_regex;
static pcre_extra *parse_regex_study;
static int DetectSshVersionMatch (ThreadVars *, DetectEngineThreadCtx *,
Flow *, uint8_t, void *,
const Signature *, const SigMatchData *);
Flow *, uint8_t, void *, void *,
const Signature *, const SigMatchCtx *);
static int DetectSshVersionSetup (DetectEngineCtx *, Signature *, char *);
void DetectSshVersionRegisterTests(void);
void DetectSshVersionFree(void *);
static void DetectSshVersionRegisterTests(void);
static void DetectSshVersionFree(void *);
static int g_ssh_banner_list_id = 0;
/**
* \brief Registration function for keyword: ssh.protoversion
@ -75,13 +76,14 @@ void DetectSshVersionFree(void *);
void DetectSshVersionRegister(void)
{
sigmatch_table[DETECT_AL_SSH_PROTOVERSION].name = "ssh.protoversion";
sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Match = NULL;
sigmatch_table[DETECT_AL_SSH_PROTOVERSION].AppLayerMatch = DetectSshVersionMatch;
sigmatch_table[DETECT_AL_SSH_PROTOVERSION].AppLayerTxMatch = DetectSshVersionMatch;
sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Setup = DetectSshVersionSetup;
sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Free = DetectSshVersionFree;
sigmatch_table[DETECT_AL_SSH_PROTOVERSION].RegisterTests = DetectSshVersionRegisterTests;
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner");
}
/**
@ -96,12 +98,12 @@ void DetectSshVersionRegister(void)
* \retval 1 match
*/
static int DetectSshVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, void *state,
const Signature *s, const SigMatchData *m)
Flow *f, uint8_t flags, void *state, void *txv,
const Signature *s, const SigMatchCtx *m)
{
SCEnter();
DetectSshVersionData *ssh = (DetectSshVersionData *)m->ctx;
DetectSshVersionData *ssh = (DetectSshVersionData *)m;
SshState *ssh_state = (SshState *)state;
if (ssh_state == NULL) {
SCLogDebug("no ssh state, no match");
@ -215,6 +217,11 @@ static int DetectSshVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
DetectSshVersionData *ssh = NULL;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
return -1;
}
ssh = DetectSshVersionParse(str);
if (ssh == NULL)
goto error;
@ -225,15 +232,10 @@ static int DetectSshVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s
if (sm == NULL)
goto error;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
goto error;
}
sm->type = DETECT_AL_SSH_PROTOVERSION;
sm->ctx = (void *)ssh;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id);
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_SSH;

60
src/detect-ssh-software-version.c
Unescape Escape View File

@ -1,4 +1,4 @@
/* Copyright (C) 2007-2014 Open Information Security Foundation
/* Copyright (C) 2007-2016 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
@ -67,12 +67,22 @@ static pcre *parse_regex;
static pcre_extra *parse_regex_study;
static int DetectSshSoftwareVersionMatch (ThreadVars *, DetectEngineThreadCtx *,
Flow *, uint8_t, void *,
const Signature *, const SigMatchData *);
Flow *, uint8_t, void *, void *,
const Signature *, const SigMatchCtx *);
static int DetectSshSoftwareVersionSetup (DetectEngineCtx *, Signature *, char *);
void DetectSshSoftwareVersionRegisterTests(void);
void DetectSshSoftwareVersionFree(void *);
void DetectSshSoftwareVersionRegister(void);
static void DetectSshSoftwareVersionRegisterTests(void);
static void DetectSshSoftwareVersionFree(void *);
static int g_ssh_banner_list_id = 0;
static int InspectSshBanner(ThreadVars *tv,
DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
const Signature *s, const SigMatchData *smd,
Flow *f, uint8_t flags, void *alstate,
void *txv, uint64_t tx_id)
{
return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
f, flags, alstate, txv, tx_id);
}
/**
* \brief Registration function for keyword: ssh.softwareversion
@ -80,13 +90,19 @@ void DetectSshSoftwareVersionRegister(void);
void DetectSshSoftwareVersionRegister(void)
{
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].name = "ssh.softwareversion";
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Match = NULL;
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].AppLayerMatch = DetectSshSoftwareVersionMatch;
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].AppLayerTxMatch = DetectSshSoftwareVersionMatch;
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Setup = DetectSshSoftwareVersionSetup;
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Free = DetectSshSoftwareVersionFree;
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].RegisterTests = DetectSshSoftwareVersionRegisterTests;
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner");
DetectAppLayerInspectEngineRegister("ssh_banner",
ALPROTO_SSH, SIG_FLAG_TOSERVER, InspectSshBanner);
DetectAppLayerInspectEngineRegister("ssh_banner",
ALPROTO_SSH, SIG_FLAG_TOCLIENT, InspectSshBanner);
}
/**
@ -101,12 +117,12 @@ void DetectSshSoftwareVersionRegister(void)
* \retval 1 match
*/
static int DetectSshSoftwareVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
Flow *f, uint8_t flags, void *state,
const Signature *s, const SigMatchData *m)
Flow *f, uint8_t flags, void *state, void *txv,
const Signature *s, const SigMatchCtx *m)
{
SCEnter();
DetectSshSoftwareVersionData *ssh = (DetectSshSoftwareVersionData *)m->ctx;
DetectSshSoftwareVersionData *ssh = (DetectSshSoftwareVersionData *)m;
SshState *ssh_state = (SshState *)state;
if (ssh_state == NULL) {
SCLogDebug("no ssh state, no match");
@ -196,6 +212,11 @@ static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s,
DetectSshSoftwareVersionData *ssh = NULL;
SigMatch *sm = NULL;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
return -1;
}
ssh = DetectSshSoftwareVersionParse(str);
if (ssh == NULL)
goto error;
@ -206,18 +227,13 @@ static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s,
if (sm == NULL)
goto error;
if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
goto error;
}
sm->type = DETECT_AL_SSH_SOFTWAREVERSION;
sm->ctx = (void *)ssh;
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_SSH;
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id);
return 0;
@ -235,7 +251,7 @@ error:
*
* \param id_d pointer to DetectSshSoftwareVersionData
*/
void DetectSshSoftwareVersionFree(void *ptr)
static void DetectSshSoftwareVersionFree(void *ptr)
{
if (ptr == NULL)
return;
@ -252,7 +268,7 @@ void DetectSshSoftwareVersionFree(void *ptr)
* \test DetectSshSoftwareVersionTestParse01 is a test to make sure that we parse
* a software version correctly
*/
int DetectSshSoftwareVersionTestParse01 (void)
static int DetectSshSoftwareVersionTestParse01 (void)
{
DetectSshSoftwareVersionData *ssh = NULL;
ssh = DetectSshSoftwareVersionParse("PuTTY_1.0");
@ -268,7 +284,7 @@ int DetectSshSoftwareVersionTestParse01 (void)
* \test DetectSshSoftwareVersionTestParse02 is a test to make sure that we parse
* the software version correctly
*/
int DetectSshSoftwareVersionTestParse02 (void)
static int DetectSshSoftwareVersionTestParse02 (void)
{
DetectSshSoftwareVersionData *ssh = NULL;
ssh = DetectSshSoftwareVersionParse("\"SecureCRT-4.0\"");
@ -284,7 +300,7 @@ int DetectSshSoftwareVersionTestParse02 (void)
* \test DetectSshSoftwareVersionTestParse03 is a test to make sure that we
* don't return a ssh_data with an empty value specified
*/
int DetectSshSoftwareVersionTestParse03 (void)
static int DetectSshSoftwareVersionTestParse03 (void)
{
DetectSshSoftwareVersionData *ssh = NULL;
ssh = DetectSshSoftwareVersionParse("");
@ -656,7 +672,7 @@ end:
/**
* \brief this function registers unit tests for DetectSshSoftwareVersion
*/
void DetectSshSoftwareVersionRegisterTests(void)
static void DetectSshSoftwareVersionRegisterTests(void)
{
#ifdef UNITTESTS /* UNITTESTS */
UtRegisterTest("DetectSshSoftwareVersionTestParse01",

1
src/detect-ssh-software-version.h
Unescape Escape View File

@ -31,7 +31,6 @@ typedef struct DetectSshSoftwareVersionData_ {
/* prototypes */
void DetectSshSoftwareVersionRegister(void);
void DetectSshSoftwareVersionRegisterTests(void);
#endif /* __DETECT_SSH_SOFTWARE_VERSION_H__ */

Write Preview
Loading…
Cancel
Save