detect-ssh-proto-version.c detect-ssh-proto-version.h \
detect-ssh-software.c detect-ssh-software.h \
detect-ssh-software-version.c detect-ssh-software-version.h \
+detect-ssh-hassh.c detect-ssh-hassh.h \
+detect-ssh-hassh-server.c detect-ssh-hassh-server.h \
+detect-ssh-hassh-string.c detect-ssh-hassh-string.h \
+detect-ssh-hassh-server-string.c detect-ssh-hassh-server-string.h \
detect-smb-share.c detect-smb-share.h \
detect-ssl-state.c detect-ssl-state.h \
detect-ssl-version.c detect-ssl-version.h \
#include "detect-ssh-proto-version.h"
#include "detect-ssh-software.h"
#include "detect-ssh-software-version.h"
+#include "detect-ssh-hassh.h"
+#include "detect-ssh-hassh-server.h"
+#include "detect-ssh-hassh-string.h"
+#include "detect-ssh-hassh-server-string.h"
#include "detect-http-stat-code.h"
#include "detect-ssl-version.h"
#include "detect-ssl-state.h"
DetectSshVersionRegister();
DetectSshSoftwareRegister();
DetectSshSoftwareVersionRegister();
+ DetectSshHasshRegister();
+ DetectSshHasshServerRegister();
+ DetectSshHasshStringRegister();
+ DetectSshHasshServerStringRegister();
DetectSslStateRegister();
DetectSslVersionRegister();
DetectByteExtractRegister();
DETECT_AL_SSH_PROTOVERSION,
DETECT_AL_SSH_SOFTWARE,
DETECT_AL_SSH_SOFTWAREVERSION,
+ DETECT_AL_SSH_HASSH,
+ DETECT_AL_SSH_HASSH_SERVER,
+ DETECT_AL_SSH_HASSH_STRING,
+ DETECT_AL_SSH_HASSH_SERVER_STRING,
DETECT_AL_SSL_VERSION,
DETECT_AL_SSL_STATE,
DETECT_BYTE_EXTRACT,
--- /dev/null
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Vadym Malakhatko <v.malakhatko@sirinsoftware.com>
+ */
+
+#include "suricata-common.h"
+#include "threads.h"
+#include "debug.h"
+#include "decode.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+#include "detect-engine-state.h"
+#include "detect-engine-prefilter.h"
+
+#include "flow.h"
+#include "flow-var.h"
+#include "flow-util.h"
+#include "stream-tcp.h"
+#include "util-debug.h"
+#include "util-unittest.h"
+#include "util-unittest-helper.h"
+
+#include "app-layer.h"
+#include "app-layer-parser.h"
+#include "app-layer-ssh.h"
+#include "detect-ssh-hassh-server-string.h"
+#include "rust.h"
+
+
+#define KEYWORD_NAME "ssh.hassh.server.string"
+#define KEYWORD_ALIAS "ssh-hassh-server-string"
+#define KEYWORD_DOC "ssh-keywords.html#ssh.hassh.server.string"
+#define BUFFER_NAME "ssh.hassh.server.string"
+#define BUFFER_DESC "Ssh Client Key Exchange methods For ssh Servers"
+static int g_ssh_hassh_server_string_buffer_id = 0;
+
+
+static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f,
+ const uint8_t flow_flags, void *txv, const int list_id)
+{
+
+ SCEnter();
+
+ InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+
+ if (buffer->inspect == NULL) {
+ const uint8_t *hassh = NULL;
+ uint32_t b_len = 0;
+
+ if (rs_ssh_tx_get_hassh_string(txv, &hassh, &b_len, flow_flags) != 1)
+ return NULL;
+ if (hassh == NULL || b_len == 0) {
+ SCLogDebug("SSH hassh string is not set");
+ return NULL;
+ }
+
+ InspectionBufferSetup(buffer, hassh, b_len);
+ InspectionBufferApplyTransforms(buffer, transforms);
+ }
+
+ return buffer;
+}
+
+/**
+ * \brief this function setup the ssh.hassh.server.string modifier keyword used in the rule
+ *
+ * \param de_ctx Pointer to the Detection Engine Context
+ * \param s Pointer to the Signature to which the current keyword belongs
+ * \param str Should hold an empty string always
+ *
+ * \retval 0 On success
+ * \retval -1 On failure
+ * \retval -2 on failure that should be silent after the first
+ */
+static int DetectSshHasshServerStringSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
+{
+ if (DetectBufferSetActiveList(s, g_ssh_hassh_server_string_buffer_id) < 0)
+ return -1;
+
+ if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0)
+ return -1;
+
+ /* try to enable Hassh */
+ rs_ssh_enable_hassh();
+
+ /* Check if Hassh is disabled */
+ if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
+ if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_SERVER_STRING)) {
+ SCLogError(SC_WARN_HASSH_DISABLED, "hassh support is not enabled");
+ }
+ return -2;
+ }
+
+ return 0;
+
+}
+
+/**
+ * \brief Registration function for hasshServer.string keyword.
+ */
+void DetectSshHasshServerStringRegister(void)
+{
+ sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].alias = KEYWORD_ALIAS;
+ sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].desc = BUFFER_NAME " sticky buffer";
+ sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].RegisterTests = NULL;
+ sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].Setup = DetectSshHasshServerStringSetup;
+ sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
+
+
+ DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
+ PrefilterGenericMpmRegister, GetSshData,
+ ALPROTO_SSH, SshStateBannerDone);
+ DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH,
+ SIG_FLAG_TOCLIENT, SshStateBannerDone,
+ DetectEngineInspectBufferGeneric, GetSshData);
+
+ DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
+
+ g_ssh_hassh_server_string_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
+}
\ No newline at end of file
--- /dev/null
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Malakhatko Vadym <v.malakhatko@sirinsoftware.com>
+ */
+
+#ifndef __DETECT_SSH_HASSH_SERVER_STRING_H__
+#define __DETECT_SSH_HASSH_SERVER_STRING_H__
+
+/* prototypes */
+void DetectSshHasshServerStringRegister (void);
+
+#endif /* __DETECT_SSH_HASSH_SERVER_STRING_H__ */
--- /dev/null
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Vadym Malakhatko <v.malakhatko@sirinsoftware.com>
+ */
+
+#include "suricata-common.h"
+#include "threads.h"
+#include "debug.h"
+#include "decode.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+#include "detect-engine-state.h"
+#include "detect-engine-prefilter.h"
+
+#include "flow.h"
+#include "flow-var.h"
+#include "flow-util.h"
+#include "stream-tcp.h"
+#include "util-debug.h"
+#include "util-unittest.h"
+#include "util-unittest-helper.h"
+
+#include "app-layer.h"
+#include "app-layer-parser.h"
+#include "app-layer-ssh.h"
+#include "detect-ssh-hassh-server.h"
+#include "rust.h"
+
+
+#define KEYWORD_NAME "ssh.hassh.server"
+#define KEYWORD_ALIAS "ssh-hassh-server"
+#define KEYWORD_DOC "ssh-keywords.html#ssh.hassh.server"
+#define BUFFER_NAME "ssh.hassh.server"
+#define BUFFER_DESC "Ssh Client Fingerprinting For Ssh Servers"
+static int g_ssh_hassh_buffer_id = 0;
+
+
+static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f,
+ const uint8_t flow_flags, void *txv, const int list_id)
+{
+
+ SCEnter();
+
+ InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+
+ if (buffer->inspect == NULL) {
+ const uint8_t *hasshServer = NULL;
+ uint32_t b_len = 0;
+
+ if (rs_ssh_tx_get_hassh(txv, &hasshServer, &b_len, flow_flags) != 1)
+ return NULL;
+ if (hasshServer == NULL || b_len == 0) {
+ SCLogDebug("SSH hassh not set");
+ return NULL;
+ }
+
+ InspectionBufferSetup(buffer, hasshServer, b_len);
+ InspectionBufferApplyTransforms(buffer, transforms);
+ }
+
+ return buffer;
+}
+
+/**
+ * \brief this function setup the ssh.hassh.server modifier keyword used in the rule
+ *
+ * \param de_ctx Pointer to the Detection Engine Context
+ * \param s Pointer to the Signature to which the current keyword belongs
+ * \param str Should hold an empty string always
+ *
+ * \retval 0 On success
+ * \retval -1 On failure
+ * \retval -2 on failure that should be silent after the first
+ */
+static int DetectSshHasshServerSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
+{
+ if (DetectBufferSetActiveList(s, g_ssh_hassh_buffer_id) < 0)
+ return -1;
+
+ if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0)
+ return -1;
+
+ /* try to enable Hassh */
+ rs_ssh_enable_hassh();
+
+ /* Check if Hassh is disabled */
+ if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
+ if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_SERVER)) {
+ SCLogError(SC_WARN_HASSH_DISABLED, "hassh support is not enabled");
+ }
+ return -2;
+ }
+
+ return 0;
+
+}
+
+
+static _Bool DetectSshHasshServerHashValidateCallback(const Signature *s,
+ const char **sigerror)
+{
+ const SigMatch *sm = s->init_data->smlists[g_ssh_hassh_buffer_id];
+ for ( ; sm != NULL; sm = sm->next)
+ {
+ if (sm->type != DETECT_CONTENT)
+ continue;
+
+ const DetectContentData *cd = (DetectContentData *)sm->ctx;
+
+ if (cd->flags & DETECT_CONTENT_NOCASE) {
+ *sigerror = "ssh.hassh.server should not be used together with "
+ "nocase, since the rule is automatically "
+ "lowercased anyway which makes nocase redundant.";
+ SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
+ }
+
+ if (cd->content_len != 32)
+ {
+ *sigerror = "Invalid length of the specified ssh.hassh.server (should "
+ "be 32 characters long). This rule will therefore "
+ "never match.";
+ SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
+ return FALSE;
+ }
+ for (size_t i = 0; i < cd->content_len; ++i)
+ {
+ if(!isxdigit(cd->content[i]))
+ {
+ *sigerror = "Invalid ssh.hassh.server string (should be string of hexademical characters)."
+ "This rule will therefore never match.";
+ SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
+ return FALSE;
+ }
+ }
+ }
+
+ return TRUE;
+}
+
+static void DetectSshHasshServerHashSetupCallback(const DetectEngineCtx *de_ctx,
+ Signature *s)
+{
+ SigMatch *sm = s->init_data->smlists[g_ssh_hassh_buffer_id];
+ for ( ; sm != NULL; sm = sm->next)
+ {
+ if (sm->type != DETECT_CONTENT)
+ continue;
+
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
+
+ uint32_t u;
+ for (u = 0; u < cd->content_len; u++)
+ {
+ if (isupper(cd->content[u])) {
+ cd->content[u] = tolower(cd->content[u]);
+ }
+ }
+
+ SpmDestroyCtx(cd->spm_ctx);
+ cd->spm_ctx = SpmInitCtx(cd->content, cd->content_len, 1,
+ de_ctx->spm_global_thread_ctx);
+ }
+}
+
+/**
+ * \brief Registration function for hasshServer keyword.
+ */
+void DetectSshHasshServerRegister(void)
+{
+ sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].alias = KEYWORD_ALIAS;
+ sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].desc = BUFFER_NAME " sticky buffer";
+ sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].RegisterTests = NULL;
+ sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].Setup = DetectSshHasshServerSetup;
+ sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
+
+ DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2,
+ PrefilterGenericMpmRegister, GetSshData,
+ ALPROTO_SSH, SshStateBannerDone);
+ DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH,
+ SIG_FLAG_TOCLIENT, SshStateBannerDone,
+ DetectEngineInspectBufferGeneric, GetSshData);
+ DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
+
+ g_ssh_hassh_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
+
+ DetectBufferTypeRegisterSetupCallback(BUFFER_NAME, DetectSshHasshServerHashSetupCallback);
+ DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectSshHasshServerHashValidateCallback);
+}
--- /dev/null
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Malakhatko Vadym <v.malakhatko@sirinsoftware.com>
+ */
+
+#ifndef __DETECT_SSH_HASSH_SERVER_H__
+#define __DETECT_SSH_HASSH_SERVER_H__
+
+/* prototypes */
+void DetectSshHasshServerRegister (void);
+
+#endif /* __DETECT_SSH_HASSH_SERVER_H__ */
+
--- /dev/null
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Vadym Malakhatko <v.malakhatko@sirinsoftware.com>
+ */
+
+#include "suricata-common.h"
+#include "threads.h"
+#include "debug.h"
+#include "decode.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+#include "detect-engine-state.h"
+#include "detect-engine-prefilter.h"
+
+#include "flow.h"
+#include "flow-var.h"
+#include "flow-util.h"
+
+#include "util-debug.h"
+#include "util-unittest.h"
+#include "util-unittest-helper.h"
+#include "stream-tcp.h"
+#include "app-layer.h"
+#include "app-layer-parser.h"
+#include "app-layer-ssh.h"
+#include "detect-ssh-hassh-string.h"
+#include "rust.h"
+
+
+#define KEYWORD_NAME "ssh.hassh.string"
+#define KEYWORD_ALIAS "ssh-hassh-string"
+#define KEYWORD_DOC "ssh-keywords.html#hassh.string"
+#define BUFFER_NAME "ssh.hassh.string"
+#define BUFFER_DESC "Ssh Client Key Exchange methods For ssh Clients "
+static int g_ssh_hassh_string_buffer_id = 0;
+
+
+static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f,
+ const uint8_t flow_flags, void *txv, const int list_id)
+{
+
+ SCEnter();
+
+ InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+
+ if (buffer->inspect == NULL) {
+ const uint8_t *hassh = NULL;
+ uint32_t b_len = 0;
+
+ if (rs_ssh_tx_get_hassh_string(txv, &hassh, &b_len, flow_flags) != 1)
+ return NULL;
+ if (hassh == NULL || b_len == 0) {
+ SCLogDebug("SSH hassh string is not set");
+ return NULL;
+ }
+
+ InspectionBufferSetup(buffer, hassh, b_len);
+ InspectionBufferApplyTransforms(buffer, transforms);
+ }
+
+ return buffer;
+}
+
+/**
+ * \brief this function setup the hassh.string modifier keyword used in the rule
+ *
+ * \param de_ctx Pointer to the Detection Engine Context
+ * \param s Pointer to the Signature to which the current keyword belongs
+ * \param str Should hold an empty string always
+ *
+ * \retval 0 On success
+ * \retval -1 On failure
+ * \retval -2 on failure that should be silent after the first
+ */
+static int DetectSshHasshStringSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
+{
+ if (DetectBufferSetActiveList(s, g_ssh_hassh_string_buffer_id) < 0)
+ return -1;
+
+ if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0)
+ return -1;
+
+ /* try to enable Hassh */
+ rs_ssh_enable_hassh();
+
+ /* Check if Hassh is disabled */
+ if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
+ if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_STRING)) {
+ SCLogError(SC_WARN_HASSH_DISABLED, "hassh support is not enabled");
+ }
+ return -2;
+ }
+
+ return 0;
+
+}
+
+/**
+ * \brief Registration function for hassh.string keyword.
+ */
+void DetectSshHasshStringRegister(void)
+{
+ sigmatch_table[DETECT_AL_SSH_HASSH_STRING].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_AL_SSH_HASSH_STRING].alias = KEYWORD_ALIAS;
+ sigmatch_table[DETECT_AL_SSH_HASSH_STRING].desc = BUFFER_NAME " sticky buffer";
+ sigmatch_table[DETECT_AL_SSH_HASSH_STRING].RegisterTests = NULL;
+ sigmatch_table[DETECT_AL_SSH_HASSH_STRING].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_AL_SSH_HASSH_STRING].Setup = DetectSshHasshStringSetup;
+ sigmatch_table[DETECT_AL_SSH_HASSH_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
+
+
+ DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
+ PrefilterGenericMpmRegister, GetSshData,
+ ALPROTO_SSH, SshStateBannerDone);
+ DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH,
+ SIG_FLAG_TOSERVER, SshStateBannerDone,
+ DetectEngineInspectBufferGeneric, GetSshData);
+
+ DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
+
+ g_ssh_hassh_string_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
+}
--- /dev/null
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Vadym Malakhatko <v.malakhatko@sirinsoftware.com>
+ */
+
+#ifndef __DETECT_SSH_HASSH_STRING_H__
+#define __DETECT_SSH_HASSH_STRING_H__
+
+/* prototypes */
+void DetectSshHasshStringRegister (void);
+
+#endif /* __DETECT_SSH_HASSH_STRING_H__ */
--- /dev/null
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Vadym Malakhatko <v.malakhatko@sirinsoftware.com>
+ */
+
+#include "suricata-common.h"
+#include "threads.h"
+#include "debug.h"
+#include "decode.h"
+
+#include "detect.h"
+#include "detect-parse.h"
+
+#include "detect-engine.h"
+#include "detect-engine-mpm.h"
+#include "detect-engine-state.h"
+#include "detect-engine-prefilter.h"
+
+#include "flow.h"
+#include "flow-var.h"
+#include "flow-util.h"
+
+#include "util-debug.h"
+#include "util-unittest.h"
+#include "util-unittest-helper.h"
+#include "stream-tcp.h"
+#include "app-layer.h"
+#include "app-layer-parser.h"
+#include "app-layer-ssh.h"
+#include "detect-ssh-hassh.h"
+#include "rust.h"
+
+
+#define KEYWORD_NAME "ssh.hassh"
+#define KEYWORD_ALIAS "ssh-hassh"
+#define KEYWORD_DOC "ssh-keywords.html#hassh"
+#define BUFFER_NAME "ssh.hassh"
+#define BUFFER_DESC "Ssh Client Fingerprinting For Ssh Clients "
+static int g_ssh_hassh_buffer_id = 0;
+
+
+static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
+ const DetectEngineTransforms *transforms, Flow *_f,
+ const uint8_t flow_flags, void *txv, const int list_id)
+{
+
+ SCEnter();
+
+ InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
+
+ if (buffer->inspect == NULL) {
+ const uint8_t *hassh = NULL;
+ uint32_t b_len = 0;
+
+ if (rs_ssh_tx_get_hassh(txv, &hassh, &b_len, flow_flags) != 1)
+ return NULL;
+ if (hassh == NULL || b_len == 0) {
+ SCLogDebug("SSH hassh not set");
+ return NULL;
+ }
+
+ InspectionBufferSetup(buffer, hassh, b_len);
+ InspectionBufferApplyTransforms(buffer, transforms);
+ }
+
+ return buffer;
+}
+
+/**
+ * \brief this function setup the hassh modifier keyword used in the rule
+ *
+ * \param de_ctx Pointer to the Detection Engine Context
+ * \param s Pointer to the Signature to which the current keyword belongs
+ * \param str Should hold an empty string always
+ *
+ * \retval 0 On success
+ * \retval -1 On failure
+ * \retval -2 on failure that should be silent after the first
+ */
+static int DetectSshHasshSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
+{
+ if (DetectBufferSetActiveList(s, g_ssh_hassh_buffer_id) < 0)
+ return -1;
+
+ if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0)
+ return -1;
+
+ /* try to enable Hassh */
+ rs_ssh_enable_hassh();
+
+ /* Check if Hassh is disabled */
+ if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
+ if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH)) {
+ SCLogError(SC_WARN_HASSH_DISABLED, "hassh support is not enabled");
+ }
+ return -2;
+ }
+
+ return 0;
+
+}
+
+
+static bool DetectSshHasshHashValidateCallback(const Signature *s,
+ const char **sigerror)
+{
+ const SigMatch *sm = s->init_data->smlists[g_ssh_hassh_buffer_id];
+ for ( ; sm != NULL; sm = sm->next)
+ {
+ if (sm->type != DETECT_CONTENT)
+ continue;
+
+ const DetectContentData *cd = (DetectContentData *)sm->ctx;
+
+ if (cd->flags & DETECT_CONTENT_NOCASE) {
+ *sigerror = "ssh.hassh should not be used together with "
+ "nocase, since the rule is automatically "
+ "lowercased anyway which makes nocase redundant.";
+ SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
+ }
+
+ if (cd->content_len != 32)
+ {
+ *sigerror = "Invalid length of the specified ssh.hassh (should "
+ "be 32 characters long). This rule will therefore "
+ "never match.";
+ SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
+ return FALSE;
+ }
+ for (size_t i = 0; i < cd->content_len; ++i)
+ {
+ if(!isxdigit(cd->content[i]))
+ {
+ *sigerror = "Invalid ssh.hassh string (should be string of hexademical characters)."
+ "This rule will therefore never match.";
+ SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror);
+ return FALSE;
+ }
+ }
+ }
+
+ return TRUE;
+}
+
+static void DetectSshHasshHashSetupCallback(const DetectEngineCtx *de_ctx,
+ Signature *s)
+{
+ SigMatch *sm = s->init_data->smlists[g_ssh_hassh_buffer_id];
+ for ( ; sm != NULL; sm = sm->next)
+ {
+ if (sm->type != DETECT_CONTENT)
+ continue;
+
+ DetectContentData *cd = (DetectContentData *)sm->ctx;
+
+ uint32_t u;
+ for (u = 0; u < cd->content_len; u++)
+ {
+ if (isupper(cd->content[u])) {
+ cd->content[u] = tolower(cd->content[u]);
+ }
+ }
+
+ SpmDestroyCtx(cd->spm_ctx);
+ cd->spm_ctx = SpmInitCtx(cd->content, cd->content_len, 1,
+ de_ctx->spm_global_thread_ctx);
+ }
+}
+
+/**
+ * \brief Registration function for hassh keyword.
+ */
+void DetectSshHasshRegister(void)
+{
+ sigmatch_table[DETECT_AL_SSH_HASSH].name = KEYWORD_NAME;
+ sigmatch_table[DETECT_AL_SSH_HASSH].alias = KEYWORD_ALIAS;
+ sigmatch_table[DETECT_AL_SSH_HASSH].desc = BUFFER_NAME " sticky buffer";
+ sigmatch_table[DETECT_AL_SSH_HASSH].RegisterTests = NULL;
+ sigmatch_table[DETECT_AL_SSH_HASSH].url = "/rules/" KEYWORD_DOC;
+ sigmatch_table[DETECT_AL_SSH_HASSH].Setup = DetectSshHasshSetup;
+ sigmatch_table[DETECT_AL_SSH_HASSH].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
+
+
+ DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2,
+ PrefilterGenericMpmRegister, GetSshData,
+ ALPROTO_SSH, SshStateBannerDone),
+ DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH,
+ SIG_FLAG_TOSERVER, SshStateBannerDone,
+ DetectEngineInspectBufferGeneric, GetSshData);
+ DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
+
+ g_ssh_hassh_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
+
+ DetectBufferTypeRegisterSetupCallback(BUFFER_NAME, DetectSshHasshHashSetupCallback);
+ DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectSshHasshHashValidateCallback);
+}
+
--- /dev/null
+/* Copyright (C) 2007-2020 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Malakhatko Vadym <v.malakhatko@sirinsoftware.com>
+ */
+
+#ifndef __DETECT_SSH_HASSH_H__
+#define __DETECT_SSH_HASSH_H__
+
+/* prototypes */
+void DetectSshHasshRegister (void);
+
+#endif /* __DETECT_SSH_HASSH_H__ */
CASE_CODE (SC_WARN_REGISTRATION_FAILED);
CASE_CODE (SC_ERR_ERF_BAD_RLEN);
CASE_CODE (SC_WARN_ERSPAN_CONFIG);
+ CASE_CODE (SC_WARN_HASSH_DISABLED);
CASE_CODE (SC_ERR_MAX);
}
SC_WARN_REGISTRATION_FAILED,
SC_ERR_ERF_BAD_RLEN,
SC_WARN_ERSPAN_CONFIG,
+ SC_WARN_HASSH_DISABLED,
SC_ERR_MAX
} SCError;
projects / thirdparty / suricata.git / commitdiff
