static pcre_extra *parse_regex_study;
static int DetectSshVersionMatch (ThreadVars *, DetectEngineThreadCtx *,
- Flow *, uint8_t, void *,
- const Signature *, const SigMatchData *);
+ Flow *, uint8_t, void *, void *,
+ const Signature *, const SigMatchCtx *);
static int DetectSshVersionSetup (DetectEngineCtx *, Signature *, char *);
-void DetectSshVersionRegisterTests(void);
-void DetectSshVersionFree(void *);
+static void DetectSshVersionRegisterTests(void);
+static void DetectSshVersionFree(void *);
+static int g_ssh_banner_list_id = 0;
/**
* \brief Registration function for keyword: ssh.protoversion
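Review bot: The new file-scope `g_ssh_banner_list_id` is introduced with no comment saying what it is or that its initial 0 is only a placeholder until `DetectSshVersionRegister()` assigns the real list id, so a reader of `DetectSshVersionSetup()` later in this file cannot tell whether 0 is a valid list. I would add above it `/* sigmatch list id for the "ssh_banner" buffer; 0 until DetectSshVersionRegister() runs */`. If list id 0 is a real list in this engine (I cannot tell from this diff), a Setup call that somehow precedes registration would silently append to the wrong list, so the comment should also state that Register must run first.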
void DetectSshVersionRegister(void)
{
sigmatch_table[DETECT_AL_SSH_PROTOVERSION].name = "ssh.protoversion";
- sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Match = NULL;
- sigmatch_table[DETECT_AL_SSH_PROTOVERSION].AppLayerMatch = DetectSshVersionMatch;
+ sigmatch_table[DETECT_AL_SSH_PROTOVERSION].AppLayerTxMatch = DetectSshVersionMatch;
sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Setup = DetectSshVersionSetup;
sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Free = DetectSshVersionFree;
sigmatch_table[DETECT_AL_SSH_PROTOVERSION].RegisterTests = DetectSshVersionRegisterTests;
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
+
+ g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner");
}
/**
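Review bot: `DetectSshVersionRegister()` registers the "ssh_banner" buffer type and the Setup function appends its sigmatches to that list, but nothing in this file registers an inspection engine for it; as far as this diff shows, `ssh.protoversion` rules are only ever inspected because the `ssh.softwareversion` registration in the same commit calls `DetectAppLayerInspectEngineRegister("ssh_banner", ...)` for both directions. That cross-file dependency is invisible here and would fail silently if the other keyword's registration were removed or reordered. Either register the engine here as well (if the registration API tolerates a duplicate) or add a comment on the `DetectBufferTypeRegister` line: `/* the "ssh_banner" inspection engine is registered by the ssh.softwareversion keyword; both keywords share this list */`.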
* \retval 1 match
*/
static int DetectSshVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
- Flow *f, uint8_t flags, void *state,
- const Signature *s, const SigMatchData *m)
+ Flow *f, uint8_t flags, void *state, void *txv,
+ const Signature *s, const SigMatchCtx *m)
{
SCEnter();
- DetectSshVersionData *ssh = (DetectSshVersionData *)m->ctx;
+ DetectSshVersionData *ssh = (DetectSshVersionData *)m;
SshState *ssh_state = (SshState *)state;
if (ssh_state == NULL) {
SCLogDebug("no ssh state, no match");
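Review bot: The doc comment ending at ` * \retval 1 match` is not updated for the new signature: `txv` is a new parameter and `m` changed from `const SigMatchData *` to `const SigMatchCtx *`, so a `\param txv` line and a corrected description of `m` should be added. The function is now registered as an `AppLayerTxMatch` yet still reads its data from the flow-level `state` and ignores `txv`; if SSH keeps a single transaction per flow that is fine, but a one-line comment such as `/* txv unused: the banners live in the flow-level SshState */` would record the assumption. The body of `DetectSshVersionMatch` continues past the end of the hunk.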
DetectSshVersionData *ssh = NULL;
SigMatch *sm = NULL;
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+ return -1;
+ }
+
ssh = DetectSshVersionParse(str);
if (ssh == NULL)
goto error;
if (sm == NULL)
goto error;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
- goto error;
- }
-
sm->type = DETECT_AL_SSH_PROTOVERSION;
sm->ctx = (void *)ssh;
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
+ SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id);
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_SSH;
-/* Copyright (C) 2007-2014 Open Information Security Foundation
+/* Copyright (C) 2007-2016 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
static pcre_extra *parse_regex_study;
static int DetectSshSoftwareVersionMatch (ThreadVars *, DetectEngineThreadCtx *,
- Flow *, uint8_t, void *,
- const Signature *, const SigMatchData *);
+ Flow *, uint8_t, void *, void *,
+ const Signature *, const SigMatchCtx *);
static int DetectSshSoftwareVersionSetup (DetectEngineCtx *, Signature *, char *);
-void DetectSshSoftwareVersionRegisterTests(void);
-void DetectSshSoftwareVersionFree(void *);
-void DetectSshSoftwareVersionRegister(void);
+static void DetectSshSoftwareVersionRegisterTests(void);
+static void DetectSshSoftwareVersionFree(void *);
+static int g_ssh_banner_list_id = 0;
+
+static int InspectSshBanner(ThreadVars *tv,
+ DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
+ const Signature *s, const SigMatchData *smd,
+ Flow *f, uint8_t flags, void *alstate,
+ void *txv, uint64_t tx_id)
+{
+ return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd,
+ f, flags, alstate, txv, tx_id);
+}
/**
* \brief Registration function for keyword: ssh.softwareversion
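Review bot: `InspectSshBanner()` is added without the Doxygen header every other function in this file carries, although it is the callback handed to the inspection-engine registration further down. I would add above it `/** \brief Inspection-engine callback for the "ssh_banner" list; defers to DetectEngineInspectGenericList(), which presumably walks the list's sigmatches. */`. The new `g_ssh_banner_list_id` likewise deserves a comment noting that 0 is only a placeholder until `DetectSshSoftwareVersionRegister()` assigns the registered id.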
void DetectSshSoftwareVersionRegister(void)
{
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].name = "ssh.softwareversion";
- sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Match = NULL;
- sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].AppLayerMatch = DetectSshSoftwareVersionMatch;
+ sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].AppLayerTxMatch = DetectSshSoftwareVersionMatch;
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Setup = DetectSshSoftwareVersionSetup;
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Free = DetectSshSoftwareVersionFree;
sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].RegisterTests = DetectSshSoftwareVersionRegisterTests;
DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study);
+
+ g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner");
+
+ DetectAppLayerInspectEngineRegister("ssh_banner",
+ ALPROTO_SSH, SIG_FLAG_TOSERVER, InspectSshBanner);
+ DetectAppLayerInspectEngineRegister("ssh_banner",
+ ALPROTO_SSH, SIG_FLAG_TOCLIENT, InspectSshBanner);
}
/**
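Review bot: `DetectBufferTypeRegister("ssh_banner")` is called both here and in `DetectSshVersionRegister()`, and each Setup function appends to whatever id its own file received; this only works if the registration is keyed by name and returns the same id on the second call, which the diff does not show. If it does not, the two keywords land on different lists and only this file's list has an inspection engine. A comment on that line, `/* shared with ssh.protoversion: relies on DetectBufferTypeRegister() returning the same id for a repeated name */`, would pin the assumption; and if `DetectAppLayerInspectEngineRegister()` can report failure, the two calls here should check it or note why they do not.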
* \retval 1 match
*/
static int DetectSshSoftwareVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
- Flow *f, uint8_t flags, void *state,
- const Signature *s, const SigMatchData *m)
+ Flow *f, uint8_t flags, void *state, void *txv,
+ const Signature *s, const SigMatchCtx *m)
{
SCEnter();
- DetectSshSoftwareVersionData *ssh = (DetectSshSoftwareVersionData *)m->ctx;
+ DetectSshSoftwareVersionData *ssh = (DetectSshSoftwareVersionData *)m;
SshState *ssh_state = (SshState *)state;
if (ssh_state == NULL) {
SCLogDebug("no ssh state, no match");
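Review bot: The cast `(DetectSshSoftwareVersionData *)m` on the new line discards the `const` that `const SigMatchCtx *m` now carries, so the compiler no longer protects the keyword context from modification in the match path; unless the rest of the body writes through `ssh`, declare it `const DetectSshSoftwareVersionData *ssh = (const DetectSshSoftwareVersionData *)m;`. The doc comment above the signature also needs a `\param txv` entry for the new parameter. `DetectSshSoftwareVersionMatch` continues outside the hunk, so the remaining uses of `ssh` are not visible here.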
DetectSshSoftwareVersionData *ssh = NULL;
SigMatch *sm = NULL;
+ if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
+ SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
+ return -1;
+ }
+
ssh = DetectSshSoftwareVersionParse(str);
if (ssh == NULL)
goto error;
if (sm == NULL)
goto error;
- if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
- SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
- goto error;
- }
-
sm->type = DETECT_AL_SSH_SOFTWAREVERSION;
sm->ctx = (void *)ssh;
s->flags |= SIG_FLAG_APPLAYER;
s->alproto = ALPROTO_SSH;
- SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
+ SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id);
return 0;
*
* \param id_d pointer to DetectSshSoftwareVersionData
*/
-void DetectSshSoftwareVersionFree(void *ptr)
+static void DetectSshSoftwareVersionFree(void *ptr)
{
if (ptr == NULL)
return;
* \test DetectSshSoftwareVersionTestParse01 is a test to make sure that we parse
* a software version correctly
*/
-int DetectSshSoftwareVersionTestParse01 (void)
+static int DetectSshSoftwareVersionTestParse01 (void)
{
DetectSshSoftwareVersionData *ssh = NULL;
ssh = DetectSshSoftwareVersionParse("PuTTY_1.0");
* \test DetectSshSoftwareVersionTestParse02 is a test to make sure that we parse
* the software version correctly
*/
-int DetectSshSoftwareVersionTestParse02 (void)
+static int DetectSshSoftwareVersionTestParse02 (void)
{
DetectSshSoftwareVersionData *ssh = NULL;
ssh = DetectSshSoftwareVersionParse("\"SecureCRT-4.0\"");
* \test DetectSshSoftwareVersionTestParse03 is a test to make sure that we
* don't return a ssh_data with an empty value specified
*/
-int DetectSshSoftwareVersionTestParse03 (void)
+static int DetectSshSoftwareVersionTestParse03 (void)
{
DetectSshSoftwareVersionData *ssh = NULL;
ssh = DetectSshSoftwareVersionParse("");
/**
* \brief this function registers unit tests for DetectSshSoftwareVersion
*/
-void DetectSshSoftwareVersionRegisterTests(void)
+static void DetectSshSoftwareVersionRegisterTests(void)
{
#ifdef UNITTESTS /* UNITTESTS */
UtRegisterTest("DetectSshSoftwareVersionTestParse01",