From: Vadym Malakhatko Date: Tue, 30 Jun 2020 10:20:52 +0000 (+0300) Subject: detect: add (mpm) hassh keywords X-Git-Tag: suricata-6.0.0-beta1~256 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=216a75c52233432b97b9dc424cbf62c98a335e87;p=thirdparty%2Fsuricata.git detect: add (mpm) hassh keywords Match on Hassh using ssh.hassh, ssh.hassh.server, ssh.hassh.string, ssh.hassh.server.string keywords, e.g: alert ssh any any -> any any (msg:"match SSH hash"; ssh.hassh; content:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; sid:1000010;) alert ssh any any -> any any (msg:"match SSH hash-server"; ssh.hassh.server; content:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; sid:1000020;) alert ssh any any -> any any (msg:"match SSH hash-string"; ssh.hassh.string; content:"none,zlib@openssh.com,zlib"; sid:1000030;) alert ssh any any -> any any (msg:"match SSH hash-server-string"; ssh.hassh.server.string; content:"umac-64-etm@openssh.com,umac-128-etm@openssh.com,"; sid:1000040;) --- diff --git a/src/Makefile.am b/src/Makefile.am index 927aa49855..1e84d85955 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -262,6 +262,10 @@ detect-ssh-proto.c detect-ssh-proto.h \ detect-ssh-proto-version.c detect-ssh-proto-version.h \ detect-ssh-software.c detect-ssh-software.h \ detect-ssh-software-version.c detect-ssh-software-version.h \ +detect-ssh-hassh.c detect-ssh-hassh.h \ +detect-ssh-hassh-server.c detect-ssh-hassh-server.h \ +detect-ssh-hassh-string.c detect-ssh-hassh-string.h \ +detect-ssh-hassh-server-string.c detect-ssh-hassh-server-string.h \ detect-smb-share.c detect-smb-share.h \ detect-ssl-state.c detect-ssl-state.h \ detect-ssl-version.c detect-ssl-version.h \ diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c index 320ce6d395..8f754d90d9 100644 --- a/src/detect-engine-register.c +++ b/src/detect-engine-register.c @@ -223,6 +223,10 @@ #include "detect-ssh-proto-version.h" #include "detect-ssh-software.h" #include "detect-ssh-software-version.h" +#include "detect-ssh-hassh.h" +#include "detect-ssh-hassh-server.h" +#include "detect-ssh-hassh-string.h" +#include "detect-ssh-hassh-server-string.h" #include "detect-http-stat-code.h" #include "detect-ssl-version.h" #include "detect-ssl-state.h" @@ -536,6 +540,10 @@ void SigTableSetup(void) DetectSshVersionRegister(); DetectSshSoftwareRegister(); DetectSshSoftwareVersionRegister(); + DetectSshHasshRegister(); + DetectSshHasshServerRegister(); + DetectSshHasshStringRegister(); + DetectSshHasshServerStringRegister(); DetectSslStateRegister(); DetectSslVersionRegister(); DetectByteExtractRegister(); diff --git a/src/detect-engine-register.h b/src/detect-engine-register.h index 842005814a..fe00c8ff5e 100644 --- a/src/detect-engine-register.h +++ b/src/detect-engine-register.h @@ -160,6 +160,10 @@ enum DetectKeywordId { DETECT_AL_SSH_PROTOVERSION, DETECT_AL_SSH_SOFTWARE, DETECT_AL_SSH_SOFTWAREVERSION, + DETECT_AL_SSH_HASSH, + DETECT_AL_SSH_HASSH_SERVER, + DETECT_AL_SSH_HASSH_STRING, + DETECT_AL_SSH_HASSH_SERVER_STRING, DETECT_AL_SSL_VERSION, DETECT_AL_SSL_STATE, DETECT_BYTE_EXTRACT, diff --git a/src/detect-ssh-hassh-server-string.c b/src/detect-ssh-hassh-server-string.c new file mode 100644 index 0000000000..583d08b90c --- /dev/null +++ b/src/detect-ssh-hassh-server-string.c @@ -0,0 +1,145 @@ +/* Copyright (C) 2007-2020 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Vadym Malakhatko + */ + +#include "suricata-common.h" +#include "threads.h" +#include "debug.h" +#include "decode.h" + +#include "detect.h" +#include "detect-parse.h" + +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "detect-engine-state.h" +#include "detect-engine-prefilter.h" + +#include "flow.h" +#include "flow-var.h" +#include "flow-util.h" +#include "stream-tcp.h" +#include "util-debug.h" +#include "util-unittest.h" +#include "util-unittest-helper.h" + +#include "app-layer.h" +#include "app-layer-parser.h" +#include "app-layer-ssh.h" +#include "detect-ssh-hassh-server-string.h" +#include "rust.h" + + +#define KEYWORD_NAME "ssh.hassh.server.string" +#define KEYWORD_ALIAS "ssh-hassh-server-string" +#define KEYWORD_DOC "ssh-keywords.html#ssh.hassh.server.string" +#define BUFFER_NAME "ssh.hassh.server.string" +#define BUFFER_DESC "Ssh Client Key Exchange methods For ssh Servers" +static int g_ssh_hassh_server_string_buffer_id = 0; + + +static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, + const DetectEngineTransforms *transforms, Flow *_f, + const uint8_t flow_flags, void *txv, const int list_id) +{ + + SCEnter(); + + InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); + + if (buffer->inspect == NULL) { + const uint8_t *hassh = NULL; + uint32_t b_len = 0; + + if (rs_ssh_tx_get_hassh_string(txv, &hassh, &b_len, flow_flags) != 1) + return NULL; + if (hassh == NULL || b_len == 0) { + SCLogDebug("SSH hassh string is not set"); + return NULL; + } + + InspectionBufferSetup(buffer, hassh, b_len); + InspectionBufferApplyTransforms(buffer, transforms); + } + + return buffer; +} + +/** + * \brief this function setup the ssh.hassh.server.string modifier keyword used in the rule + * + * \param de_ctx Pointer to the Detection Engine Context + * \param s Pointer to the Signature to which the current keyword belongs + * \param str Should hold an empty string always + * + * \retval 0 On success + * \retval -1 On failure + * \retval -2 on failure that should be silent after the first + */ +static int DetectSshHasshServerStringSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) +{ + if (DetectBufferSetActiveList(s, g_ssh_hassh_server_string_buffer_id) < 0) + return -1; + + if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0) + return -1; + + /* try to enable Hassh */ + rs_ssh_enable_hassh(); + + /* Check if Hassh is disabled */ + if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) { + if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_SERVER_STRING)) { + SCLogError(SC_WARN_HASSH_DISABLED, "hassh support is not enabled"); + } + return -2; + } + + return 0; + +} + +/** + * \brief Registration function for hasshServer.string keyword. + */ +void DetectSshHasshServerStringRegister(void) +{ + sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].name = KEYWORD_NAME; + sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].alias = KEYWORD_ALIAS; + sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].desc = BUFFER_NAME " sticky buffer"; + sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].RegisterTests = NULL; + sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].Setup = DetectSshHasshServerStringSetup; + sigmatch_table[DETECT_AL_SSH_HASSH_SERVER_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; + + + DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, + PrefilterGenericMpmRegister, GetSshData, + ALPROTO_SSH, SshStateBannerDone); + DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH, + SIG_FLAG_TOCLIENT, SshStateBannerDone, + DetectEngineInspectBufferGeneric, GetSshData); + + DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); + + g_ssh_hassh_server_string_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME); +} \ No newline at end of file diff --git a/src/detect-ssh-hassh-server-string.h b/src/detect-ssh-hassh-server-string.h new file mode 100644 index 0000000000..4c2adbb097 --- /dev/null +++ b/src/detect-ssh-hassh-server-string.h @@ -0,0 +1,30 @@ +/* Copyright (C) 2007-2020 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Malakhatko Vadym + */ + +#ifndef __DETECT_SSH_HASSH_SERVER_STRING_H__ +#define __DETECT_SSH_HASSH_SERVER_STRING_H__ + +/* prototypes */ +void DetectSshHasshServerStringRegister (void); + +#endif /* __DETECT_SSH_HASSH_SERVER_STRING_H__ */ diff --git a/src/detect-ssh-hassh-server.c b/src/detect-ssh-hassh-server.c new file mode 100644 index 0000000000..07d171e777 --- /dev/null +++ b/src/detect-ssh-hassh-server.c @@ -0,0 +1,213 @@ +/* Copyright (C) 2007-2020 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Vadym Malakhatko + */ + +#include "suricata-common.h" +#include "threads.h" +#include "debug.h" +#include "decode.h" + +#include "detect.h" +#include "detect-parse.h" + +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "detect-engine-state.h" +#include "detect-engine-prefilter.h" + +#include "flow.h" +#include "flow-var.h" +#include "flow-util.h" +#include "stream-tcp.h" +#include "util-debug.h" +#include "util-unittest.h" +#include "util-unittest-helper.h" + +#include "app-layer.h" +#include "app-layer-parser.h" +#include "app-layer-ssh.h" +#include "detect-ssh-hassh-server.h" +#include "rust.h" + + +#define KEYWORD_NAME "ssh.hassh.server" +#define KEYWORD_ALIAS "ssh-hassh-server" +#define KEYWORD_DOC "ssh-keywords.html#ssh.hassh.server" +#define BUFFER_NAME "ssh.hassh.server" +#define BUFFER_DESC "Ssh Client Fingerprinting For Ssh Servers" +static int g_ssh_hassh_buffer_id = 0; + + +static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, + const DetectEngineTransforms *transforms, Flow *_f, + const uint8_t flow_flags, void *txv, const int list_id) +{ + + SCEnter(); + + InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); + + if (buffer->inspect == NULL) { + const uint8_t *hasshServer = NULL; + uint32_t b_len = 0; + + if (rs_ssh_tx_get_hassh(txv, &hasshServer, &b_len, flow_flags) != 1) + return NULL; + if (hasshServer == NULL || b_len == 0) { + SCLogDebug("SSH hassh not set"); + return NULL; + } + + InspectionBufferSetup(buffer, hasshServer, b_len); + InspectionBufferApplyTransforms(buffer, transforms); + } + + return buffer; +} + +/** + * \brief this function setup the ssh.hassh.server modifier keyword used in the rule + * + * \param de_ctx Pointer to the Detection Engine Context + * \param s Pointer to the Signature to which the current keyword belongs + * \param str Should hold an empty string always + * + * \retval 0 On success + * \retval -1 On failure + * \retval -2 on failure that should be silent after the first + */ +static int DetectSshHasshServerSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) +{ + if (DetectBufferSetActiveList(s, g_ssh_hassh_buffer_id) < 0) + return -1; + + if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0) + return -1; + + /* try to enable Hassh */ + rs_ssh_enable_hassh(); + + /* Check if Hassh is disabled */ + if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) { + if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_SERVER)) { + SCLogError(SC_WARN_HASSH_DISABLED, "hassh support is not enabled"); + } + return -2; + } + + return 0; + +} + + +static _Bool DetectSshHasshServerHashValidateCallback(const Signature *s, + const char **sigerror) +{ + const SigMatch *sm = s->init_data->smlists[g_ssh_hassh_buffer_id]; + for ( ; sm != NULL; sm = sm->next) + { + if (sm->type != DETECT_CONTENT) + continue; + + const DetectContentData *cd = (DetectContentData *)sm->ctx; + + if (cd->flags & DETECT_CONTENT_NOCASE) { + *sigerror = "ssh.hassh.server should not be used together with " + "nocase, since the rule is automatically " + "lowercased anyway which makes nocase redundant."; + SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror); + } + + if (cd->content_len != 32) + { + *sigerror = "Invalid length of the specified ssh.hassh.server (should " + "be 32 characters long). This rule will therefore " + "never match."; + SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror); + return FALSE; + } + for (size_t i = 0; i < cd->content_len; ++i) + { + if(!isxdigit(cd->content[i])) + { + *sigerror = "Invalid ssh.hassh.server string (should be string of hexademical characters)." + "This rule will therefore never match."; + SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror); + return FALSE; + } + } + } + + return TRUE; +} + +static void DetectSshHasshServerHashSetupCallback(const DetectEngineCtx *de_ctx, + Signature *s) +{ + SigMatch *sm = s->init_data->smlists[g_ssh_hassh_buffer_id]; + for ( ; sm != NULL; sm = sm->next) + { + if (sm->type != DETECT_CONTENT) + continue; + + DetectContentData *cd = (DetectContentData *)sm->ctx; + + uint32_t u; + for (u = 0; u < cd->content_len; u++) + { + if (isupper(cd->content[u])) { + cd->content[u] = tolower(cd->content[u]); + } + } + + SpmDestroyCtx(cd->spm_ctx); + cd->spm_ctx = SpmInitCtx(cd->content, cd->content_len, 1, + de_ctx->spm_global_thread_ctx); + } +} + +/** + * \brief Registration function for hasshServer keyword. + */ +void DetectSshHasshServerRegister(void) +{ + sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].name = KEYWORD_NAME; + sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].alias = KEYWORD_ALIAS; + sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].desc = BUFFER_NAME " sticky buffer"; + sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].RegisterTests = NULL; + sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].Setup = DetectSshHasshServerSetup; + sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; + + DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, + PrefilterGenericMpmRegister, GetSshData, + ALPROTO_SSH, SshStateBannerDone); + DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH, + SIG_FLAG_TOCLIENT, SshStateBannerDone, + DetectEngineInspectBufferGeneric, GetSshData); + DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); + + g_ssh_hassh_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME); + + DetectBufferTypeRegisterSetupCallback(BUFFER_NAME, DetectSshHasshServerHashSetupCallback); + DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectSshHasshServerHashValidateCallback); +} diff --git a/src/detect-ssh-hassh-server.h b/src/detect-ssh-hassh-server.h new file mode 100644 index 0000000000..6be1055ae1 --- /dev/null +++ b/src/detect-ssh-hassh-server.h @@ -0,0 +1,31 @@ +/* Copyright (C) 2007-2020 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Malakhatko Vadym + */ + +#ifndef __DETECT_SSH_HASSH_SERVER_H__ +#define __DETECT_SSH_HASSH_SERVER_H__ + +/* prototypes */ +void DetectSshHasshServerRegister (void); + +#endif /* __DETECT_SSH_HASSH_SERVER_H__ */ + diff --git a/src/detect-ssh-hassh-string.c b/src/detect-ssh-hassh-string.c new file mode 100644 index 0000000000..5ab6605d82 --- /dev/null +++ b/src/detect-ssh-hassh-string.c @@ -0,0 +1,145 @@ +/* Copyright (C) 2007-2020 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Vadym Malakhatko + */ + +#include "suricata-common.h" +#include "threads.h" +#include "debug.h" +#include "decode.h" + +#include "detect.h" +#include "detect-parse.h" + +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "detect-engine-state.h" +#include "detect-engine-prefilter.h" + +#include "flow.h" +#include "flow-var.h" +#include "flow-util.h" + +#include "util-debug.h" +#include "util-unittest.h" +#include "util-unittest-helper.h" +#include "stream-tcp.h" +#include "app-layer.h" +#include "app-layer-parser.h" +#include "app-layer-ssh.h" +#include "detect-ssh-hassh-string.h" +#include "rust.h" + + +#define KEYWORD_NAME "ssh.hassh.string" +#define KEYWORD_ALIAS "ssh-hassh-string" +#define KEYWORD_DOC "ssh-keywords.html#hassh.string" +#define BUFFER_NAME "ssh.hassh.string" +#define BUFFER_DESC "Ssh Client Key Exchange methods For ssh Clients " +static int g_ssh_hassh_string_buffer_id = 0; + + +static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, + const DetectEngineTransforms *transforms, Flow *_f, + const uint8_t flow_flags, void *txv, const int list_id) +{ + + SCEnter(); + + InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); + + if (buffer->inspect == NULL) { + const uint8_t *hassh = NULL; + uint32_t b_len = 0; + + if (rs_ssh_tx_get_hassh_string(txv, &hassh, &b_len, flow_flags) != 1) + return NULL; + if (hassh == NULL || b_len == 0) { + SCLogDebug("SSH hassh string is not set"); + return NULL; + } + + InspectionBufferSetup(buffer, hassh, b_len); + InspectionBufferApplyTransforms(buffer, transforms); + } + + return buffer; +} + +/** + * \brief this function setup the hassh.string modifier keyword used in the rule + * + * \param de_ctx Pointer to the Detection Engine Context + * \param s Pointer to the Signature to which the current keyword belongs + * \param str Should hold an empty string always + * + * \retval 0 On success + * \retval -1 On failure + * \retval -2 on failure that should be silent after the first + */ +static int DetectSshHasshStringSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) +{ + if (DetectBufferSetActiveList(s, g_ssh_hassh_string_buffer_id) < 0) + return -1; + + if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0) + return -1; + + /* try to enable Hassh */ + rs_ssh_enable_hassh(); + + /* Check if Hassh is disabled */ + if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) { + if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_STRING)) { + SCLogError(SC_WARN_HASSH_DISABLED, "hassh support is not enabled"); + } + return -2; + } + + return 0; + +} + +/** + * \brief Registration function for hassh.string keyword. + */ +void DetectSshHasshStringRegister(void) +{ + sigmatch_table[DETECT_AL_SSH_HASSH_STRING].name = KEYWORD_NAME; + sigmatch_table[DETECT_AL_SSH_HASSH_STRING].alias = KEYWORD_ALIAS; + sigmatch_table[DETECT_AL_SSH_HASSH_STRING].desc = BUFFER_NAME " sticky buffer"; + sigmatch_table[DETECT_AL_SSH_HASSH_STRING].RegisterTests = NULL; + sigmatch_table[DETECT_AL_SSH_HASSH_STRING].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_AL_SSH_HASSH_STRING].Setup = DetectSshHasshStringSetup; + sigmatch_table[DETECT_AL_SSH_HASSH_STRING].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; + + + DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, + PrefilterGenericMpmRegister, GetSshData, + ALPROTO_SSH, SshStateBannerDone); + DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH, + SIG_FLAG_TOSERVER, SshStateBannerDone, + DetectEngineInspectBufferGeneric, GetSshData); + + DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); + + g_ssh_hassh_string_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME); +} diff --git a/src/detect-ssh-hassh-string.h b/src/detect-ssh-hassh-string.h new file mode 100644 index 0000000000..b3cebcd709 --- /dev/null +++ b/src/detect-ssh-hassh-string.h @@ -0,0 +1,30 @@ +/* Copyright (C) 2007-2020 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Vadym Malakhatko + */ + +#ifndef __DETECT_SSH_HASSH_STRING_H__ +#define __DETECT_SSH_HASSH_STRING_H__ + +/* prototypes */ +void DetectSshHasshStringRegister (void); + +#endif /* __DETECT_SSH_HASSH_STRING_H__ */ diff --git a/src/detect-ssh-hassh.c b/src/detect-ssh-hassh.c new file mode 100644 index 0000000000..8d482e7543 --- /dev/null +++ b/src/detect-ssh-hassh.c @@ -0,0 +1,215 @@ +/* Copyright (C) 2007-2020 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Vadym Malakhatko + */ + +#include "suricata-common.h" +#include "threads.h" +#include "debug.h" +#include "decode.h" + +#include "detect.h" +#include "detect-parse.h" + +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "detect-engine-state.h" +#include "detect-engine-prefilter.h" + +#include "flow.h" +#include "flow-var.h" +#include "flow-util.h" + +#include "util-debug.h" +#include "util-unittest.h" +#include "util-unittest-helper.h" +#include "stream-tcp.h" +#include "app-layer.h" +#include "app-layer-parser.h" +#include "app-layer-ssh.h" +#include "detect-ssh-hassh.h" +#include "rust.h" + + +#define KEYWORD_NAME "ssh.hassh" +#define KEYWORD_ALIAS "ssh-hassh" +#define KEYWORD_DOC "ssh-keywords.html#hassh" +#define BUFFER_NAME "ssh.hassh" +#define BUFFER_DESC "Ssh Client Fingerprinting For Ssh Clients " +static int g_ssh_hassh_buffer_id = 0; + + +static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, + const DetectEngineTransforms *transforms, Flow *_f, + const uint8_t flow_flags, void *txv, const int list_id) +{ + + SCEnter(); + + InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); + + if (buffer->inspect == NULL) { + const uint8_t *hassh = NULL; + uint32_t b_len = 0; + + if (rs_ssh_tx_get_hassh(txv, &hassh, &b_len, flow_flags) != 1) + return NULL; + if (hassh == NULL || b_len == 0) { + SCLogDebug("SSH hassh not set"); + return NULL; + } + + InspectionBufferSetup(buffer, hassh, b_len); + InspectionBufferApplyTransforms(buffer, transforms); + } + + return buffer; +} + +/** + * \brief this function setup the hassh modifier keyword used in the rule + * + * \param de_ctx Pointer to the Detection Engine Context + * \param s Pointer to the Signature to which the current keyword belongs + * \param str Should hold an empty string always + * + * \retval 0 On success + * \retval -1 On failure + * \retval -2 on failure that should be silent after the first + */ +static int DetectSshHasshSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) +{ + if (DetectBufferSetActiveList(s, g_ssh_hassh_buffer_id) < 0) + return -1; + + if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0) + return -1; + + /* try to enable Hassh */ + rs_ssh_enable_hassh(); + + /* Check if Hassh is disabled */ + if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) { + if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH)) { + SCLogError(SC_WARN_HASSH_DISABLED, "hassh support is not enabled"); + } + return -2; + } + + return 0; + +} + + +static bool DetectSshHasshHashValidateCallback(const Signature *s, + const char **sigerror) +{ + const SigMatch *sm = s->init_data->smlists[g_ssh_hassh_buffer_id]; + for ( ; sm != NULL; sm = sm->next) + { + if (sm->type != DETECT_CONTENT) + continue; + + const DetectContentData *cd = (DetectContentData *)sm->ctx; + + if (cd->flags & DETECT_CONTENT_NOCASE) { + *sigerror = "ssh.hassh should not be used together with " + "nocase, since the rule is automatically " + "lowercased anyway which makes nocase redundant."; + SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror); + } + + if (cd->content_len != 32) + { + *sigerror = "Invalid length of the specified ssh.hassh (should " + "be 32 characters long). This rule will therefore " + "never match."; + SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror); + return FALSE; + } + for (size_t i = 0; i < cd->content_len; ++i) + { + if(!isxdigit(cd->content[i])) + { + *sigerror = "Invalid ssh.hassh string (should be string of hexademical characters)." + "This rule will therefore never match."; + SCLogWarning(SC_WARN_POOR_RULE, "rule %u: %s", s->id, *sigerror); + return FALSE; + } + } + } + + return TRUE; +} + +static void DetectSshHasshHashSetupCallback(const DetectEngineCtx *de_ctx, + Signature *s) +{ + SigMatch *sm = s->init_data->smlists[g_ssh_hassh_buffer_id]; + for ( ; sm != NULL; sm = sm->next) + { + if (sm->type != DETECT_CONTENT) + continue; + + DetectContentData *cd = (DetectContentData *)sm->ctx; + + uint32_t u; + for (u = 0; u < cd->content_len; u++) + { + if (isupper(cd->content[u])) { + cd->content[u] = tolower(cd->content[u]); + } + } + + SpmDestroyCtx(cd->spm_ctx); + cd->spm_ctx = SpmInitCtx(cd->content, cd->content_len, 1, + de_ctx->spm_global_thread_ctx); + } +} + +/** + * \brief Registration function for hassh keyword. + */ +void DetectSshHasshRegister(void) +{ + sigmatch_table[DETECT_AL_SSH_HASSH].name = KEYWORD_NAME; + sigmatch_table[DETECT_AL_SSH_HASSH].alias = KEYWORD_ALIAS; + sigmatch_table[DETECT_AL_SSH_HASSH].desc = BUFFER_NAME " sticky buffer"; + sigmatch_table[DETECT_AL_SSH_HASSH].RegisterTests = NULL; + sigmatch_table[DETECT_AL_SSH_HASSH].url = "/rules/" KEYWORD_DOC; + sigmatch_table[DETECT_AL_SSH_HASSH].Setup = DetectSshHasshSetup; + sigmatch_table[DETECT_AL_SSH_HASSH].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; + + + DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, + PrefilterGenericMpmRegister, GetSshData, + ALPROTO_SSH, SshStateBannerDone), + DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH, + SIG_FLAG_TOSERVER, SshStateBannerDone, + DetectEngineInspectBufferGeneric, GetSshData); + DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); + + g_ssh_hassh_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME); + + DetectBufferTypeRegisterSetupCallback(BUFFER_NAME, DetectSshHasshHashSetupCallback); + DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectSshHasshHashValidateCallback); +} + diff --git a/src/detect-ssh-hassh.h b/src/detect-ssh-hassh.h new file mode 100644 index 0000000000..07eb091258 --- /dev/null +++ b/src/detect-ssh-hassh.h @@ -0,0 +1,30 @@ +/* Copyright (C) 2007-2020 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Malakhatko Vadym + */ + +#ifndef __DETECT_SSH_HASSH_H__ +#define __DETECT_SSH_HASSH_H__ + +/* prototypes */ +void DetectSshHasshRegister (void); + +#endif /* __DETECT_SSH_HASSH_H__ */ diff --git a/src/util-error.c b/src/util-error.c index b4bcf54763..66339a5625 100644 --- a/src/util-error.c +++ b/src/util-error.c @@ -370,6 +370,7 @@ const char * SCErrorToString(SCError err) CASE_CODE (SC_WARN_REGISTRATION_FAILED); CASE_CODE (SC_ERR_ERF_BAD_RLEN); CASE_CODE (SC_WARN_ERSPAN_CONFIG); + CASE_CODE (SC_WARN_HASSH_DISABLED); CASE_CODE (SC_ERR_MAX); } diff --git a/src/util-error.h b/src/util-error.h index f8fac0d88e..8bc18b83f7 100644 --- a/src/util-error.h +++ b/src/util-error.h @@ -360,6 +360,7 @@ typedef enum { SC_WARN_REGISTRATION_FAILED, SC_ERR_ERF_BAD_RLEN, SC_WARN_ERSPAN_CONFIG, + SC_WARN_HASSH_DISABLED, SC_ERR_MAX } SCError;