From: Philippe Antoine Date: Tue, 26 May 2020 06:46:24 +0000 (+0200) Subject: ssh: handles incomplete record after banner X-Git-Tag: suricata-6.0.0-beta1~401 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6373071aa3a79579b45884a0bb21452d0641fbcf;p=thirdparty%2Fsuricata.git ssh: handles incomplete record after banner To signal incomplete data, we must return the number of consumed bytes. When we get a banner and some records, we have to take into account the number of bytes already consumed by the banner parsing before reaching an incomplete record.
---
diff --git a/rust/src/ssh/ssh.rs b/rust/src/ssh/ssh.rs
index eba07c63c6..1f8601ecf8 100644
--- a/rust/src/ssh/ssh.rs
+++ b/rust/src/ssh/ssh.rs
@@ -224,7 +224,16 @@ impl SSHState {
 if hdr.flags == SSHConnectionState::SshStateBannerWaitEol {
 match parser::ssh_parse_line(input) {
 Ok((rem, _)) => {
- return self.parse_record(rem, resp, pstate);
+ let r = self.parse_record(rem, resp, pstate);
+ if r.status == 1 {
+ //adds bytes consumed by banner to incomplete result
+ return AppLayerResult::incomplete(
+ r.consumed + (input.len() - rem.len()) as u32,
+ r.needed,
+ );
+ } else {
+ return r;
+ }
 }
 Err(nom::Err::Incomplete(_)) => {
 return AppLayerResult::incomplete(0 as u32, (input.len() + 1) as u32);
@@ -257,7 +266,16 @@ impl SSHState {
 );
 self.set_event(SSHEvent::LongBanner);
 }
- return self.parse_record(rem, resp, pstate);
+ let r = self.parse_record(rem, resp, pstate);
+ if r.status == 1 {
+ //adds bytes consumed by banner to incomplete result
+ return AppLayerResult::incomplete(
+ r.consumed + (input.len() - rem.len()) as u32,
+ r.needed,
+ );
+ } else {
+ return r;
+ }
 }
 Err(nom::Err::Incomplete(_)) => {
 if input.len() < SSH_MAX_BANNER_LEN {
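Review bot: The ten-line incomplete-result adjustment added in the first hunk (`let r = self.parse_record(rem, resp, pstate);` through `return r;`) is repeated verbatim in the second hunk at +266, so the consumed-offset rule that this fix introduces now lives in two places that can drift apart; a small helper, sketched below, keeps it in one. The test `r.status == 1` relies on the reader knowing which status value means "incomplete"; if the `AppLayerResult` type already exposes a named predicate or constant for that status, using it would be clearer than the bare literal. The offset `input.len() - rem.len()` presumably holds because `rem` is the remainder `ssh_parse_line` returned from `input`, which the hunk does not show; the helper's doc comment states that precondition so a future caller does not pass an unrelated slice. The enclosing method starts before and ends after both hunks.
```rust
/// Folds the bytes the banner parser already consumed into an incomplete
/// record result, so the caller resumes after the banner instead of
/// re-reading it. `banner_len` must be `input.len() - rem.len()` for the
/// `rem` that `ssh_parse_line` returned from `input`; other results pass
/// through untouched.
fn offset_incomplete(r: AppLayerResult, banner_len: usize) -> AppLayerResult {
    // 1 is the status value the existing code treats as "incomplete".
    if r.status == 1 {
        AppLayerResult::incomplete(r.consumed + banner_len as u32, r.needed)
    } else {
        r
    }
}

// … in both banner arms, replacing the duplicated block …
let r = self.parse_record(rem, resp, pstate);
return offset_incomplete(r, input.len() - rem.len());
```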