From: Philippe Antoine Date: Mon, 28 Apr 2025 12:23:03 +0000 (+0200) Subject: lua: convert hassh function into suricata.hassh lib X-Git-Tag: suricata-8.0.0-rc1~401 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F13117%2Fhead;p=thirdparty%2Fsuricata.git lua: convert hassh function into suricata.hassh lib Ticket: 7603 We use suricata.ssh lib but also enable hassh. --- diff --git a/doc/userguide/lua/libs/ssh.rst b/doc/userguide/lua/libs/ssh.rst index 651bd67296..5b3a9b4956 100644 --- a/doc/userguide/lua/libs/ssh.rst +++ b/doc/userguide/lua/libs/ssh.rst @@ -6,6 +6,16 @@ SSH transaction details are exposes to Lua scripts with the local ssh = require("suricata.ssh") +If you want to use hassh, you can either set suricata.yaml option +``app-layer.protocols.ssh.hassh`` to true, +or specify it in the ``init`` function of your lua script +by calling ``ssh.enable_hassh()``:: + + function init (args) + ssh.enable_hassh() + return {} + end + For use in rule matching, the rule must **hook** into a SSH transaction state. Available states are listed in :ref:`ssh-hooks`. For example: 
@@ -95,3 +105,56 @@ Example:: local tx = ssh.get_tx() local software = tx:client_software(); print (software) + +``client_hassh()`` +^^^^^^^^^^^^^^^^^^ + +Should be used with ``ssh.enable_hassh()``. + +Get MD5 of hassh algorithms used by the client through client_hassh. + +Example:: + + local tx = ssh.get_tx() + local h = tx:client_hassh(); + print (h) + + +``client_hassh_string()`` +^^^^^^^^^^^^^^^^^^^^^^^^^ + +Should be used with ``ssh.enable_hassh()``. + +Get hassh algorithms used by the client through client_hassh_string. + +Example:: + + local tx = ssh.get_tx() + local h = tx:client_hassh_string(); + print (h) + +``server_hassh()`` +^^^^^^^^^^^^^^^^^^ + +Should be used with ``ssh.enable_hassh()``. + +Get MD5 of hassh algorithms used by the server through server_hassh. + +Example:: + + local tx = ssh.get_tx() + local h = tx:server_hassh(); + print (h) + +``server_hassh_string()`` +^^^^^^^^^^^^^^^^^^^^^^^^^ + +Should be used with ``ssh.enable_hassh()``. + +Get hassh algorithms used by the server through server_hassh_string. + +Example:: + + local tx = ssh.get_tx() + local h = tx:server_hassh_string(); + print (h) diff --git a/doc/userguide/lua/lua-functions.rst b/doc/userguide/lua/lua-functions.rst index 120b2ad01e..9cecddf57c 100644 --- a/doc/userguide/lua/lua-functions.rst +++ b/doc/userguide/lua/lua-functions.rst 
@@ -468,84 +468,6 @@ Or, for detection: return 0 end -SSH ---- - -Initialize with: - -:: - - function init (args) - local needs = {} - needs["protocol"] = "ssh" - return needs - end - -HasshGet -~~~~~~~~ - -Get MD5 of hassh algorithms used by the client through HasshGet. - -Example: - -:: - - function log (args) - hassh = HasshGet() - if hassh == nil then - return 0 - end - end - -HasshGetString -~~~~~~~~~~~~~~ - -Get hassh algorithms used by the client through HasshGetString. - -Example: - -:: - - function log (args) - hassh_string = HasshGetString() - if hassh == nil then - return 0 - end - end - -HasshServerGet -~~~~~~~~~~~~~~ - -Get MD5 of hassh algorithms used by the server through HasshServerGet. - -Example: - -:: - - function log (args) - hassh_string = HasshServerGet() - if hassh == nil then - return 0 - end - end - -HasshServerGetString -~~~~~~~~~~~~~~~~~~~~ - -Get hassh algorithms used by the server through HasshServerGetString. - -Example: - -:: - - function log (args) - hassh_string = HasshServerGetString() - if hassh == nil then - return 0 - end - end - - Files ----- diff --git a/src/Makefile.am b/src/Makefile.am index 31975ed1f7..c3b6a6c774 100755 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -530,7 +530,6 @@ noinst_HEADERS = \ util-lua-flowvarlib.h \ util-lua.h \ util-lua-hashlib.h \ - util-lua-hassh.h \ util-lua-http.h \ util-lua-ja3.h \ util-lua-packetlib.h \ @@ -1099,7 +1098,6 @@ libsuricata_c_a_SOURCES = \ util-lua-flowlib.c \ util-lua-flowvarlib.c \ util-lua-hashlib.c \ - util-lua-hassh.c \ util-lua-http.c \ util-lua-ja3.c \ util-lua-packetlib.c \ diff --git a/src/detect-lua-extensions.c b/src/detect-lua-extensions.c index dd6a9736b3..e92ca9c3bf 100644 --- a/src/detect-lua-extensions.c +++ b/src/detect-lua-extensions.c @@ -42,7 +42,6 @@ #include "util-lua-http.h" #include "util-lua-ja3.h" #include "util-lua-tls.h" -#include "util-lua-hassh.h" #include "util-lua-smtp.h" #include "util-lua-dnp3.h" #include "detect-lua-extensions.h" 
@@ -327,7 +326,6 @@ int LuaRegisterExtensions(lua_State *lua_state)
 LuaRegisterFunctions(lua_state);
 LuaRegisterJa3Functions(lua_state);
 LuaRegisterTlsFunctions(lua_state);
- LuaRegisterHasshFunctions(lua_state);
 LuaRegisterSmtpFunctions(lua_state);
 return 0;
 }
diff --git a/src/output-lua.c b/src/output-lua.c
index f35adcf52e..199c8fcc15 100644
--- a/src/output-lua.c
+++ b/src/output-lua.c
@@ -38,7 +38,6 @@
 #include "util-lua-http.h"
 #include "util-lua-ja3.h"
 #include "util-lua-tls.h"
-#include "util-lua-hassh.h"
 #include "util-lua-smtp.h"

 #define MODULE_NAME "LuaLog"
@@ -591,7 +590,6 @@ static lua_State *LuaScriptSetup(const char *filename, LogLuaMasterCtx *ctx)
 LuaRegisterFunctions(luastate);
 LuaRegisterJa3Functions(luastate);
 LuaRegisterTlsFunctions(luastate);
- LuaRegisterHasshFunctions(luastate);
 LuaRegisterSmtpFunctions(luastate);

 if (lua_pcall(luastate, 0, 0, 0) != 0) {
diff --git a/src/util-lua-hassh.c b/src/util-lua-hassh.c
deleted file mode 100644
index 752a178de7..0000000000
--- a/src/util-lua-hassh.c
+++ /dev/null
@@ -1,215 +0,0 @@
-/* Copyright (C) 2020 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-
-/**
- * \file
- *
- * \author Vadym Malakhatko
- *
- */
-
-#include "suricata-common.h"
-#include "detect.h"
-#include "pkt-var.h"
-#include "conf.h"
-
-#include "threads.h"
-#include "threadvars.h"
-#include "tm-threads.h"
-
-#include "util-print.h"
-#include "util-unittest.h"
-
-#include "util-debug.h"
-
-#include "output.h"
-#include "app-layer.h"
-#include "app-layer-parser.h"
-#include "app-layer-ssl.h"
-#include "util-privs.h"
-#include "util-buffer.h"
-#include "util-proto-name.h"
-#include "util-logopenfile.h"
-#include "util-time.h"
-
-#include "lua.h"
-#include "lualib.h"
-#include "lauxlib.h"
-
-#include "util-lua.h"
-#include "util-lua-common.h"
-#include "util-lua-hassh.h"
-
-static int GetHasshServerString(lua_State *luastate, const Flow *f)
-{
- void *state = FlowGetAppState(f);
- if (state == NULL)
- return LuaCallbackError(luastate, "error: no app layer state");
-
- const uint8_t *hassh_server_string = NULL;
- uint32_t b_len = 0;
-
- void *tx = SCSshStateGetTx(state, 0);
- if (SCSshTxGetHasshString(tx, &hassh_server_string, &b_len, STREAM_TOCLIENT) != 1)
- return LuaCallbackError(luastate, "error: no server hassh string");
- if (hassh_server_string == NULL || b_len == 0) {
- return LuaCallbackError(luastate, "error: no server hassh string");
- }
-
- return LuaPushStringBuffer(luastate, hassh_server_string, b_len);
-}
-
-static int HasshServerGetString(lua_State *luastate)
-{
- int r;
-
- if (!(LuaStateNeedProto(luastate, ALPROTO_SSH)))
- return LuaCallbackError(luastate, "error: protocol is not ssh");
-
- Flow *f = LuaStateGetFlow(luastate);
- if (f == NULL)
- return LuaCallbackError(luastate, "internal error: no ssh flow");
-
- r = GetHasshServerString(luastate, f);
-
- return r;
-}
-
-static int GetHasshServer(lua_State *luastate, const Flow *f)
-{
- void *state = FlowGetAppState(f);
- if (state == NULL)
- return LuaCallbackError(luastate, "error: no ssh app layer state");
-
- const uint8_t *hassh_server = NULL;
- uint32_t b_len = 0;
-
- void *tx = SCSshStateGetTx(state, 0);
- if (SCSshTxGetHassh(tx, &hassh_server, &b_len, STREAM_TOCLIENT) != 1)
- return LuaCallbackError(luastate, "error: no server hassh");
- if (hassh_server == NULL || b_len == 0) {
- return LuaCallbackError(luastate, "error: no server hassh");
- }
-
- return LuaPushStringBuffer(luastate, hassh_server, b_len);
-}
-
-static int HasshServerGet(lua_State *luastate)
-{
- int r;
-
- if (!(LuaStateNeedProto(luastate, ALPROTO_SSH)))
- return LuaCallbackError(luastate, "error: protocol is not ssh");
-
- Flow *f = LuaStateGetFlow(luastate);
- if (f == NULL)
- return LuaCallbackError(luastate, "internal error: no ssh flow");
-
- r = GetHasshServer(luastate, f);
-
- return r;
-}
-
-static int GetHasshString(lua_State *luastate, const Flow *f)
-{
- void *state = FlowGetAppState(f);
- if (state == NULL)
- return LuaCallbackError(luastate, "error: no app layer state");
-
- const uint8_t *hassh_string = NULL;
- uint32_t b_len = 0;
-
- void *tx = SCSshStateGetTx(state, 0);
- if (SCSshTxGetHasshString(tx, &hassh_string, &b_len, STREAM_TOSERVER) != 1)
- return LuaCallbackError(luastate, "error: no client hassh_string");
- if (hassh_string == NULL || b_len == 0) {
- return LuaCallbackError(luastate, "error: no client hassh_string");
- }
-
- return LuaPushStringBuffer(luastate, hassh_string, b_len);
-}
-
-static int HasshGetString(lua_State *luastate)
-{
- int r;
-
- if (!(LuaStateNeedProto(luastate, ALPROTO_SSH)))
- return LuaCallbackError(luastate, "error: protocol is not ssh");
-
- Flow *f = LuaStateGetFlow(luastate);
- if (f == NULL)
- return LuaCallbackError(luastate, "internal error: no ssh flow");
-
- r = GetHasshString(luastate, f);
-
- return r;
-}
-
-static int GetHassh(lua_State *luastate, const Flow *f)
-{
- void *state = FlowGetAppState(f);
- if (state == NULL)
- return LuaCallbackError(luastate, "error: no app layer state");
-
- const uint8_t *hassh = NULL;
- uint32_t b_len = 0;
-
- void *tx = SCSshStateGetTx(state, 0);
- if (SCSshTxGetHassh(tx, &hassh, &b_len, STREAM_TOSERVER) != 1)
- return LuaCallbackError(luastate, "error: no client hassh");
- if (hassh == NULL || b_len == 0) {
- return LuaCallbackError(luastate, "error: no client hassh");
- }
-
- return LuaPushStringBuffer(luastate, hassh, b_len);
-}
-
-static int HasshGet(lua_State *luastate)
-{
- int r;
-
- if (!(LuaStateNeedProto(luastate, ALPROTO_SSH)))
- return LuaCallbackError(luastate, "error: protocol is not ssh");
-
- Flow *f = LuaStateGetFlow(luastate);
- if (f == NULL)
- return LuaCallbackError(luastate, "internal error: no sshflow");
-
- r = GetHassh(luastate, f);
-
- return r;
-}
-
-/** *\brief Register Hassh Lua extensions */
-int LuaRegisterHasshFunctions(lua_State *luastate)
-{
-
- lua_pushcfunction(luastate, HasshGet);
- lua_setglobal(luastate, "HasshGet");
-
- lua_pushcfunction(luastate, HasshGetString);
- lua_setglobal(luastate, "HasshGetString");
-
- lua_pushcfunction(luastate, HasshServerGet);
- lua_setglobal(luastate, "HasshServerGet");
-
- lua_pushcfunction(luastate, HasshServerGetString);
- lua_setglobal(luastate, "HasshServerGetString");
-
- return 0;
-}
diff --git a/src/util-lua-hassh.h b/src/util-lua-hassh.h
deleted file mode 100644
index d5156663e3..0000000000
--- a/src/util-lua-hassh.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Copyright (C) 2020 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/**
- * \file
- *
- * \author Vadym Malakhatko
- */
-
-#ifndef SURICATA_UTIL_LUA_HASSH_H
-#define SURICATA_UTIL_LUA_HASSH_H
-
-int LuaRegisterHasshFunctions(lua_State *luastate);
-
-#endif /* SURICATA_UTIL_LUA_HASSH_H */
diff --git a/src/util-lua-ssh.c b/src/util-lua-ssh.c
index 3332cc8ae5..e7ce5e3149 100644
--- a/src/util-lua-ssh.c
+++ b/src/util-lua-ssh.c
@@ -109,19 +109,82 @@ static int LuaSshTxGetClientSoftware(lua_State *L)
 return LuaSshTxGetSoftware(L, STREAM_TOSERVER);
 }

+static int LuaSshTxGetHassh(lua_State *L, uint8_t flags)
+{
+ const uint8_t *buf = NULL;
+ uint32_t b_len = 0;
+ struct LuaTx *ltx = luaL_testudata(L, 1, ssh_tx);
+ if (ltx == NULL) {
+ lua_pushnil(L);
+ return 1;
+ }
+ if (SCSshTxGetHassh(ltx->tx, &buf, &b_len, flags) != 1) {
+ lua_pushnil(L);
+ return 1;
+ }
+ return LuaPushStringBuffer(L, buf, b_len);
+}
+
+static int LuaSshTxGetClientHassh(lua_State *L)
+{
+ return LuaSshTxGetHassh(L, STREAM_TOSERVER);
+}
+
+static int LuaSshTxGetServerHassh(lua_State *L)
+{
+ return LuaSshTxGetHassh(L, STREAM_TOCLIENT);
+}
+
+static int LuaSshTxGetHasshString(lua_State *L, uint8_t flags)
+{
+ const uint8_t *buf = NULL;
+ uint32_t b_len = 0;
+ struct LuaTx *ltx = luaL_testudata(L, 1, ssh_tx);
+ if (ltx == NULL) {
+ lua_pushnil(L);
+ return 1;
+ }
+ if (SCSshTxGetHasshString(ltx->tx, &buf, &b_len, flags) != 1) {
+ lua_pushnil(L);
+ return 1;
+ }
+ return LuaPushStringBuffer(L, buf, b_len);
+}
+
+static int LuaSshTxGetClientHasshString(lua_State *L)
+{
+ return LuaSshTxGetHasshString(L, STREAM_TOSERVER);
+}
+
+static int LuaSshTxGetServerHasshString(lua_State *L)
+{
+ return LuaSshTxGetHasshString(L, STREAM_TOCLIENT);
+}
+
 static const struct luaL_Reg txlib[] = {
 // clang-format off
 { "server_proto", LuaSshTxGetServerProto },
 { "server_software", LuaSshTxGetServerSoftware },
 { "client_proto", LuaSshTxGetClientProto },
 { "client_software", LuaSshTxGetClientSoftware },
+ { "client_hassh", LuaSshTxGetClientHassh },
+ { "server_hassh", LuaSshTxGetServerHassh },
+ { "client_hassh_string", LuaSshTxGetClientHasshString },
+ { "server_hassh_string", LuaSshTxGetServerHasshString },
 { NULL, NULL, }
 // clang-format on
 };

+static int LuaSshEnableHassh(lua_State *L)
+{
+ SCSshEnableHassh();
+ return 1;
+}
+
 static const struct luaL_Reg sshlib[] = {
 // clang-format off
 { "get_tx", LuaSshGetTx },
+ { "enable_hassh", LuaSshEnableHassh },
 { NULL, NULL,},
 // clang-format on
 };
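Review bot: `LuaSshEnableHassh`, added just above the `sshlib` table, returns 1 although it pushes nothing onto the Lua stack, so `ssh.enable_hassh()` reports a result the function never produced; it has no value to hand back and should end with `return 0;`. The new `LuaSshTxGetHassh` and `LuaSshTxGetHasshString` pass `buf` and `b_len` to `LuaPushStringBuffer` as soon as the getter returns 1, whereas the removed `GetHassh*` helpers also rejected a NULL pointer or a zero length. Unless the getters guarantee a non-empty buffer on success (not visible in this diff), keep that guard as `if (buf == NULL || b_len == 0) { lua_pushnil(L); return 1; }`. `SCSshEnableHassh()` takes no arguments, so it presumably changes a setting shared by every script; a short comment on `LuaSshEnableHassh` saying it is meant to be called from `init`, as the user guide in this commit states, would explain to rule writers why the hassh accessors return nil when the call is missing.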