From a10b2fdecfee1a92fdbaa170cc1d53730a1ade3d Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Thu, 22 Dec 2016 13:07:06 +0100 Subject: [PATCH] detect: make ssh detection use dynamic list --- src/detect-lua.c | 3 +- src/detect-ssh-proto-version.c | 32 +++++++++-------- src/detect-ssh-software-version.c | 60 +++++++++++++++++++------------ src/detect-ssh-software-version.h | 1 - 4 files changed, 57 insertions(+), 39 deletions(-) diff --git a/src/detect-lua.c b/src/detect-lua.c index d3889d8e27..4d80841623 100644 --- a/src/detect-lua.c +++ b/src/detect-lua.c @@ -1036,7 +1036,8 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str) int list = DetectBufferTypeGetByName("tls_generic"); SigMatchAppendSMToList(s, sm, list); } else if (lua->alproto == ALPROTO_SSH) { - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH); + int list = DetectBufferTypeGetByName("ssh_banner"); + SigMatchAppendSMToList(s, sm, list); } else if (lua->alproto == ALPROTO_SMTP) { SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH); } else if (lua->alproto == ALPROTO_DNP3) { diff --git a/src/detect-ssh-proto-version.c b/src/detect-ssh-proto-version.c index 96b8c40ec5..ebf8ce0c64 100644 --- a/src/detect-ssh-proto-version.c +++ b/src/detect-ssh-proto-version.c @@ -63,11 +63,12 @@ static pcre *parse_regex; static pcre_extra *parse_regex_study; static int DetectSshVersionMatch (ThreadVars *, DetectEngineThreadCtx *, - Flow *, uint8_t, void *, - const Signature *, const SigMatchData *); + Flow *, uint8_t, void *, void *, + const Signature *, const SigMatchCtx *); static int DetectSshVersionSetup (DetectEngineCtx *, Signature *, char *); -void DetectSshVersionRegisterTests(void); -void DetectSshVersionFree(void *); +static void DetectSshVersionRegisterTests(void); +static void DetectSshVersionFree(void *); +static int g_ssh_banner_list_id = 0; /** * \brief Registration function for keyword: ssh.protoversion @@ -75,13 +76,14 @@ void DetectSshVersionFree(void *); void DetectSshVersionRegister(void) { sigmatch_table[DETECT_AL_SSH_PROTOVERSION].name = "ssh.protoversion"; - sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Match = NULL; - sigmatch_table[DETECT_AL_SSH_PROTOVERSION].AppLayerMatch = DetectSshVersionMatch; + sigmatch_table[DETECT_AL_SSH_PROTOVERSION].AppLayerTxMatch = DetectSshVersionMatch; sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Setup = DetectSshVersionSetup; sigmatch_table[DETECT_AL_SSH_PROTOVERSION].Free = DetectSshVersionFree; sigmatch_table[DETECT_AL_SSH_PROTOVERSION].RegisterTests = DetectSshVersionRegisterTests; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); + + g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner"); } /** @@ -96,12 +98,12 @@ void DetectSshVersionRegister(void) * \retval 1 match */ static int DetectSshVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, - Flow *f, uint8_t flags, void *state, - const Signature *s, const SigMatchData *m) + Flow *f, uint8_t flags, void *state, void *txv, + const Signature *s, const SigMatchCtx *m) { SCEnter(); - DetectSshVersionData *ssh = (DetectSshVersionData *)m->ctx; + DetectSshVersionData *ssh = (DetectSshVersionData *)m; SshState *ssh_state = (SshState *)state; if (ssh_state == NULL) { SCLogDebug("no ssh state, no match"); @@ -215,6 +217,11 @@ static int DetectSshVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s DetectSshVersionData *ssh = NULL; SigMatch *sm = NULL; + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); + return -1; + } + ssh = DetectSshVersionParse(str); if (ssh == NULL) goto error; @@ -225,15 +232,10 @@ static int DetectSshVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *s if (sm == NULL) goto error; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); - goto error; - } - sm->type = DETECT_AL_SSH_PROTOVERSION; sm->ctx = (void *)ssh; - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH); + SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id); s->flags |= SIG_FLAG_APPLAYER; s->alproto = ALPROTO_SSH; diff --git a/src/detect-ssh-software-version.c b/src/detect-ssh-software-version.c index 3032b0e6bf..7ab8ecffca 100644 --- a/src/detect-ssh-software-version.c +++ b/src/detect-ssh-software-version.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2007-2014 Open Information Security Foundation +/* Copyright (C) 2007-2016 Open Information Security Foundation * * You can copy, redistribute or modify this Program under the terms of * the GNU General Public License version 2 as published by the Free @@ -67,12 +67,22 @@ static pcre *parse_regex; static pcre_extra *parse_regex_study; static int DetectSshSoftwareVersionMatch (ThreadVars *, DetectEngineThreadCtx *, - Flow *, uint8_t, void *, - const Signature *, const SigMatchData *); + Flow *, uint8_t, void *, void *, + const Signature *, const SigMatchCtx *); static int DetectSshSoftwareVersionSetup (DetectEngineCtx *, Signature *, char *); -void DetectSshSoftwareVersionRegisterTests(void); -void DetectSshSoftwareVersionFree(void *); -void DetectSshSoftwareVersionRegister(void); +static void DetectSshSoftwareVersionRegisterTests(void); +static void DetectSshSoftwareVersionFree(void *); +static int g_ssh_banner_list_id = 0; + +static int InspectSshBanner(ThreadVars *tv, + DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, + const Signature *s, const SigMatchData *smd, + Flow *f, uint8_t flags, void *alstate, + void *txv, uint64_t tx_id) +{ + return DetectEngineInspectGenericList(tv, de_ctx, det_ctx, s, smd, + f, flags, alstate, txv, tx_id); +} /** * \brief Registration function for keyword: ssh.softwareversion @@ -80,13 +90,19 @@ void DetectSshSoftwareVersionRegister(void); void DetectSshSoftwareVersionRegister(void) { sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].name = "ssh.softwareversion"; - sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Match = NULL; - sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].AppLayerMatch = DetectSshSoftwareVersionMatch; + sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].AppLayerTxMatch = DetectSshSoftwareVersionMatch; sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Setup = DetectSshSoftwareVersionSetup; sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].Free = DetectSshSoftwareVersionFree; sigmatch_table[DETECT_AL_SSH_SOFTWAREVERSION].RegisterTests = DetectSshSoftwareVersionRegisterTests; DetectSetupParseRegexes(PARSE_REGEX, &parse_regex, &parse_regex_study); + + g_ssh_banner_list_id = DetectBufferTypeRegister("ssh_banner"); + + DetectAppLayerInspectEngineRegister("ssh_banner", + ALPROTO_SSH, SIG_FLAG_TOSERVER, InspectSshBanner); + DetectAppLayerInspectEngineRegister("ssh_banner", + ALPROTO_SSH, SIG_FLAG_TOCLIENT, InspectSshBanner); } /** @@ -101,12 +117,12 @@ void DetectSshSoftwareVersionRegister(void) * \retval 1 match */ static int DetectSshSoftwareVersionMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, - Flow *f, uint8_t flags, void *state, - const Signature *s, const SigMatchData *m) + Flow *f, uint8_t flags, void *state, void *txv, + const Signature *s, const SigMatchCtx *m) { SCEnter(); - DetectSshSoftwareVersionData *ssh = (DetectSshSoftwareVersionData *)m->ctx; + DetectSshSoftwareVersionData *ssh = (DetectSshSoftwareVersionData *)m; SshState *ssh_state = (SshState *)state; if (ssh_state == NULL) { SCLogDebug("no ssh state, no match"); @@ -196,6 +212,11 @@ static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s, DetectSshSoftwareVersionData *ssh = NULL; SigMatch *sm = NULL; + if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) { + SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); + return -1; + } + ssh = DetectSshSoftwareVersionParse(str); if (ssh == NULL) goto error; @@ -206,18 +227,13 @@ static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s, if (sm == NULL) goto error; - if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) { - SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords."); - goto error; - } - sm->type = DETECT_AL_SSH_SOFTWAREVERSION; sm->ctx = (void *)ssh; s->flags |= SIG_FLAG_APPLAYER; s->alproto = ALPROTO_SSH; - SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH); + SigMatchAppendSMToList(s, sm, g_ssh_banner_list_id); return 0; @@ -235,7 +251,7 @@ error: * * \param id_d pointer to DetectSshSoftwareVersionData */ -void DetectSshSoftwareVersionFree(void *ptr) +static void DetectSshSoftwareVersionFree(void *ptr) { if (ptr == NULL) return; @@ -252,7 +268,7 @@ void DetectSshSoftwareVersionFree(void *ptr) * \test DetectSshSoftwareVersionTestParse01 is a test to make sure that we parse * a software version correctly */ -int DetectSshSoftwareVersionTestParse01 (void) +static int DetectSshSoftwareVersionTestParse01 (void) { DetectSshSoftwareVersionData *ssh = NULL; ssh = DetectSshSoftwareVersionParse("PuTTY_1.0"); @@ -268,7 +284,7 @@ int DetectSshSoftwareVersionTestParse01 (void) * \test DetectSshSoftwareVersionTestParse02 is a test to make sure that we parse * the software version correctly */ -int DetectSshSoftwareVersionTestParse02 (void) +static int DetectSshSoftwareVersionTestParse02 (void) { DetectSshSoftwareVersionData *ssh = NULL; ssh = DetectSshSoftwareVersionParse("\"SecureCRT-4.0\""); @@ -284,7 +300,7 @@ int DetectSshSoftwareVersionTestParse02 (void) * \test DetectSshSoftwareVersionTestParse03 is a test to make sure that we * don't return a ssh_data with an empty value specified */ -int DetectSshSoftwareVersionTestParse03 (void) +static int DetectSshSoftwareVersionTestParse03 (void) { DetectSshSoftwareVersionData *ssh = NULL; ssh = DetectSshSoftwareVersionParse(""); @@ -656,7 +672,7 @@ end: /** * \brief this function registers unit tests for DetectSshSoftwareVersion */ -void DetectSshSoftwareVersionRegisterTests(void) +static void DetectSshSoftwareVersionRegisterTests(void) { #ifdef UNITTESTS /* UNITTESTS */ UtRegisterTest("DetectSshSoftwareVersionTestParse01", diff --git a/src/detect-ssh-software-version.h b/src/detect-ssh-software-version.h index 70c37c745f..7cf3111677 100644 --- a/src/detect-ssh-software-version.h +++ b/src/detect-ssh-software-version.h @@ -31,7 +31,6 @@ typedef struct DetectSshSoftwareVersionData_ { /* prototypes */ void DetectSshSoftwareVersionRegister(void); -void DetectSshSoftwareVersionRegisterTests(void); #endif /* __DETECT_SSH_SOFTWARE_VERSION_H__ */ -- 2.47.2