From ceba8c89e93b8b130e81ea5fbeb75cbd3ec60ff1 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Sun, 7 Apr 2019 08:35:44 -0700
Subject: [PATCH] sticky: Convert ssh_proto to new format
This changest converts the 'ssh_proto' sticky buffer into the v2 framework.
---
 src/detect-ssh-proto.c | 166 ++++++++++++----------------------------
 1 file changed, 46 insertions(+), 120 deletions(-)
diff --git a/src/detect-ssh-proto.c b/src/detect-ssh-proto.c
index b9022ecfa8..61c10656fa 100644
--- a/src/detect-ssh-proto.c
+++ b/src/detect-ssh-proto.c
@@ -47,159 +47,85 @@ #include "app-layer-ssh.h" #include "detect-ssh-proto.h" -#define KEYWORD_NAME "ssh_proto" +#define KEYWORD_NAME "ssh.proto" +#define KEYWORD_NAME_LEGACY "ssh_proto" #define KEYWORD_DOC "ssh-keywords.html#ssh-proto" #define BUFFER_NAME "ssh_protocol" #define BUFFER_DESC "ssh protocol field" static int g_buffer_id = 0; -/** \brief SSH Protocol Mpm prefilter callback - * - * \param det_ctx detection engine thread ctx - * \param p packet to inspect - * \param f flow to inspect - * \param txv tx to inspect - * \param pectx inspection context - */ -static void PrefilterTxSshRequestProtocol(DetectEngineThreadCtx *det_ctx, - const void *pectx, - Packet *p, Flow *f, void *txv, - const uint64_t idx, const uint8_t flags) +static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx, + const DetectEngineTransforms *transforms, Flow *_f, + const uint8_t flow_flags, void *txv, const int list_id) { SCEnter(); - const MpmCtx *mpm_ctx = (MpmCtx *)pectx; - const SshState *ssh_state = txv; - - if (ssh_state->cli_hdr.proto_version == NULL) - return; - - uint32_t buffer_len = strlen((char *)ssh_state->cli_hdr.proto_version); - const uint8_t *buffer = ssh_state->cli_hdr.proto_version; - - if (buffer_len >= mpm_ctx->minlen) { - (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx, - &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len); - } -} + InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id); -static int PrefilterTxSshRequestProtocolRegister(DetectEngineCtx *de_ctx, - SigGroupHead *sgh, MpmCtx *mpm_ctx) -{ - SCEnter(); - - int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxSshRequestProtocol, - ALPROTO_SSH, SSH_STATE_BANNER_DONE, - mpm_ctx, NULL, KEYWORD_NAME " (request)"); - return r; -} - -/** \brief SSH Protocol Mpm prefilter callback - * - * \param det_ctx detection engine thread ctx - * \param p packet to inspect - * \param f flow to inspect - * \param txv tx to inspect - * \param pectx inspection context - */ -static void 
PrefilterTxSshResponseProtocol(DetectEngineThreadCtx *det_ctx, - const void *pectx, - Packet *p, Flow *f, void *txv, - const uint64_t idx, const uint8_t flags) -{ - SCEnter(); + if (buffer->inspect == NULL) { + uint8_t *protocol = NULL; + SshState *ssh_state = (SshState *) txv; - const MpmCtx *mpm_ctx = (MpmCtx *)pectx; - const SshState *ssh_state = txv; + if (flow_flags & STREAM_TOSERVER) + protocol = ssh_state->cli_hdr.proto_version; + else if (flow_flags & STREAM_TOCLIENT) + protocol = ssh_state->srv_hdr.proto_version; - if (ssh_state->srv_hdr.proto_version == NULL) - return; + if (protocol == NULL) { + SCLogDebug("SSL protocol not set"); + return NULL; + } - uint32_t buffer_len = strlen((char *)ssh_state->srv_hdr.proto_version); - const uint8_t *buffer = ssh_state->srv_hdr.proto_version; + uint32_t data_len = strlen((char *)protocol); + uint8_t *data = protocol; + if (data == NULL || data_len == 0) { + SCLogDebug("SSL protocol not present"); + return NULL; + } - if (buffer_len >= mpm_ctx->minlen) { - (void)mpm_table[mpm_ctx->mpm_type].Search(mpm_ctx, - &det_ctx->mtcu, &det_ctx->pmq, buffer, buffer_len); + InspectionBufferSetup(buffer, data, data_len); + InspectionBufferApplyTransforms(buffer, transforms); } -} - -static int PrefilterTxSshResponseProtocolRegister(DetectEngineCtx *de_ctx, - SigGroupHead *sgh, MpmCtx *mpm_ctx) -{ - SCEnter(); - int r = PrefilterAppendTxEngine(de_ctx, sgh, PrefilterTxSshResponseProtocol, - ALPROTO_SSH, SSH_STATE_BANNER_DONE, - mpm_ctx, NULL, KEYWORD_NAME " (response)"); - return r; -} - -static int InspectEngineSshProtocol(ThreadVars *tv, - DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, - const Signature *s, const SigMatchData *smd, - Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id) -{ - uint8_t *protocol = NULL; - SshState *ssh_state = alstate; - - if (flags & STREAM_TOSERVER) - protocol = ssh_state->cli_hdr.proto_version; - else if (flags & STREAM_TOCLIENT) - protocol = ssh_state->srv_hdr.proto_version; 
- if (protocol == NULL) - goto end; - - uint32_t buffer_len = strlen((char *)protocol); - uint8_t *buffer = protocol; - if (buffer == NULL ||buffer_len == 0) - goto end; - - det_ctx->buffer_offset = 0; - det_ctx->discontinue_matching = 0; - det_ctx->inspection_recursion_counter = 0; - int r = DetectEngineContentInspection(de_ctx, det_ctx, s, smd, - f, - buffer, buffer_len, - 0, DETECT_CI_FLAGS_SINGLE, - DETECT_ENGINE_CONTENT_INSPECTION_MODE_STATE, NULL); - if (r == 1) - return DETECT_ENGINE_INSPECT_SIG_MATCH; - - end: - if (AppLayerParserGetStateProgress(IPPROTO_TCP, ALPROTO_SSH, tx, flags) >= SSH_STATE_BANNER_DONE) - return DETECT_ENGINE_INSPECT_SIG_CANT_MATCH; - return DETECT_ENGINE_INSPECT_SIG_NO_MATCH; + return buffer; } static int DetectSshProtocolSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg) { - s->init_data->list = g_buffer_id; + if (DetectBufferSetActiveList(s, g_buffer_id) < 0) + return -1; + + if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0) + return -1; + return 0; } void DetectSshProtocolRegister(void) { sigmatch_table[DETECT_AL_SSH_PROTOCOL].name = KEYWORD_NAME; + sigmatch_table[DETECT_AL_SSH_PROTOCOL].alias = KEYWORD_NAME_LEGACY; sigmatch_table[DETECT_AL_SSH_PROTOCOL].desc = BUFFER_NAME " sticky buffer"; sigmatch_table[DETECT_AL_SSH_PROTOCOL].url = DOC_URL DOC_VERSION "/rules/" KEYWORD_DOC; sigmatch_table[DETECT_AL_SSH_PROTOCOL].Setup = DetectSshProtocolSetup; - sigmatch_table[DETECT_AL_SSH_PROTOCOL].flags |= SIGMATCH_NOOPT ; + sigmatch_table[DETECT_AL_SSH_PROTOCOL].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT; + - DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, - PrefilterTxSshRequestProtocolRegister); - DetectAppLayerMpmRegister(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, - PrefilterTxSshResponseProtocolRegister); + DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOSERVER, 2, + PrefilterGenericMpmRegister, GetSshData, + ALPROTO_SSH, SSH_STATE_BANNER_DONE), + DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 
2, + PrefilterGenericMpmRegister, GetSshData, + ALPROTO_SSH, SSH_STATE_BANNER_DONE), - DetectAppLayerInspectEngineRegister(BUFFER_NAME, + DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH, SIG_FLAG_TOSERVER, SSH_STATE_BANNER_DONE, - InspectEngineSshProtocol); - DetectAppLayerInspectEngineRegister(BUFFER_NAME, + DetectEngineInspectBufferGeneric, GetSshData); + DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH, SIG_FLAG_TOCLIENT, SSH_STATE_BANNER_DONE, - InspectEngineSshProtocol); + DetectEngineInspectBufferGeneric, GetSshData); - DetectBufferTypeSetDescriptionByName(BUFFER_NAME, - BUFFER_DESC); + DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC); g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME); } -- 2.47.2
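Review bot: In DetectSshProtocolRegister the two new `DetectAppLayerMpmRegister2(...)` calls are terminated with `,` instead of `;`, so they and the following `DetectAppLayerInspectEngineRegister2` call are folded into one comma-expression statement; it still compiles and the calls run in order, but both should end with `ALPROTO_SSH, SSH_STATE_BANNER_DONE);`. In GetSshData the two debug messages `"SSL protocol not set"` and `"SSL protocol not present"` look carried over from a TLS keyword and should name SSH, since this is the SSH protocol-banner buffer. The `data == NULL` half of the second guard in GetSshData is redundant, because `protocol` was already rejected when NULL a few lines earlier, so `if (data_len == 0)` is sufficient. The stray blank line added after the `flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;` assignment can be dropped.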