From: Hui Cao (huica)
Date: Mon, 13 Aug 2018 13:40:42 +0000 (-0400)
Subject: Merge pull request #1327 in SNORT/snort3 from ssh_test_version1 to master
X-Git-Tag: 3.0.0-246~7
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7c2df90e792fcc2a6ba63f3eae725b5e363ce152;p=thirdparty%2Fsnort3.git

Merge pull request #1327 in SNORT/snort3 from ssh_test_version1 to master

Squashed commit of the following:

commit 61ee94ef5c6198f40a51f23fb81ea35cda9253c2
Author: bokidi
Date:   Tue Aug 7 15:29:24 2018 -0400

    ssh: added test code
---
diff --git a/src/service_inspectors/ssh/ssh.cc b/src/service_inspectors/ssh/ssh.cc
index 7df875080..e6e1a8c14 100644
--- a/src/service_inspectors/ssh/ssh.cc
+++ b/src/service_inspectors/ssh/ssh.cc
@@ -318,7 +318,6 @@ static unsigned int ProcessSSHProtocolVersionExchange(SSH_PROTO_CONF* config, SS
     Packet* p, uint8_t direction)
 {
     const char* version_stringp = (const char*)p->data;
-    uint8_t version;
     const char* version_end;
 
     /* Get the version. */
@@ -329,11 +328,11 @@ static unsigned int ProcessSSHProtocolVersionExchange(SSH_PROTO_CONF* config, SS
         && (version_stringp[7] == '9'))
     {
         /* SSH 1.99 which is the same as SSH2.0 */
-        version = SSH_VERSION_2;
+        sessionp->version = SSH_VERSION_2;
     }
     else
     {
-        version = SSH_VERSION_1;
+        sessionp->version = SSH_VERSION_1;
     }
 
     /* CAN-2002-0159 */
@@ -354,10 +353,15 @@ static unsigned int ProcessSSHProtocolVersionExchange(SSH_PROTO_CONF* config, SS
     else if ( p->dsize >= 6
         && !strncasecmp(version_stringp, "SSH-2.", 6))
     {
-        version = SSH_VERSION_2;
+        sessionp->version = SSH_VERSION_2;
     }
     else
     {
+        /* unknown version */
+        sessionp->version = SSH_VERSION_UNKNOWN;
+
+        DetectionEngine::queue_event(GID_SSH, SSH_EVENT_VERSION);
+
         return 0;
     }
 
@@ -374,7 +378,6 @@ static unsigned int ProcessSSHProtocolVersionExchange(SSH_PROTO_CONF* config, SS
         break;
     }
 
-    sessionp->version = version;
     version_end = (char*)memchr(version_stringp, '\n', p->dsize);
     if (version_end)
         return ((version_end - version_stringp) + 1);
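Review bot: The session's version is now committed at the SSH 1.99 / SSH 1 branch of this hunk, before the `/* CAN-2002-0159 */` check that follows, whereas the old code held it in the local `version` and stored it once at the end of ProcessSSHProtocolVersionExchange (the store removed in the fourth hunk). Any early return between this point and that old store — the body between the hunks is not visible here — now leaves `sessionp->version` set where it previously kept its prior value, and ProcessSSHKeyInitExchange's else branch keys on that value, so confirm the earlier commit is intended. A one-line comment at the first assignment would make the new contract explicit: `/* version is committed as soon as the banner is classified, before the sanity checks below */`. The enclosing function starts before this hunk.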
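Review bot: The new else branch queues SSH_EVENT_VERSION and returns 0 on every call that reaches it, so a flow whose initial bytes never match an SSH banner may raise the same event on each packet unless the caller (outside this hunk) stops invoking ProcessSSHProtocolVersionExchange after a 0 return. Since the ProcessSSHKeyInitExchange hunk drops the alert that used to fire for an unrecognised version, this branch is now the only source of that event, which makes its per-call behaviour worth pinning down. If one alert per session is the intent, record the decision in `sessionp->state_flags` before queuing, or at least document it: `/* unknown version: alert here; ProcessSSHKeyInitExchange no longer alerts for it */`. The enclosing function starts before this hunk.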
@@ -545,11 +548,6 @@ static unsigned int ProcessSSHKeyInitExchange(SSHData* sessionp, Packet* p,
     }
     else
     {
-        {
-            /* Unrecognized version. */
-            DetectionEngine::queue_event(GID_SSH, SSH_EVENT_VERSION);
-        }
-
         return 0;
     }
 
diff --git a/src/service_inspectors/ssh/ssh.h b/src/service_inspectors/ssh/ssh.h
index ffd80aa92..b9dcf443c 100644
--- a/src/service_inspectors/ssh/ssh.h
+++ b/src/service_inspectors/ssh/ssh.h
@@ -32,30 +32,6 @@
 
 #include "flow/flow.h"
 
-// Per-session data block containing current state
-// of the SSH preprocessor for the session.
-struct SSHData
-{
-    uint8_t version; // Version of SSH detected for this session
-    uint16_t num_enc_pkts; // encrypted packets seen on this session
-    uint16_t num_client_bytes; // bytes of encrypted data sent by client without a server response
-    uint32_t state_flags; // Bit vector describing the current state of the session
-};
-
-class SshFlowData : public snort::FlowData
-{
-public:
-    SshFlowData();
-    ~SshFlowData() override;
-
-    static void init()
-    { inspector_id = snort::FlowData::create_flow_data_id(); }
-
-public:
-    static unsigned inspector_id;
-    SSHData session;
-};
-
 // FIXIT-L move these to ssh.cc
 // Session state flags for SSHData::state_flags
 #define SSH_FLG_CLEAR (0x0)
@@ -109,6 +85,30 @@ public:
 #define SSH_VERSION_1 (0x1)
 #define SSH_VERSION_2 (0x2)
 
+// Per-session data block containing current state
+// of the SSH preprocessor for the session.
+struct SSHData
+{
+    uint8_t version = SSH_VERSION_UNKNOWN; // Version of SSH detected for this session
+    uint16_t num_enc_pkts; // encrypted packets seen on this session
+    uint16_t num_client_bytes; // bytes of encrypted data sent by client without a server response
+    uint32_t state_flags; // Bit vector describing the current state of the session
+};
+
+class SshFlowData : public snort::FlowData
+{
+public:
+    SshFlowData();
+    ~SshFlowData() override;
+
+    static void init()
+    { inspector_id = snort::FlowData::create_flow_data_id(); }
+
+public:
+    static unsigned inspector_id;
+    SSHData session;
+};
+
 // Length of SSH2 header, in bytes.
 #define SSH2_HEADERLEN (5)
 #define SSH2_PACKET_MAX_SIZE (256 * 1024)
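Review bot: Only `version` receives a default member initializer in the relocated SSHData; `num_enc_pkts`, `num_client_bytes` and `state_flags` still rely on SshFlowData's constructor (not in this diff) to zero them, so a default-constructed SSHData has one defined field next to three indeterminate ones. Initialising all four in the struct removes the asymmetry: `uint16_t num_enc_pkts = 0;`, `uint16_t num_client_bytes = 0;`, `uint32_t state_flags = SSH_FLG_CLEAR;` (SSH_FLG_CLEAR is defined earlier in this header, visible in the preceding hunk). Separately, the struct now depends on SSH_VERSION_UNKNOWN at header scope while the `// FIXIT-L move these to ssh.cc` comment above the define block is still in place; if that FIXIT was meant to cover the version defines too, it should be amended to note that the header needs them.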