Coverage Report

Created: 2026-06-30 07:20

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/suricata7/src/detect-ssh-hassh-server.c
Line
Count
Source
1
/* Copyright (C) 2007-2020 Open Information Security Foundation
2
 *
3
 * You can copy, redistribute or modify this Program under the terms of
4
 * the GNU General Public License version 2 as published by the Free
5
 * Software Foundation.
6
 *
7
 * This program is distributed in the hope that it will be useful,
8
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
10
 * GNU General Public License for more details.
11
 *
12
 * You should have received a copy of the GNU General Public License
13
 * version 2 along with this program; if not, write to the Free Software
14
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15
 * 02110-1301, USA.
16
 */
17
18
/**
19
 * \file
20
 *
21
 * \author Vadym Malakhatko <v.malakhatko@sirinsoftware.com>
22
 */
23
24
#include "suricata-common.h"
25
#include "threads.h"
26
#include "decode.h"
27
28
#include "detect.h"
29
#include "detect-parse.h"
30
#include "detect-content.h"
31
32
#include "detect-engine.h"
33
#include "detect-engine-mpm.h"
34
#include "detect-engine-state.h"
35
#include "detect-engine-prefilter.h"
36
37
#include "flow.h"
38
#include "flow-var.h"
39
#include "flow-util.h"
40
#include "stream-tcp.h"
41
#include "util-debug.h"
42
#include "util-unittest.h"
43
#include "util-unittest-helper.h"
44
45
#include "app-layer.h"
46
#include "app-layer-parser.h"
47
#include "app-layer-ssh.h"
48
#include "detect-ssh-hassh-server.h"
49
#include "rust.h"
50
51
52
34
#define KEYWORD_NAME "ssh.hassh.server"
53
34
#define KEYWORD_ALIAS "ssh-hassh-server"
54
34
#define KEYWORD_DOC "ssh-keywords.html#ssh.hassh.server"
55
238
#define BUFFER_NAME "ssh.hassh.server"
56
34
#define BUFFER_DESC "Ssh Client Fingerprinting For Ssh Servers"
57
static int g_ssh_hassh_buffer_id = 0;
58
59
60
static InspectionBuffer *GetSshData(DetectEngineThreadCtx *det_ctx,
61
        const DetectEngineTransforms *transforms, Flow *_f,
62
        const uint8_t flow_flags, void *txv, const int list_id)
63
14
{
64
    
65
14
    SCEnter();
66
67
14
    InspectionBuffer *buffer = InspectionBufferGet(det_ctx, list_id);
68
69
14
    if (buffer->inspect == NULL) {
70
13
        const uint8_t *hasshServer = NULL;
71
13
        uint32_t b_len = 0;
72
73
13
        if (rs_ssh_tx_get_hassh(txv, &hasshServer, &b_len, flow_flags) != 1)
74
9
            return NULL;
75
4
        if (hasshServer == NULL || b_len == 0) {
76
0
            SCLogDebug("SSH hassh not set");
77
0
            return NULL;
78
0
        }
79
80
4
        InspectionBufferSetup(det_ctx, list_id, buffer, hasshServer, b_len);
81
4
        InspectionBufferApplyTransforms(buffer, transforms);
82
4
    }
83
84
5
    return buffer;
85
14
}
86
87
/**
88
 * \brief this function setup the ssh.hassh.server modifier keyword used in the rule
89
 *
90
 * \param de_ctx Pointer to the Detection Engine Context
91
 * \param s      Pointer to the Signature to which the current keyword belongs
92
 * \param str    Should hold an empty string always
93
 *
94
 * \retval 0  On success
95
 * \retval -1 On failure
96
 * \retval -2 on failure that should be silent after the first
97
 */
98
static int DetectSshHasshServerSetup(DetectEngineCtx *de_ctx, Signature *s, const char *arg)
99
3.88k
{
100
3.88k
    if (DetectBufferSetActiveList(de_ctx, s, g_ssh_hassh_buffer_id) < 0)
101
264
        return -1;
102
103
3.61k
    if (DetectSignatureSetAppProto(s, ALPROTO_SSH) < 0)
104
100
        return -1;
105
            
106
    /* try to enable Hassh */
107
3.51k
    rs_ssh_enable_hassh();
108
109
    /* Check if Hassh is disabled */
110
3.51k
    if (!RunmodeIsUnittests() && !rs_ssh_hassh_is_enabled()) {
111
0
        if (!SigMatchSilentErrorEnabled(de_ctx, DETECT_AL_SSH_HASSH_SERVER)) {
112
0
            SCLogError("hassh support is not enabled");
113
0
        }
114
0
        return -2;
115
0
    }
116
117
3.51k
    return 0;
118
119
3.51k
}
120
121
static bool DetectSshHasshServerHashValidateCallback(const Signature *s, const char **sigerror)
122
1.78k
{
123
3.21k
    for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
124
2.91k
        if (s->init_data->buffers[x].id != (uint32_t)g_ssh_hassh_buffer_id)
125
1.12k
            continue;
126
1.78k
        const SigMatch *sm = s->init_data->buffers[x].head;
127
3.62k
        for (; sm != NULL; sm = sm->next) {
128
3.33k
            if (sm->type != DETECT_CONTENT)
129
1.28k
                continue;
130
131
2.04k
            const DetectContentData *cd = (DetectContentData *)sm->ctx;
132
133
2.04k
            if (cd->flags & DETECT_CONTENT_NOCASE) {
134
0
                *sigerror = "ssh.hassh.server should not be used together with "
135
0
                            "nocase, since the rule is automatically "
136
0
                            "lowercased anyway which makes nocase redundant.";
137
0
                SCLogWarning("rule %u: %s", s->id, *sigerror);
138
0
            }
139
140
2.04k
            if (cd->content_len != 32) {
141
1.31k
                *sigerror = "Invalid length of the specified ssh.hassh.server (should "
142
1.31k
                            "be 32 characters long). This rule will therefore "
143
1.31k
                            "never match.";
144
1.31k
                SCLogWarning("rule %u: %s", s->id, *sigerror);
145
1.31k
                return false;
146
1.31k
            }
147
18.8k
            for (size_t i = 0; i < cd->content_len; ++i) {
148
18.3k
                if (!isxdigit(cd->content[i])) {
149
175
                    *sigerror = "Invalid ssh.hassh.server string (should be string of hexadecimal "
150
175
                                "characters)."
151
175
                                "This rule will therefore never match.";
152
175
                    SCLogWarning("rule %u: %s", s->id, *sigerror);
153
175
                    return false;
154
175
                }
155
18.3k
            }
156
731
        }
157
1.78k
    }
158
297
    return true;
159
1.78k
}
160
161
static void DetectSshHasshServerHashSetupCallback(const DetectEngineCtx *de_ctx,
162
                                          Signature *s)
163
1.99k
{
164
6.30k
    for (uint32_t x = 0; x < s->init_data->buffer_index; x++) {
165
4.30k
        if (s->init_data->buffers[x].id != (uint32_t)g_ssh_hassh_buffer_id)
166
2.31k
            continue;
167
1.99k
        SigMatch *sm = s->init_data->buffers[x].head;
168
7.14k
        for (; sm != NULL; sm = sm->next) {
169
5.15k
            if (sm->type != DETECT_CONTENT)
170
2.56k
                continue;
171
172
2.59k
            DetectContentData *cd = (DetectContentData *)sm->ctx;
173
174
2.59k
            uint32_t u;
175
145k
            for (u = 0; u < cd->content_len; u++) {
176
142k
                if (isupper(cd->content[u])) {
177
18.5k
                    cd->content[u] = u8_tolower(cd->content[u]);
178
18.5k
                }
179
142k
            }
180
181
2.59k
            SpmDestroyCtx(cd->spm_ctx);
182
2.59k
            cd->spm_ctx =
183
2.59k
                    SpmInitCtx(cd->content, cd->content_len, 1, de_ctx->spm_global_thread_ctx);
184
2.59k
        }
185
1.99k
    }
186
1.99k
}
187
188
/**
189
 * \brief Registration function for hasshServer keyword.
190
 */
191
void DetectSshHasshServerRegister(void) 
192
34
{
193
34
    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].name = KEYWORD_NAME;
194
34
    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].alias = KEYWORD_ALIAS;
195
34
    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].desc = BUFFER_NAME " sticky buffer";
196
34
    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].url = "/rules/" KEYWORD_DOC;
197
34
    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].Setup = DetectSshHasshServerSetup;
198
34
    sigmatch_table[DETECT_AL_SSH_HASSH_SERVER].flags |= SIGMATCH_INFO_STICKY_BUFFER | SIGMATCH_NOOPT;
199
200
34
    DetectAppLayerMpmRegister2(BUFFER_NAME, SIG_FLAG_TOCLIENT, 2, 
201
34
            PrefilterGenericMpmRegister, GetSshData, 
202
34
            ALPROTO_SSH, SshStateBannerDone);
203
34
    DetectAppLayerInspectEngineRegister2(BUFFER_NAME, ALPROTO_SSH, 
204
34
            SIG_FLAG_TOCLIENT, SshStateBannerDone, 
205
34
            DetectEngineInspectBufferGeneric, GetSshData);
206
34
    DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
207
208
34
    g_ssh_hassh_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
209
210
34
    DetectBufferTypeRegisterSetupCallback(BUFFER_NAME, DetectSshHasshServerHashSetupCallback);
211
34
    DetectBufferTypeRegisterValidateCallback(BUFFER_NAME, DetectSshHasshServerHashValidateCallback);
212
34
}