[SSH] Handle SSH version 1.99

SSH can set in its identification a version 1.99 (SSH-1.99-xxx). That means the client/server is compatible with SSHv1 and SSHv2. So the version choice depends of the both side. 1.99 : 1.99 => 2.0 1.99 : 1.x => 1.x 1.99 : 2.0 => 2.O (see "Compatibility With Old SSH Versions" in RFC 4253)
2025-10-02 14:48:21 +00:00 · 2020-11-11 16:30:51 +01:00 · 2020-11-11 16:30:51 +01:00 · 3769ed6c66
commit 3769ed6c66
parent 93469d811d
6 changed files with 125 additions and 8 deletions
--- a/src/analyzer/protocol/ssh/consts.pac
+++ b/src/analyzer/protocol/ssh/consts.pac
@ -2,6 +2,7 @@ enum version {
 	SSH1 = 1,
 	SSH2 = 2,
 	UNK  = 3,
+	SSH199 = 4,
 };

 enum state {
--- a/src/analyzer/protocol/ssh/ssh-protocol.pac
+++ b/src/analyzer/protocol/ssh/ssh-protocol.pac
@ -275,6 +275,8 @@ refine connection SSH_Conn += {
 		int state_up_;
 		int state_down_;
 		int version_;
+		int version_client_;
+		int version_server_;
 		int encrypted_bytes_in_current_segment_;

 		bool kex_orig_;
@ -287,6 +289,8 @@ refine connection SSH_Conn += {
 		state_up_   = VERSION_EXCHANGE;
 		state_down_ = VERSION_EXCHANGE;
 		version_    = UNK;
+		version_client_    = UNK;
+		version_server_    = UNK;
 		encrypted_bytes_in_current_segment_ = 0;

 		kex_seen_ = false;
@ -343,15 +347,67 @@ refine connection SSH_Conn += {
 		return version_;
 		%}

+	# If the version is 1.99, that means the client/server is compatible
+	# with sshv1 and sshv2. So one says version 2 and the other 1.99
+	# the connection will be in version 2 otherwise if its version 1.x and
+	# 1.99 the connection be in version 1. See RFC 4253 chapter 5.
 	function update_version(v: bytestring, is_orig: bool) : bool
 		%{
-		if ( is_orig && ( v.length() >= 4 ) )
+		if ( v.length() >= 5 )
 			{
 			if ( v[4] == '2' )
-				version_ = SSH2;
+				{
+				if ( is_orig )
+					version_client_ = SSH2;
+				else
+					version_server_ = SSH2;
+				}
 			if ( v[4] == '1' )
-				version_ = SSH1;
+				{
+				if ( v.length() >= 8 && v[6] == '9' && v[7] == '9' )
+					{
+					if ( is_orig )
+						version_client_ = SSH199;
+					else
+						version_server_ = SSH199;
+					}
+				else
+					{
+					if ( is_orig)
+						version_client_ = SSH1;
+					else
+						version_server_ = SSH1;
+					}
+				}
 			}
+
+			if ( version_server_ == version_client_ )
+                {
+                // SSH199 vs SSH199 -> 2
+                if (version_server_ == SSH199 )
+				    version_ = SSH2;
+                else
+				    version_ = version_server_;
+                }
+			// SSH1 vs SSH2 -> Undefined
+			else if ( version_client_ == SSH1 && version_server_ == SSH2 )
+				version_ = UNK;
+			// SSH2 vs SSH1 -> Undefined
+			else if ( version_client_ == SSH2 && version_server_ == SSH1 )
+				version_ = UNK;
+			// SSH199 vs SSH2 -> 2
+			else if ( version_client_ == SSH199 && version_server_ == SSH2 )
+				version_ = version_server_;
+			// SSH2 vs SSH199 -> 2
+			else if ( version_client_ == SSH2 && version_server_ == SSH199 )
+				version_ = version_client_;
+			// SSH1 vs SSH199 -> 1
+			else if ( version_client_ == SSH1 && version_server_ == SSH199 )
+				version_ = version_client_;
+			// SSH199 vs SSH1 -> 1
+			else if ( version_client_ == SSH199 && version_server_ == SSH1 )
+				version_ = version_server_;
+
 		return true;
 		%}