From 3ed6dd558518c2de64c83c3936f8df88b6583392 Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Sat, 27 Dec 2014 17:19:43 -0600
Subject: [PATCH] A bit of code cleanup.

---
 src/analyzer/protocol/ssh/ssh-analyzer.pac | 55 ++++----
 src/analyzer/protocol/ssh/ssh-protocol.pac | 157 +++++++++------------
 2 files changed, 99 insertions(+), 113 deletions(-)

diff --git a/src/analyzer/protocol/ssh/ssh-analyzer.pac b/src/analyzer/protocol/ssh/ssh-analyzer.pac
index e4dd71bc39..da940fffed 100644
--- a/src/analyzer/protocol/ssh/ssh-analyzer.pac
+++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac
@@ -1,36 +1,49 @@
-# Generated by binpac_quickstart
-
 refine flow SSH_Flow += {
 function proc_ssh_version(msg: SSH_Version): bool
 %{
 if ( ssh_client_version && ${msg.is_orig } )
- BifEvent::generate_ssh_client_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.version}));
- else if ( ssh_server_version )
- BifEvent::generate_ssh_server_version(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(), bytestring_to_val(${msg.version}));
+ {
+ BifEvent::generate_ssh_client_version(connection()->bro_analyzer(),
+ connection()->bro_analyzer()->Conn(),
+ bytestring_to_val(${msg.version}));
+ }
+ else if ( ssh_server_version )
+ {
+ BifEvent::generate_ssh_server_version(connection()->bro_analyzer(),
+ connection()->bro_analyzer()->Conn(),
+ bytestring_to_val(${msg.version}));
+ }
 return true;
 %}
 function proc_ssh_kexinit(msg: SSH_KEXINIT): bool
 %{
 if ( ssh_server_capabilities )
- BifEvent::generate_ssh_server_capabilities(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
- bytestring_to_val(${msg.kex_algorithms}), bytestring_to_val(${msg.server_host_key_algorithms}),
- bytestring_to_val(${msg.encryption_algorithms_client_to_server}),
- bytestring_to_val(${msg.encryption_algorithms_server_to_client}),
- bytestring_to_val(${msg.mac_algorithms_client_to_server}),
- bytestring_to_val(${msg.mac_algorithms_server_to_client}),
- bytestring_to_val(${msg.compression_algorithms_client_to_server}),
- bytestring_to_val(${msg.compression_algorithms_server_to_client}),
- bytestring_to_val(${msg.languages_client_to_server}),
- bytestring_to_val(${msg.languages_server_to_client}));
+ {
+ BifEvent::generate_ssh_server_capabilities(connection()->bro_analyzer(),
+ connection()->bro_analyzer()->Conn(),
+ bytestring_to_val(${msg.kex_algorithms.val}),
+ bytestring_to_val(${msg.server_host_key_algorithms.val}),
+ bytestring_to_val(${msg.encryption_algorithms_client_to_server.val}),
+ bytestring_to_val(${msg.encryption_algorithms_server_to_client.val}),
+ bytestring_to_val(${msg.mac_algorithms_client_to_server.val}),
+ bytestring_to_val(${msg.mac_algorithms_server_to_client.val}),
+ bytestring_to_val(${msg.compression_algorithms_client_to_server.val}),
+ bytestring_to_val(${msg.compression_algorithms_server_to_client.val}),
+ bytestring_to_val(${msg.languages_client_to_server.val}),
+ bytestring_to_val(${msg.languages_server_to_client.val}));
+ }
 return true;
 %}
 function proc_ssh_server_host_key(key: bytestring): bool
 %{
 if ( ssh_server_host_key )
- BifEvent::generate_ssh_server_host_key(connection()->bro_analyzer(), connection()->bro_analyzer()->Conn(),
- bytestring_to_val(${key}));
+ {
+ BifEvent::generate_ssh_server_host_key(connection()->bro_analyzer(),
+ connection()->bro_analyzer()->Conn(),
+ bytestring_to_val(${key}));
+ }
 return true;
 %}
@@ -40,12 +53,6 @@ refine flow SSH_Flow += {
 return true;
 %}
- function debug(loc: uint8): bool
- %{
- printf("DEBUG: %d", loc);
- return true;
- %}
-
 };
 refine typeattr SSH_Version += &let {
@@ -61,5 +68,5 @@ refine typeattr SSH_DH_GEX_REPLY += &let {
 };
 refine typeattr SSH_Message += &let {
- proc_newkeys: bool = $context.flow.proc_newkeys() &if(msg_type == SSH_MSG_NEWKEYS);
+ proc_newkeys: bool = $context.flow.proc_newkeys() &if(msg_type == SSH2_MSG_NEWKEYS);
 };
\ No newline at end of file
diff --git a/src/analyzer/protocol/ssh/ssh-protocol.pac b/src/analyzer/protocol/ssh/ssh-protocol.pac
index 03f47fd67a..d14af0a663 100644
--- a/src/analyzer/protocol/ssh/ssh-protocol.pac
+++ b/src/analyzer/protocol/ssh/ssh-protocol.pac
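Review bot: In proc_ssh_version the `else if ( ssh_server_version )` branch still runs for an originator's banner whenever no `ssh_client_version` handler is present, because the preceding test ANDs the handler check with `${msg.is_orig }`; the client's version line is then raised as the server's version. Gating the second branch on direction as well fixes it: `else if ( ssh_server_version && ! ${msg.is_orig} )`. proc_ssh_kexinit likewise raises ssh_server_capabilities without looking at the direction, so if the typeattr that calls it (not in this hunk) fires for both sides, the client's KEXINIT lists would be reported as server capabilities — worth a direction check or a comment pinning which side is expected. The refine flow SSH_Flow block enclosing these functions closes outside the hunk.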
@@ -5,43 +5,43 @@ enum state {
 };
 enum message_id {
- SSH_MSG_DISCONNECT = 1,
- SSH_MSG_IGNORE = 2,
- SSH_MSG_UNIMPLEMENTED = 3,
- SSH_MSG_DEBUG = 4,
- SSH_MSG_SERVICE_REQUEST = 5,
- SSH_MSG_SERVICE_ACCEPT = 6,
- SSH_MSG_KEXINIT = 20,
- SSH_MSG_NEWKEYS = 21,
- SSH_MSG_KEX_DH_GEX_REQUEST_OLD = 30,
- SSH_MSG_KEX_DH_GEX_GROUP = 31,
- SSH_MSG_KEX_DH_GEX_INIT = 32,
- SSH_MSG_KEX_DH_GEX_REPLY = 33,
- SSH_MSG_KEX_DH_GEX_REQUEST = 34,
- SSH_MSG_USERAUTH_REQUEST = 50,
- SSH_MSG_USERAUTH_FAILURE = 51,
- SSH_MSG_USERAUTH_SUCCESS = 52,
- SSH_MSG_USERAUTH_BANNER = 53,
- SSH_MSG_GLOBAL_REQUEST = 80,
- SSH_MSG_REQUEST_SUCCESS = 81,
- SSH_MSG_REQUEST_FAILURE = 82,
- SSH_MSG_CHANNEL_OPEN = 90,
- SSH_MSG_CHANNEL_OPEN_CONFIRMATION = 91,
- SSH_MSG_CHANNEL_OPEN_FAILURE = 92,
- SSH_MSG_CHANNEL_WINDOW_ADJUST = 93,
- SSH_MSG_CHANNEL_DATA = 94,
- SSH_MSG_CHANNEL_EXTENDED_DATA = 95,
- SSH_MSG_CHANNEL_EOF = 96,
- SSH_MSG_CHANNEL_CLOSE = 97,
- SSH_MSG_CHANNEL_REQUEST = 98,
- SSH_MSG_CHANNEL_SUCCESS = 99,
- SSH_MSG_CHANNEL_FAILURE = 100,
+ SSH2_MSG_DISCONNECT = 1,
+ SSH2_MSG_IGNORE = 2,
+ SSH2_MSG_UNIMPLEMENTED = 3,
+ SSH2_MSG_DEBUG = 4,
+ SSH2_MSG_SERVICE_REQUEST = 5,
+ SSH2_MSG_SERVICE_ACCEPT = 6,
+ SSH2_MSG_KEXINIT = 20,
+ SSH2_MSG_NEWKEYS = 21,
+ SSH2_MSG_KEX_DH_GEX_REQUEST_OLD = 30,
+ SSH2_MSG_KEX_DH_GEX_GROUP = 31,
+ SSH2_MSG_KEX_DH_GEX_INIT = 32,
+ SSH2_MSG_KEX_DH_GEX_REPLY = 33,
+ SSH2_MSG_KEX_DH_GEX_REQUEST = 34,
+ SSH2_MSG_USERAUTH_REQUEST = 50,
+ SSH2_MSG_USERAUTH_FAILURE = 51,
+ SSH2_MSG_USERAUTH_SUCCESS = 52,
+ SSH2_MSG_USERAUTH_BANNER = 53,
+ SSH2_MSG_GLOBAL_REQUEST = 80,
+ SSH2_MSG_REQUEST_SUCCESS = 81,
+ SSH2_MSG_REQUEST_FAILURE = 82,
+ SSH2_MSG_CHANNEL_OPEN = 90,
+ SSH2_MSG_CHANNEL_OPEN_CONFIRMATION = 91,
+ SSH2_MSG_CHANNEL_OPEN_FAILURE = 92,
+ SSH2_MSG_CHANNEL_WINDOW_ADJUST = 93,
+ SSH2_MSG_CHANNEL_DATA = 94,
+ SSH2_MSG_CHANNEL_EXTENDED_DATA = 95,
+ SSH2_MSG_CHANNEL_EOF = 96,
+ SSH2_MSG_CHANNEL_CLOSE = 97,
+ SSH2_MSG_CHANNEL_REQUEST = 98,
+ SSH2_MSG_CHANNEL_SUCCESS = 99,
+ SSH2_MSG_CHANNEL_FAILURE = 100,
 };
 type SSH_PDU(is_orig: bool) = case $context.connection.get_state(is_orig) of {
- VERSION_EXCHANGE -> version: SSH_Version(is_orig);
- KEY_EXCHANGE_CLEARTEXT -> kex: SSH_Key_Exchange(is_orig);
- ENCRYPTED -> ciphertext: bytestring &length=1 &transient;
+ VERSION_EXCHANGE -> version: SSH_Version(is_orig);
+ KEY_EXCHANGE_CLEARTEXT -> kex: SSH_Key_Exchange(is_orig);
+ ENCRYPTED -> ciphertext: bytestring &length=1 &transient;
 } &byteorder=bigendian;
 type SSH_Version(is_orig: bool) = record {
@@ -51,7 +51,7 @@ type SSH_Version(is_orig: bool) = record {
 };
 type SSH_Key_Exchange_Header(is_orig: bool) = record {
- packet_length: uint32;
+ packet_length : uint32;
 padding_length: uint8;
 } &length=5;
@@ -61,89 +61,68 @@ type SSH_Key_Exchange(is_orig: bool) = record {
 pad : bytestring &length=header.padding_length;
 };
-type SSH_Payload_Header(length: uint32) = record {
+type SSH_Payload_Header = record {
 message_type: uint8;
 } &length=1;
 type SSH_Payload(is_orig: bool, packet_length: uint32) = record {
- header: SSH_Payload_Header(packet_length);
+ header: SSH_Payload_Header;
 message: SSH_Message(is_orig, header.message_type, packet_length);
 };
 type SSH_Message(is_orig: bool, msg_type: uint8, packet_length: uint32) = case msg_type of {
- SSH_MSG_KEXINIT -> kexinit: SSH_KEXINIT(is_orig, packet_length);
- SSH_MSG_KEX_DH_GEX_REQUEST -> dh_gex_request: SSH_DH_GEX_REQUEST(is_orig, packet_length);
- SSH_MSG_KEX_DH_GEX_REQUEST_OLD -> dh_gex_request_old: SSH_DH_GEX_REQUEST_OLD(is_orig, packet_length);
- SSH_MSG_KEX_DH_GEX_GROUP -> dh_gex_group: SSH_DH_GEX_GROUP(is_orig, packet_length);
- SSH_MSG_KEX_DH_GEX_INIT -> dh_gex_init: SSH_DH_GEX_INIT(is_orig, packet_length);
- SSH_MSG_KEX_DH_GEX_REPLY -> dh_gex_reply: SSH_DH_GEX_REPLY(is_orig, packet_length);
- SSH_MSG_NEWKEYS -> new_keys: bytestring &length=packet_length;
+ SSH2_MSG_KEXINIT -> kexinit: SSH_KEXINIT(packet_length);
+ SSH2_MSG_KEX_DH_GEX_REQUEST -> dh_gex_request: SSH_DH_GEX_REQUEST(packet_length);
+ SSH2_MSG_KEX_DH_GEX_REQUEST_OLD -> dh_gex_request_old: SSH_DH_GEX_REQUEST_OLD(packet_length);
+ SSH2_MSG_KEX_DH_GEX_GROUP -> dh_gex_group: SSH_DH_GEX_GROUP(packet_length);
+ SSH2_MSG_KEX_DH_GEX_INIT -> dh_gex_init: SSH_DH_GEX_INIT(packet_length);
+ SSH2_MSG_KEX_DH_GEX_REPLY -> dh_gex_reply: SSH_DH_GEX_REPLY(packet_length);
+ SSH2_MSG_NEWKEYS -> new_keys: bytestring &length=packet_length;
 } &let {
- detach: bool = $context.connection.update_state(ENCRYPTED, is_orig) &if(msg_type == SSH_MSG_NEWKEYS);
+ detach: bool = $context.connection.update_state(ENCRYPTED, is_orig) &if(msg_type == SSH2_MSG_NEWKEYS);
 };
-type SSH_KEXINIT(is_orig: bool, length: uint32) = record {
- cookie : bytestring &length=16;
- kex_algorithms_len : uint32;
- kex_algorithms : bytestring &length=kex_algorithms_len;
- server_host_key_algorithms_len : uint32;
- server_host_key_algorithms : bytestring &length=server_host_key_algorithms_len;
- encryption_algorithms_client_to_server_len : uint32;
- encryption_algorithms_client_to_server : bytestring &length=encryption_algorithms_client_to_server_len;
- encryption_algorithms_server_to_client_len : uint32;
- encryption_algorithms_server_to_client : bytestring &length=encryption_algorithms_server_to_client_len;
- mac_algorithms_client_to_server_len : uint32;
- mac_algorithms_client_to_server : bytestring &length=mac_algorithms_client_to_server_len;
- mac_algorithms_server_to_client_len : uint32;
- mac_algorithms_server_to_client : bytestring &length=mac_algorithms_server_to_client_len;
- compression_algorithms_client_to_server_len : uint32;
- compression_algorithms_client_to_server : bytestring &length=compression_algorithms_client_to_server_len;
- compression_algorithms_server_to_client_len : uint32;
- compression_algorithms_server_to_client : bytestring &length=compression_algorithms_server_to_client_len;
- languages_client_to_server_len : uint32;
- languages_client_to_server : bytestring &length=languages_client_to_server_len;
- languages_server_to_client_len : uint32;
- languages_server_to_client : bytestring &length=languages_server_to_client_len;
- first_kex_packet_follows : uint8;
- reserved : uint32;
+type SSH_KEXINIT(length: uint32) = record {
+ cookie : bytestring &length=16;
+ kex_algorithms : ssh_string;
+ server_host_key_algorithms : ssh_string;
+ encryption_algorithms_client_to_server : ssh_string;
+ encryption_algorithms_server_to_client : ssh_string;
+ mac_algorithms_client_to_server : ssh_string;
+ mac_algorithms_server_to_client : ssh_string;
+ compression_algorithms_client_to_server : ssh_string;
+ compression_algorithms_server_to_client : ssh_string;
+ languages_client_to_server : ssh_string;
+ languages_server_to_client : ssh_string;
+ first_kex_packet_follows : uint8;
+ reserved : uint32;
 } &length=length;
-type SSH_DH_GEX_REQUEST(is_orig: bool, length: uint32) = record {
+type SSH_DH_GEX_REQUEST(length: uint32) = record {
 min: uint32;
 n : uint32;
 max: uint32;
 } &length=12;
-type SSH_DH_GEX_REQUEST_OLD(is_orig: bool, length: uint32) = record {
+type SSH_DH_GEX_REQUEST_OLD(length: uint32) = record {
 payload: bytestring &length=length;
 } &length=length;
-type SSH_DH_GEX_GROUP(is_orig: bool, length: uint32) = record {
- p: mpint;
- g: mpint;
+type SSH_DH_GEX_GROUP(length: uint32) = record {
+ p: ssh_string;
+ g: ssh_string;
 } &length=length;
-type SSH_DH_GEX_INIT(is_orig: bool, length: uint32) = record {
- e: mpint;
+type SSH_DH_GEX_INIT(length: uint32) = record {
+ e: ssh_string;
 } &length=length;
-type SSH_DH_GEX_REPLY(is_orig: bool, length: uint32) = record {
+type SSH_DH_GEX_REPLY(length: uint32) = record {
 k_s : ssh_string;
- f : mpint;
+ f : ssh_string;
 signature: ssh_string;
 } &length=length;
-#type SSH_NEWKEYS(is_orig: bool, length: uint32) = record {
-# blah: ;
-#} &let {
-# detach: bool = $context.connection.detach();
-#} &length=0;
-
-type mpint = record {
- len: uint32;
- val: bytestring &length=len;
-};
-
 type ssh_string = record {
 len: uint32;
 val: bytestring &length=len;