Rename analyzer/protocols -> analyzer/protocol

src/analyzer/protocol/ssh/CMakeLists.txt

@@ -0,0 +1,9 @@
+
+include(BroPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+bro_plugin_begin(SSH)
+bro_plugin_cc(SSH.cc Plugin.cc)
+bro_plugin_bif(events.bif)
+bro_plugin_end()

src/analyzer/protocol/ssh/Plugin.cc

@@ -0,0 +1,10 @@
+
+#include "plugin/Plugin.h"
+
+#include "SSH.h"
+
+BRO_PLUGIN_BEGIN(SSH)
+	BRO_PLUGIN_DESCRIPTION("SSH Analyzer");
+	BRO_PLUGIN_ANALYZER("SSH", ssh::SSH_Analyzer);
+	BRO_PLUGIN_BIF_FILE(events);
+BRO_PLUGIN_END

src/analyzer/protocol/ssh/SSH.cc

@@ -0,0 +1,105 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "config.h"
+
+#include <ctype.h>
+
+#include "NetVar.h"
+#include "SSH.h"
+#include "Event.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
+
+#include "events.bif.h"
+
+using namespace analyzer::ssh;
+
+SSH_Analyzer::SSH_Analyzer(Connection* c)
+: tcp::TCP_ApplicationAnalyzer("SSH", c)
+	{
+	orig = new tcp::ContentLine_Analyzer(c, true);
+	orig->SetSkipPartial(true);
+	orig->SetCRLFAsEOL(LF_as_EOL);
+	AddSupportAnalyzer(orig);
+
+	resp = new tcp::ContentLine_Analyzer(c, false);
+	resp->SetSkipPartial(true);
+	resp->SetCRLFAsEOL(LF_as_EOL);
+	AddSupportAnalyzer(resp);
+	}
+
+void SSH_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
+	{
+	tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, is_orig);
+
+	// We're all done processing this endpoint - flag it as such,
+	// before we even determine whether we have any event generation
+	// work to do, to make sure we don't do any further work on it.
+	if ( is_orig )
+		orig->SetSkipDeliveries(true);
+	else
+		resp->SetSkipDeliveries(true);
+
+	if ( TCP() )
+		{
+		// Don't try to parse version if there has already been a gap.
+		tcp::TCP_Endpoint* endp = is_orig ? TCP()->Orig() : TCP()->Resp();
+		if ( endp->HadGap() )
+			return;
+		}
+
+	const char* line = (const char*) data;
+
+	// The SSH identification looks like this:
+	//
+	//     SSH-<protocolmajor>.<protocolminor>-<version>\n
+	//
+	// We're interested in the "version" part here.
+
+	if ( length < 4 || memcmp(line, "SSH-", 4) != 0 )
+		{
+		Weird("malformed_ssh_identification");
+		ProtocolViolation("malformed ssh identification", line, length);
+		return;
+		}
+
+	int i;
+	for ( i = 4; i < length && line[i] != '-'; ++i )
+		;
+
+	if ( TCP() )
+		{
+		if ( length >= i )
+			{
+			IPAddr dst;
+
+			if ( is_orig )
+				dst = TCP()->Orig()->dst_addr;
+			else
+				dst = TCP()->Resp()->dst_addr;
+
+			if ( Conn()->VersionFoundEvent(dst, line + i,
+							length - i) )
+				ProtocolConfirmation();
+			else
+				ProtocolViolation("malformed ssh version",
+							line, length);
+			}
+		else
+			{
+			Weird("malformed_ssh_version");
+			ProtocolViolation("malformed ssh version", line, length);
+			}
+		}
+
+	// Generate SSH events.
+	EventHandlerPtr event = is_orig ?
+				ssh_client_version : ssh_server_version;
+	if ( ! event )
+		return;
+
+	val_list* vl = new val_list;
+	vl->append(BuildConnVal());
+	vl->append(new StringVal(length, line));
+
+	ConnectionEvent(event, vl);
+	}

src/analyzer/protocol/ssh/SSH.h

@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#ifndef ANALYZER_PROTOCOL_SSH_SSH_H
+#define ANALYZER_PROTOCOL_SSH_SSH_H
+
+#include "analyzer/protocol/tcp/TCP.h"
+#include "analyzer/protocol/tcp/ContentLine.h"
+
+namespace analyzer { namespace ssh {
+
+class SSH_Analyzer : public tcp::TCP_ApplicationAnalyzer {
+public:
+	SSH_Analyzer(Connection* conn);
+
+	virtual void DeliverStream(int len, const u_char* data, bool orig);
+
+	static analyzer::Analyzer* InstantiateAnalyzer(Connection* conn)
+		{ return new SSH_Analyzer(conn); }
+
+private:
+	tcp::ContentLine_Analyzer* orig;
+	tcp::ContentLine_Analyzer* resp;
+};
+
+} } // namespace analyzer::* 
+
+#endif

src/analyzer/protocol/ssh/events.bif

@@ -0,0 +1,38 @@
+## Generated when seeing an SSH client's version identification. The SSH
+## protocol starts with a clear-text handshake message that reports client and
+## server protocol/software versions. This event provides access to what the
+## client sent.
+##
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Secure_Shell>`__ for more
+## information about the SSH protocol.
+##
+## c: The connection.
+##
+## version: The version string the client sent (e.g., `SSH-2.0-libssh-0.11`).
+##
+## .. bro:see:: ssh_server_version
+##
+## .. note:: As everything after the initial version handshake proceeds
+##    encrypted, Bro cannot further analyze SSH sessions.
+event ssh_client_version%(c: connection, version: string%);
+
+## Generated when seeing an SSH server's version identification. The SSH
+## protocol starts with a clear-text handshake message that reports client and
+## server protocol/software versions. This event provides access to what the
+## server sent.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Secure_Shell>`__ for more
+## information about the SSH protocol.
+##
+## c: The connection.
+##
+## version: The version string the server sent (e.g.,
+##          ``SSH-1.99-OpenSSH_3.9p1``).
+##
+## .. bro:see:: ssh_client_version
+##
+## .. note:: As everything coming after the initial version handshake proceeds
+##    encrypted, Bro cannot further analyze SSH sessions.
+event ssh_server_version%(c: connection, version: string%);
+