SSH: split banner into client/server parts

This is preparatory work and should not lead to functional changes.
Client and server banners can be quite different in practice.
This commit is contained in:
Johanna Amann 2025-03-12 15:06:31 +00:00
parent 1b655836be
commit 629f2bd03a
2 changed files with 34 additions and 19 deletions


@ -58,20 +58,19 @@ const char* fingerprint_md5(const unsigned char* d)
%} %}
refine flow SSH_Flow += { refine flow SSH_Flow += {
function proc_ssh_version(msg: SSH_Version): bool function proc_ssh_version_client(msg: SSH_Version_Client): bool
%{ %{
if ( ssh_client_version && ${msg.is_orig } )
{
zeek::BifEvent::enqueue_ssh_client_version(connection()->zeek_analyzer(), zeek::BifEvent::enqueue_ssh_client_version(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
to_stringval(${msg.version})); to_stringval(${msg.version}));
} return true;
else if ( ssh_server_version ) %}
{
function proc_ssh_version_server(msg: SSH_Version_Server): bool
%{
zeek::BifEvent::enqueue_ssh_server_version(connection()->zeek_analyzer(), zeek::BifEvent::enqueue_ssh_server_version(connection()->zeek_analyzer(),
connection()->zeek_analyzer()->Conn(), connection()->zeek_analyzer()->Conn(),
to_stringval(${msg.version})); to_stringval(${msg.version}));
}
return true; return true;
%} %}
@ -267,8 +266,12 @@ refine flow SSH_Flow += {
%} %}
}; };
refine typeattr SSH_Version += &let { refine typeattr SSH_Version_Client += &let {
proc: bool = $context.flow.proc_ssh_version(this); proc: bool = $context.flow.proc_ssh_version_client(this);
};
refine typeattr SSH_Version_Server += &let {
proc: bool = $context.flow.proc_ssh_version_server(this);
}; };
refine typeattr SSH2_KEXINIT += &let { refine typeattr SSH2_KEXINIT += &let {
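Review bot: Both new flow functions enqueue their event unconditionally, whereas the code they replace only did so after testing that the event had a handler (`if ( ssh_client_version ... )` / `else if ( ssh_server_version )`), so for a commit that promises no functional change the guard is worth keeping. Unless the generated enqueue_* wrappers already check for a registered handler — I cannot confirm that from here — every version line now allocates a StringVal and queues an event even when no script handles it. I would wrap the enqueue in proc_ssh_version_client with `if ( ssh_client_version )` and the one in proc_ssh_version_server with `if ( ssh_server_version )`. A one-line comment on each function, e.g. `// Originator banner only; direction is chosen by SSH_Version_Switch in the protocol file, hence no is_orig test here.`, would also explain why the `${msg.is_orig}` check disappeared from this file.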


@ -20,16 +20,28 @@ proc: bool = $context.connection.inc_encrypted_byte_count_in_current_segment();
}; };
type SSH_PDU(is_orig: bool) = case $context.connection.get_state(is_orig) of { type SSH_PDU(is_orig: bool) = case $context.connection.get_state(is_orig) of {
VERSION_EXCHANGE -> version : SSH_Version(is_orig); VERSION_EXCHANGE -> version : SSH_Version_Switch(is_orig);
ENCRYPTED -> encrypted : EncryptedByte(is_orig); ENCRYPTED -> encrypted : EncryptedByte(is_orig);
default -> kex : SSH_Key_Exchange(is_orig); default -> kex : SSH_Key_Exchange(is_orig);
} &byteorder=bigendian; } &byteorder=bigendian;
type SSH_Version(is_orig: bool) = record { type SSH_Version_Switch(is_orig: bool) = case is_orig of {
true -> client_version : SSH_Version_Client;
false -> server_version: SSH_Version_Server;
};
type SSH_Version_Server = record {
version : bytestring &oneline; version : bytestring &oneline;
} &let { } &let {
update_state : bool = $context.connection.update_state(KEX_INIT, is_orig); update_state : bool = $context.connection.update_state(KEX_INIT, false);
update_version : bool = $context.connection.update_version(version, is_orig); update_version : bool = $context.connection.update_version(version, false);
};
type SSH_Version_Client = record {
version : bytestring &oneline;
} &let {
update_state : bool = $context.connection.update_state(KEX_INIT, true);
update_version : bool = $context.connection.update_version(version, true);
}; };
type SSH_Key_Exchange(is_orig: bool) = record { type SSH_Key_Exchange(is_orig: bool) = record {
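Review bot: SSH_Version_Server and SSH_Version_Client are identical apart from the `false`/`true` literals passed to update_state and update_version, so any later change to banner handling has to be made twice, and nothing ties the hard-coded `false` in the server record to the `false -> server_version` arm of SSH_Version_Switch. If the two types are meant to diverge soon, as the commit message suggests, that is acceptable, but a comment above SSH_Version_Switch stating it would help, e.g. `# Client and server banners use separate record types so they can diverge later; the direction is fixed by the switch arm rather than passed in.`. Note also that both records keep `version : bytestring &oneline` with no explicit length bound, so unless the flow's buffer policy caps it, a peer that never sends a line terminator keeps the analyzer buffering; that predates this commit but now lives in two places.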