SSH: split banner into client/server parts

This is prepatatory work and should not lead to functional changes. Client and server banners can be quite different in practice.
2025-10-02 06:38:20 +00:00 · 2025-03-12 15:06:31 +00:00 · 2025-03-12 15:06:31 +00:00 · 629f2bd03a
commit 629f2bd03a
parent 1b655836be
2 changed files with 34 additions and 19 deletions
--- a/src/analyzer/protocol/ssh/ssh-analyzer.pac
+++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac
@ -58,20 +58,19 @@ const char* fingerprint_md5(const unsigned char* d)
 %}

 refine flow SSH_Flow += {
-	function proc_ssh_version(msg: SSH_Version): bool
+	function proc_ssh_version_client(msg: SSH_Version_Client): bool
 		%{
-		if ( ssh_client_version && ${msg.is_orig } )
-			{
 		zeek::BifEvent::enqueue_ssh_client_version(connection()->zeek_analyzer(),
 			connection()->zeek_analyzer()->Conn(),
 			to_stringval(${msg.version}));
-			}
-		else if ( ssh_server_version )
-			{
+		return true;
+		%}
+
+	function proc_ssh_version_server(msg: SSH_Version_Server): bool
+		%{
 		zeek::BifEvent::enqueue_ssh_server_version(connection()->zeek_analyzer(),
 			connection()->zeek_analyzer()->Conn(),
 			to_stringval(${msg.version}));
-			}
 		return true;
 		%}

@ -267,8 +266,12 @@ refine flow SSH_Flow += {
 		%}
 };

-refine typeattr SSH_Version += &let {
-	proc: bool = $context.flow.proc_ssh_version(this);
+refine typeattr SSH_Version_Client += &let {
+	proc: bool = $context.flow.proc_ssh_version_client(this);
+};
+
+refine typeattr SSH_Version_Server += &let {
+	proc: bool = $context.flow.proc_ssh_version_server(this);
 };

 refine typeattr SSH2_KEXINIT += &let {
--- a/src/analyzer/protocol/ssh/ssh-protocol.pac
+++ b/src/analyzer/protocol/ssh/ssh-protocol.pac
@ -20,16 +20,28 @@ proc: bool = $context.connection.inc_encrypted_byte_count_in_current_segment();
 };

 type SSH_PDU(is_orig: bool) = case $context.connection.get_state(is_orig) of {
-	VERSION_EXCHANGE -> version   : SSH_Version(is_orig);
+	VERSION_EXCHANGE -> version   : SSH_Version_Switch(is_orig);
 	ENCRYPTED        -> encrypted : EncryptedByte(is_orig);
 	default          -> kex       : SSH_Key_Exchange(is_orig);
 } &byteorder=bigendian;

-type SSH_Version(is_orig: bool) = record {
+type SSH_Version_Switch(is_orig: bool) = case is_orig of {
+	true -> client_version : SSH_Version_Client;
+	false -> server_version: SSH_Version_Server;
+};
+
+type SSH_Version_Server = record {
 	version : bytestring &oneline;
 } &let {
-	update_state   : bool = $context.connection.update_state(KEX_INIT, is_orig);
-	update_version : bool = $context.connection.update_version(version, is_orig);
+	update_state   : bool = $context.connection.update_state(KEX_INIT, false);
+	update_version : bool = $context.connection.update_version(version, false);
+};
+
+type SSH_Version_Client = record {
+	version : bytestring &oneline;
+} &let {
+	update_state   : bool = $context.connection.update_state(KEX_INIT, true);
+	update_version : bool = $context.connection.update_version(version, true);
 };

 type SSH_Key_Exchange(is_orig: bool) = record {