Detect ssh rust v2

rust/src/ssh/detect.rs

@@ -15,7 +15,9 @@
  * 02110-1301, USA.
  */
 
-use super::ssh::{SSHConnectionState, SSHTransaction, ALPROTO_SSH};
+use super::ssh::{
+    SCSshEnableHassh, SCSshHasshIsEnabled, SSHConnectionState, SSHTransaction, ALPROTO_SSH,
+};
 use crate::core::{STREAM_TOCLIENT, STREAM_TOSERVER};
 use crate::detect::{helper_keyword_register_sticky_buffer, SigTableElmtStickyBuffer};
 use crate::direction::Direction;
@@ -24,7 +26,8 @@ use std::ptr;
 use suricata_sys::sys::{
     DetectEngineCtx, SCDetectBufferSetActiveList, SCDetectHelperBufferProgressMpmRegister,
     SCDetectHelperKeywordAliasRegister, SCDetectHelperKeywordRegister,
-    SCDetectSignatureSetAppProto, SCSigTableAppLiteElmt, Signature,
+    SCDetectRegisterBufferLowerMd5Callbacks, SCDetectSignatureSetAppProto,
+    SCSigMatchSilentErrorEnabled, SCSigTableAppLiteElmt, Signature,
 };
 
 #[no_mangle]
@@ -86,60 +89,60 @@ pub unsafe extern "C" fn SCSshTxGetSoftware(
 
 #[no_mangle]
 pub unsafe extern "C" fn SCSshTxGetHassh(
-    tx: *mut std::os::raw::c_void, buffer: *mut *const u8, buffer_len: *mut u32, direction: u8,
-) -> u8 {
+    tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32,
+) -> bool {
     let tx = cast_pointer!(tx, SSHTransaction);
     match direction.into() {
         Direction::ToServer => {
             let m = &tx.cli_hdr.hassh;
             if !m.is_empty() {
                 *buffer = m.as_ptr();
                 *buffer_len = m.len() as u32;
-                return 1;
+                return true;
             }
         }
         Direction::ToClient => {
             let m = &tx.srv_hdr.hassh;
             if !m.is_empty() {
                 *buffer = m.as_ptr();
                 *buffer_len = m.len() as u32;
-                return 1;
+                return true;
             }
         }
     }
     *buffer = ptr::null();
     *buffer_len = 0;
 
-    return 0;
+    return false;
 }
 
 #[no_mangle]
 pub unsafe extern "C" fn SCSshTxGetHasshString(
-    tx: *mut std::os::raw::c_void, buffer: *mut *const u8, buffer_len: *mut u32, direction: u8,
-) -> u8 {
+    tx: *const c_void, direction: u8, buffer: *mut *const u8, buffer_len: *mut u32,
+) -> bool {
     let tx = cast_pointer!(tx, SSHTransaction);
     match direction.into() {
         Direction::ToServer => {
             let m = &tx.cli_hdr.hassh_string;
             if !m.is_empty() {
                 *buffer = m.as_ptr();
                 *buffer_len = m.len() as u32;
-                return 1;
+                return true;
             }
         }
         Direction::ToClient => {
             let m = &tx.srv_hdr.hassh_string;
             if !m.is_empty() {
                 *buffer = m.as_ptr();
                 *buffer_len = m.len() as u32;
-                return 1;
+                return true;
             }
         }
     }
     *buffer = ptr::null();
     *buffer_len = 0;
 
-    return 0;
+    return false;
 }
 
 unsafe extern "C" fn ssh_software_setup(
@@ -166,6 +169,94 @@ unsafe extern "C" fn ssh_proto_setup(
     return 0;
 }
 
+unsafe extern "C" fn ssh_hassh_string_setup(
+    de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char,
+) -> c_int {
+    if SCDetectSignatureSetAppProto(s, ALPROTO_SSH) != 0 {
+        return -1;
+    }
+    if SCDetectBufferSetActiveList(de, s, G_SSH_HASSH_STR_BUFFER_ID) < 0 {
+        return -1;
+    }
+    /* try to enable Hassh */
+    SCSshEnableHassh();
+
+    /* Check if Hassh is disabled */
+    if !SCSshHasshIsEnabled() {
+        if !SCSigMatchSilentErrorEnabled(de, DETECT_SSH_HASSH_STRING) {
+            SCLogError!("hassh support is not enabled");
+        }
+        return -2;
+    }
+    return 0;
+}
+
+unsafe extern "C" fn ssh_hassh_server_string_setup(
+    de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char,
+) -> c_int {
+    if SCDetectSignatureSetAppProto(s, ALPROTO_SSH) != 0 {
+        return -1;
+    }
+    if SCDetectBufferSetActiveList(de, s, G_SSH_HASSH_SRV_STR_BUFFER_ID) < 0 {
+        return -1;
+    }
+    /* try to enable Hassh */
+    SCSshEnableHassh();
+
+    /* Check if Hassh is disabled */
+    if !SCSshHasshIsEnabled() {
+        if !SCSigMatchSilentErrorEnabled(de, DETECT_SSH_HASSH_SERVER_STRING) {
+            SCLogError!("hassh support is not enabled");
+        }
+        return -2;
+    }
+    return 0;
+}
+
+unsafe extern "C" fn ssh_hassh_setup(
+    de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char,
+) -> c_int {
+    if SCDetectSignatureSetAppProto(s, ALPROTO_SSH) != 0 {
+        return -1;
+    }
+    if SCDetectBufferSetActiveList(de, s, G_SSH_HASSH_BUFFER_ID) < 0 {
+        return -1;
+    }
+    /* try to enable Hassh */
+    SCSshEnableHassh();
+
+    /* Check if Hassh is disabled */
+    if !SCSshHasshIsEnabled() {
+        if !SCSigMatchSilentErrorEnabled(de, DETECT_SSH_HASSH) {
+            SCLogError!("hassh support is not enabled");
+        }
+        return -2;
+    }
+    return 0;
+}
+
+unsafe extern "C" fn ssh_hassh_server_setup(
+    de: *mut DetectEngineCtx, s: *mut Signature, _raw: *const std::os::raw::c_char,
+) -> c_int {
+    if SCDetectSignatureSetAppProto(s, ALPROTO_SSH) != 0 {
+        return -1;
+    }
+    if SCDetectBufferSetActiveList(de, s, G_SSH_HASSH_SRV_BUFFER_ID) < 0 {
+        return -1;
+    }
+    /* try to enable Hassh */
+    SCSshEnableHassh();
+
+    /* Check if Hassh is disabled */
+    if !SCSshHasshIsEnabled() {
+        if !SCSigMatchSilentErrorEnabled(de, DETECT_SSH_HASSH_SERVER) {
+            SCLogError!("hassh support is not enabled");
+        }
+        return -2;
+    }
+    return 0;
+}
+
 unsafe extern "C" fn ssh_software_obsolete_setup(
     _de: *mut DetectEngineCtx, _s: *mut Signature, _raw: *const std::os::raw::c_char,
 ) -> c_int {
@@ -182,6 +273,15 @@ unsafe extern "C" fn ssh_proto_obsolete_setup(
 
 static mut G_SSH_SOFTWARE_BUFFER_ID: c_int = 0;
 static mut G_SSH_PROTO_BUFFER_ID: c_int = 0;
+static mut G_SSH_HASSH_STR_BUFFER_ID: c_int = 0;
+static mut G_SSH_HASSH_SRV_STR_BUFFER_ID: c_int = 0;
+static mut G_SSH_HASSH_BUFFER_ID: c_int = 0;
+static mut G_SSH_HASSH_SRV_BUFFER_ID: c_int = 0;
+
+static mut DETECT_SSH_HASSH_STRING: u16 = 0;
+static mut DETECT_SSH_HASSH_SERVER_STRING: u16 = 0;
+static mut DETECT_SSH_HASSH: u16 = 0;
+static mut DETECT_SSH_HASSH_SERVER: u16 = 0;
 
 #[no_mangle]
 pub unsafe extern "C" fn SCDetectSshRegister() {
@@ -246,4 +346,86 @@ pub unsafe extern "C" fn SCDetectSshRegister() {
         ssh_proto_kw_id,
         b"ssh_proto\0".as_ptr() as *const libc::c_char,
     );
+
+    let kw = SigTableElmtStickyBuffer {
+        name: String::from("ssh.hassh.string"),
+        desc: String::from("ssh.hassh.string sticky buffer"),
+        url: String::from("/rules/ssh-keywords.html#hassh.string"),
+        setup: ssh_hassh_string_setup,
+    };
+    DETECT_SSH_HASSH_STRING = helper_keyword_register_sticky_buffer(&kw);
+    G_SSH_HASSH_STR_BUFFER_ID = SCDetectHelperBufferProgressMpmRegister(
+        b"ssh.hassh.string\0".as_ptr() as *const libc::c_char,
+        b"Ssh Client Key Exchange methods For ssh Clients\0".as_ptr() as *const libc::c_char,
+        ALPROTO_SSH,
+        STREAM_TOSERVER,
+        Some(SCSshTxGetHasshString),
+        SSHConnectionState::SshStateBannerDone as c_int,
+    );
+    SCDetectHelperKeywordAliasRegister(
+        DETECT_SSH_HASSH_STRING,
+        b"ssh-hassh-string\0".as_ptr() as *const libc::c_char,
+    );
+
+    let kw = SigTableElmtStickyBuffer {
+        name: String::from("ssh.hassh.server.string"),
+        desc: String::from("ssh.hassh.server.string sticky buffer"),
+        url: String::from("/rules/ssh-keywords.html#ssh.hassh.server.string"),
+        setup: ssh_hassh_server_string_setup,
+    };
+    DETECT_SSH_HASSH_SERVER_STRING = helper_keyword_register_sticky_buffer(&kw);
+    G_SSH_HASSH_SRV_STR_BUFFER_ID = SCDetectHelperBufferProgressMpmRegister(
+        b"ssh.hassh.server.string\0".as_ptr() as *const libc::c_char,
+        b"Ssh Client Key Exchange methods For ssh Servers\0".as_ptr() as *const libc::c_char,
+        ALPROTO_SSH,
+        STREAM_TOCLIENT,
+        Some(SCSshTxGetHasshString),
+        SSHConnectionState::SshStateBannerDone as c_int,
+    );
+    SCDetectHelperKeywordAliasRegister(
+        DETECT_SSH_HASSH_SERVER_STRING,
+        b"ssh-hassh-server-string\0".as_ptr() as *const libc::c_char,
+    );
+
+    let kw = SigTableElmtStickyBuffer {
+        name: String::from("ssh.hassh"),
+        desc: String::from("ssh.hassh sticky buffer"),
+        url: String::from("/rules/ssh-keywords.html#hassh"),
+        setup: ssh_hassh_setup,
+    };
+    DETECT_SSH_HASSH = helper_keyword_register_sticky_buffer(&kw);
+    G_SSH_HASSH_BUFFER_ID = SCDetectHelperBufferProgressMpmRegister(
+        b"ssh.hassh\0".as_ptr() as *const libc::c_char,
+        b"Ssh Client Fingerprinting For Ssh Clients\0".as_ptr() as *const libc::c_char,
+        ALPROTO_SSH,
+        STREAM_TOSERVER,
+        Some(SCSshTxGetHassh),
+        SSHConnectionState::SshStateBannerDone as c_int,
+    );
+    SCDetectHelperKeywordAliasRegister(
+        DETECT_SSH_HASSH,
+        b"ssh-hassh\0".as_ptr() as *const libc::c_char,
+    );
+    SCDetectRegisterBufferLowerMd5Callbacks(b"ssh.hassh\0".as_ptr() as *const libc::c_char);
+
+    let kw = SigTableElmtStickyBuffer {
+        name: String::from("ssh.hassh.server"),
+        desc: String::from("ssh.hassh.server sticky buffer"),
+        url: String::from("/rules/ssh-keywords.html#ssh.hassh.server"),
+        setup: ssh_hassh_server_setup,
+    };
+    DETECT_SSH_HASSH_SERVER = helper_keyword_register_sticky_buffer(&kw);
+    G_SSH_HASSH_SRV_BUFFER_ID = SCDetectHelperBufferProgressMpmRegister(
+        b"ssh.hassh.server\0".as_ptr() as *const libc::c_char,
+        b"Ssh Client Fingerprinting For Ssh Servers\0".as_ptr() as *const libc::c_char,
+        ALPROTO_SSH,
+        STREAM_TOCLIENT,
+        Some(SCSshTxGetHassh),
+        SSHConnectionState::SshStateBannerDone as c_int,
+    );
+    SCDetectHelperKeywordAliasRegister(
+        DETECT_SSH_HASSH_SERVER,
+        b"ssh-hassh-server\0".as_ptr() as *const libc::c_char,
+    );
+    SCDetectRegisterBufferLowerMd5Callbacks(b"ssh.hassh.server\0".as_ptr() as *const libc::c_char);
 }

rust/sys/src/sys.rs

@@ -477,6 +477,9 @@ extern "C" {
         kw: *const SCTransformTableElmt,
     ) -> ::std::os::raw::c_int;
 }
+extern "C" {
+    pub fn SCDetectRegisterBufferLowerMd5Callbacks(name: *const ::std::os::raw::c_char);
+}
 #[repr(C)]
 #[derive(Debug, Default, Copy, Clone)]
 pub struct DeStateStoreItem_ {
@@ -548,6 +551,9 @@ extern "C" {
         arg5: ::std::os::raw::c_int,
     ) -> *mut SigMatch;
 }
+extern "C" {
+    pub fn SCSigMatchSilentErrorEnabled(de_ctx: *const DetectEngineCtx, id: u16) -> bool;
+}
 extern "C" {
     pub fn SCDetectSignatureSetAppProto(
         s: *mut Signature, alproto: AppProto,

src/Makefile.am

@@ -283,10 +283,6 @@ noinst_HEADERS = \
 	detect-smb-share.h \
 	detect-smb-version.h \
 	detect-smtp.h \
-	detect-ssh-hassh-server-string.h \
-	detect-ssh-hassh-server.h \
-	detect-ssh-hassh-string.h \
-	detect-ssh-hassh.h \
 	detect-ssl-state.h \
 	detect-ssl-version.h \
 	detect-stream_size.h \
@@ -879,10 +875,6 @@ libsuricata_c_a_SOURCES = \
 	detect-smb-share.c \
 	detect-smb-version.c \
 	detect-smtp.c \
-	detect-ssh-hassh-server-string.c \
-	detect-ssh-hassh-server.c \
-	detect-ssh-hassh-string.c \
-	detect-ssh-hassh.c \
 	detect-ssl-state.c \
 	detect-ssl-version.c \
 	detect-stream_size.c \

src/detect-engine-helper.c

@@ -169,3 +169,9 @@ int SCDetectHelperTransformRegister(const SCTransformTableElmt *kw)
 
     return transform_id;
 }
+
+void SCDetectRegisterBufferLowerMd5Callbacks(const char *name)
+{
+    DetectBufferTypeRegisterSetupCallback(name, DetectLowerSetupCallback);
+    DetectBufferTypeRegisterValidateCallback(name, DetectMd5ValidateCallback);
+}

src/detect-engine-helper.h

@@ -93,4 +93,6 @@ int SCDetectHelperMultiBufferProgressMpmRegister(const char *name, const char *d
 
 int SCDetectHelperTransformRegister(const SCTransformTableElmt *kw);
 
+void SCDetectRegisterBufferLowerMd5Callbacks(const char *name);
+
 #endif /* SURICATA_DETECT_ENGINE_HELPER_H */

src/detect-engine-register.c

@@ -234,10 +234,6 @@
 #include "detect-tls.h"
 #include "detect-tls-cert-validity.h"
 #include "detect-tls-version.h"
-#include "detect-ssh-hassh.h"
-#include "detect-ssh-hassh-server.h"
-#include "detect-ssh-hassh-string.h"
-#include "detect-ssh-hassh-server-string.h"
 #include "detect-http-stat-code.h"
 #include "detect-ssl-version.h"
 #include "detect-ssl-state.h"
@@ -710,10 +706,6 @@ void SigTableSetup(void)
     DetectBsizeRegister();
     DetectDetectionFilterRegister();
     DetectAsn1Register();
-    DetectSshHasshRegister();
-    DetectSshHasshServerRegister();
-    DetectSshHasshStringRegister();
-    DetectSshHasshServerStringRegister();
     DetectSslStateRegister();
     DetectSslVersionRegister();
     DetectByteExtractRegister();

src/detect-engine-register.h

@@ -189,10 +189,6 @@ enum DetectKeywordId {
     DETECT_HTTP_REQUEST_LINE,
     DETECT_HTTP_RESPONSE_LINE,
     DETECT_NFS_VERSION,
-    DETECT_SSH_HASSH,
-    DETECT_SSH_HASSH_SERVER,
-    DETECT_SSH_HASSH_STRING,
-    DETECT_SSH_HASSH_SERVER_STRING,
     DETECT_SSL_VERSION,
     DETECT_SSL_STATE,
     DETECT_FILE_DATA,