author | Luca Deri <deri@ntop.org> | 2019-10-25 00:05:18 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2019-10-25 00:05:18 +0200 |
commit | e6f9177fdb404cb6066c8d74c08efce9f5090823 (patch) | |
tree | 673a8921b80cc81c7c75f15f8aba26d2b5081e4f /src/lib/protocols/ssh.c | |
parent | c3f6a4a57a6fd8c4ee29cac589a177a959f191a1 (diff) |
SSH dissection improvements
Diffstat (limited to 'src/lib/protocols/ssh.c')
-rw-r--r-- | src/lib/protocols/ssh.c | 86 |
1 files changed, 46 insertions, 40 deletions
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index 8f2eecb9a..5bdf78959 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -60,8 +60,34 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct /* ************************************************************************ */ +static int search_ssh_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + ndpi_search_ssh_tcp(ndpi_struct, flow); + + if((flow->protos.ssh.hassh_client[0] != '\0') + && (flow->protos.ssh.hassh_server[0] != '\0')) { + /* stop extra processing */ + flow->extra_packets_func = NULL; /* We're good now */ + return(0); + } + + /* Possibly more processing */ + return(1); +} + +/* ************************************************************************ */ + static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + if(flow->extra_packets_func != NULL) + return; + + flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH; + + /* This is necessary to inform the core to call this dissector again */ + flow->check_extra_packets = 1; + flow->max_extra_packets_to_check = 12; + flow->extra_packets_func = search_ssh_again; + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSH, NDPI_PROTOCOL_UNKNOWN); } @@ -185,7 +211,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet, /* ssh.languages_server_to_client [None] */ #ifdef SSH_DEBUG - printf("\n[SSH] %s\n", buf); + printf("[SSH] %s\n", buf); #endif return(buf_out_len); @@ -193,7 +219,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet, invalid_payload: #ifdef SSH_DEBUG - printf("\n[SSH] Invalid packet payload\n"); + printf("[SSH] Invalid packet payload\n"); #endif return(0); 
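Review bot: `ndpi_int_ssh_add_connection` now returns early whenever `flow->extra_packets_func` is already set, so `ndpi_set_detected_protocol` and the guessed-protocol assignment run only on the first call, and the extra-packet budget moves from 8 to 12 without a word about why; a header comment should state both, e.g. `/* One-shot: marks the flow as SSH and arms search_ssh_again for up to 12 further packets (enough for both KEXINITs after the banner exchange — adjust if that assumption changes); no-op while the callback is still armed. */`. The completion test `hassh_client[0] != '\0' && hassh_server[0] != '\0'` is written twice, here in `search_ssh_again` and again at the end of `ndpi_search_ssh_tcp` in the `@@ -347,11 +350,14 @@` hunk; since that later check already clears the callback, `search_ssh_again` could reduce to `return (flow->extra_packets_func != NULL) ? 1 : 0;` after the call, assuming the core only looks at the return value to decide whether to keep calling, which I could not confirm from this file.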
@@ -215,27 +241,11 @@ static void ndpi_ssh_zap_cr(char *str, int len) { /* ************************************************************************ */ -static int search_ssh_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_search_ssh_tcp(ndpi_struct, flow); - - if((flow->protos.ssh.hassh_client[0] != '\0') - && (flow->protos.ssh.hassh_server[0] == '\0')) { - /* stop extra processing */ - flow->extra_packets_func = NULL; /* We're good now */ - return(0); - } - - /* Possibly more processing */ - return(1); -} - -/* ************************************************************************ */ - static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; #ifdef SSH_DEBUG - printf("\n[SSH] [stage: %u]\n", flow->l4.tcp.ssh_stage); + printf("[SSH] %s()\n", __FUNCTION__); #endif if(flow->l4.tcp.ssh_stage == 0) { @@ -249,20 +259,13 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len); #ifdef SSH_DEBUG - printf("\n[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature); + printf("[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature); #endif } NDPI_LOG_DBG2(ndpi_struct, "ssh stage 0 passed\n"); flow->l4.tcp.ssh_stage = 1 + packet->packet_direction; - flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH; ndpi_int_ssh_add_connection(ndpi_struct, flow); - - /* This is necessary to inform the core to call this dissector again */ - flow->check_extra_packets = 1; - flow->max_extra_packets_to_check = 8; - flow->extra_packets_func = search_ssh_again; - return; } } else if(flow->l4.tcp.ssh_stage == (2 - packet->packet_direction)) { 
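Review bot: The new debug line in `ndpi_search_ssh_tcp` uses `__FUNCTION__`, a GCC/Clang extension, where the C99 standard `__func__` does the same job, and it drops the stage number the old message printed even though every branch below keys on `flow->l4.tcp.ssh_stage`; suggest `printf("[SSH] %s() [stage: %u]\n", __func__, flow->l4.tcp.ssh_stage);`. This is under `SSH_DEBUG` only, so it is a style point rather than a runtime one. `ndpi_search_ssh_tcp` continues past the end of this hunk.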
@@ -276,7 +279,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len); #ifdef SSH_DEBUG - printf("\n[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature); + printf("[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature); #endif NDPI_LOG_DBG2(ndpi_struct, "ssh stage 1 passed\n"); @@ -287,7 +290,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct } #ifdef SSH_DEBUG - printf("\n[SSH] [completed stage: %u]\n", flow->l4.tcp.ssh_stage); + printf("[SSH] [completed stage: %u]\n", flow->l4.tcp.ssh_stage); #endif flow->l4.tcp.ssh_stage = 3; @@ -297,16 +300,16 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct u_int8_t msgcode = *(packet->payload + 5); ndpi_MD5_CTX ctx; -#ifdef SSH_DEBUG - printf("\n[SSH] [stage: %u][msg: %u]\n", flow->l4.tcp.ssh_stage, msgcode); -#endif - if(msgcode == 20 /* key exchange init */) { char *hassh_buf = calloc(packet->payload_packet_len, sizeof(char)); u_int i, len; +#ifdef SSH_DEBUG + printf("[SSH] [stage: %u][msg: %u][direction: %u][key exchange init]\n", flow->l4.tcp.ssh_stage, msgcode, packet->packet_direction); +#endif + if(hassh_buf) { - if(flow->l4.tcp.ssh_stage == 3) { + if(packet->packet_direction == 0 /* client */) { u_char fingerprint_client[16]; len = concat_hash_string(packet, hassh_buf, 1 /* client */); @@ -317,7 +320,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct #ifdef SSH_DEBUG { - printf("\n[SSH] [client][%s][", hassh_buf); + printf("[SSH] [client][%s][", hassh_buf); for(i=0; i<16; i++) printf("%02X", fingerprint_client[i]); printf("]\n"); } 
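Review bot: In the `@@ -297,16 +300,16 @@` hunk the client/server split now keys on `packet->packet_direction == 0`, while stage 0 and the `(2 - packet->packet_direction)` stage treat whichever side sent the first banner as the client; if the core does not guarantee that direction 0 is the flow initiator (a flow first seen mid-stream, for instance), the two KEXINIT fingerprints land in the wrong `hassh_client`/`hassh_server` field and the completion test still passes. Either document the assumption next to the comparison, `/* assumes direction 0 is the initiator, i.e. the side whose banner was parsed at stage 0 */`, or record the client direction at stage 0 and compare against that here. Separately, `msgcode = *(packet->payload + 5)` at the top of the hunk requires `payload_packet_len > 5`; the guard, if there is one, sits above the hunk and I could not confirm it. `ndpi_search_ssh_tcp` begins and ends outside this hunk.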
@@ -335,7 +338,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct #ifdef SSH_DEBUG { - printf("\n[SSH] [server][%s][", hassh_buf); + printf("[SSH] [server][%s][", hassh_buf); for(i=0; i<16; i++) printf("%02X", fingerprint_server[i]); printf("]\n"); } @@ -347,11 +350,14 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct free(hassh_buf); } - } - if(flow->l4.tcp.ssh_stage++ == 4) { - NDPI_LOG_INFO(ndpi_struct, "found ssh\n"); ndpi_int_ssh_add_connection(ndpi_struct, flow); + } + + if((flow->protos.ssh.hassh_client[0] != '\0') && (flow->protos.ssh.hassh_server[0] != '\0')) { +#ifdef SSH_DEBUG + printf("[SSH] Dissection completed\n"); +#endif flow->extra_packets_func = NULL; /* We're good now */ } @@ -359,7 +365,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct } #ifdef SSH_DEBUG - printf("\n[SSH] Excluding SSH"); + printf("[SSH] Excluding SSH"); #endif NDPI_LOG_DBG(ndpi_struct, "excluding ssh at stage %d\n", flow->l4.tcp.ssh_stage); |
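Review bot: With the `ssh_stage++ == 4` test removed in the `@@ -347,11 +350,14 @@` hunk, `flow->l4.tcp.ssh_stage` is never advanced past 3 for the rest of the flow and the `found ssh` NDPI_LOG_INFO disappears without a replacement; the exclusion log at the bottom of the function still prints the stage, so anyone reading that output will now always see 3 — worth a comment such as `/* stage stays at 3 from here on; completion is tracked via hassh_client/hassh_server, not the stage counter */`. The `ndpi_int_ssh_add_connection` call kept inside the `msgcode == 20` branch is a no-op while the extra-packets callback is armed, which it is from stage 0 onward, so unless the dissector can be re-entered after the callback has been cleared it can be dropped or annotated as intentionally redundant. `ndpi_search_ssh_tcp` starts outside this hunk.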