Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/ndpi_utils.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/ssh.c | 52 |
2 files changed, 49 insertions, 7 deletions
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index ac2c7173c..1d33500ff 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -1525,10 +1525,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) { return("Malformed packet"); case NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER: - return("SSH obsolete client version/cipher"); + return("SSH Obsolete client version/cipher"); case NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER: - return("SSH obsolete server version/cipher"); + return("SSH Obsolete server version/cipher"); default: snprintf(buf, sizeof(buf), "%d", (int)risk); diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index 5aca9b350..5927d066b 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -25,10 +25,15 @@ #include "ndpi_protocol_ids.h" #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SSH +#define MAJOR_CUTOFF 7 +#define MINOR_CUTOFF 0 +#define PATCH_CUTOFF 0 #include "ndpi_api.h" #include "ndpi_md5.h" +#include <string.h> + /* HASSH - https://github.com/salesforce/hassh 
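Review bot: The three cutoff macros added before `#include "ndpi_api.h"` have no comment saying what they gate, and their names are very generic for a library source file. A one-line comment such as `/* OpenSSH releases older than MAJOR.MINOR.PATCH are reported as obsolete */` and a protocol prefix (for example `SSH_OPENSSH_MAJOR_CUTOFF`) would make the policy visible and avoid clashes with other definitions. The added `#include <string.h>` does not declare `sscanf` or `printf`, which the new code in this file calls; unless `ndpi_api.h` already pulls in `<stdio.h>` (not visible here), include it explicitly.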
@@ -54,18 +59,54 @@ that usually is packet 14 */ -/* #define SSH_DEBUG 1 */ +#define SSH_DEBUG 1 static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); - + /* ************************************************************************ */ -static void ssh_analyse_signature_version(struct ndpi_detection_module_struct *ndpi_struct, +static void ssh_analyze_signature_version(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *str_to_check, u_int8_t is_client_signature) { + if (str_to_check == NULL) return; + + int major = 0; + int minor = 0; + int patch = 0; + int obsolete_ssh_version = 0; + + if (sscanf(str_to_check, "SSH-%*f-OpenSSH_%d.%d.%d", &major, &minor, &patch) < 0) + return; + + if ((major || minor || patch) == 0) return; + + /* checking if is an old version */ + if (major < MAJOR_CUTOFF) obsolete_ssh_version = 1; + + else if (major == MAJOR_CUTOFF) { + if (minor < MINOR_CUTOFF) obsolete_ssh_version = 1; + + else if (minor == MINOR_CUTOFF) + if (patch < PATCH_CUTOFF) obsolete_ssh_version = 1; + } + +<<<<<<< HEAD + if (obsolete_ssh_version) { + #ifdef SSH_DEBUG + printf("[SSH] [SSH Version: %d.%d.%d]\n", major, minor, patch); + #endif + + NDPI_SET_BIT(flow->risk, (is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER : NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER)); + } +||||||| f83d0b18 + /* + if(obsolete_ssh_version) + NDPI_SET_BIT(flow->risk, is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_SIGNATURE : NDPI_SSH_OBSOLETE_SERVER_SIGNATURE); + */ +======= /* if(obsolete_ssh_version) NDPI_SET_BIT(flow->risk, is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_SIGNATURE : NDPI_SSH_OBSOLETE_SERVER_SIGNATURE); @@ -92,6 +133,7 @@ static void ssh_analyse_cipher(struct ndpi_detection_module_struct *ndpi_struct, printf("\n"); #endif +>>>>>>> ntop_origin/dev } /* ************************************************************************ */ 
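Review bot: Unresolved merge-conflict markers are added as code in `ssh_analyze_signature_version` (`<<<<<<< HEAD`, `||||||| f83d0b18`, `=======`), and the closing `>>>>>>> ntop_origin/dev` is added by the following hunk (`@@ -92,6 +133,7 @@`), so ssh.c cannot compile as committed; the conflict has to be resolved and the duplicated commented-out block dropped before this lands. The same hunk turns on `#define SSH_DEBUG 1`, which makes the dissector `printf` peer-supplied banners for every flow; restore `/* #define SSH_DEBUG 1 */`. The banner comes from the network and is parsed with `%d` conversions that have no field width, and a digit run that does not fit in `int` is undefined behaviour in `sscanf`. `sscanf` also returns 0, not a negative value, when the banner does not match, so the `< 0` test only catches EOF. A bounded form that checks the match count would be `if (sscanf(str_to_check, "SSH-%*f-OpenSSH_%3d.%3d.%3d", &major, &minor, &patch) < 1) return;`.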
@@ -328,7 +370,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct flow->protos.ssh.client_signature[len] = '\0'; ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len); - ssh_analyse_signature_version(ndpi_struct, flow, flow->protos.ssh.client_signature, 1); + ssh_analyze_signature_version(ndpi_struct, flow, flow->protos.ssh.client_signature, 1); #ifdef SSH_DEBUG printf("[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature); @@ -348,7 +390,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct flow->protos.ssh.server_signature[len] = '\0'; ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len); - ssh_analyse_signature_version(ndpi_struct, flow, flow->protos.ssh.server_signature, 0); + ssh_analyze_signature_version(ndpi_struct, flow, flow->protos.ssh.server_signature, 0); #ifdef SSH_DEBUG printf("[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature); |