From 4b4dcabedaa7fff668f6fea495010cbafb094904 Mon Sep 17 00:00:00 2001 From: MrRadix Date: Tue, 21 Jul 2020 19:29:59 +0200 Subject: added ssh obsolete version risks --- src/include/ndpi_typedefs.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 90f4981f5..affb29826 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -76,6 +76,8 @@ typedef enum { NDPI_TLS_NOT_CARRYING_HTTPS, NDPI_SUSPICIOUS_DGA_DOMAIN, NDPI_MALFORMED_PACKET, + NDPI_SSH_OBSOLETE_CLIENT_SIGNATURE, + NDPI_SSH_OBSOLETE_SERVER_SIGNATURE, /* Leave this as last member */ NDPI_MAX_RISK -- cgit v1.2.3 From f66cd5aabc4319e64fd4fd6290afefbff1b4ed69 Mon Sep 17 00:00:00 2001 From: MrRadix Date: Tue, 21 Jul 2020 19:31:02 +0200 Subject: added ssh_analyse_signature_version and ssh_has_old_signature for check old signature version of ssh --- src/lib/protocols/ssh.c | 93 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 90 insertions(+), 3 deletions(-) diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index 7679a2337..c5d502ad7 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -29,6 +29,8 @@ #include "ndpi_api.h" #include "ndpi_md5.h" +#include + /* HASSH - https://github.com/salesforce/hassh 
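Review bot: The two members added to `ndpi_risk_enum` in hunk @@ -76,6 +76,8 have no matching `case` in `ndpi_risk2str`, so a flow tagged with either risk is reported through that function's `default:` branch as a bare number until a later commit adds the strings. Since the enum is also mirrored verbatim in `python/ndpi.py`, a header-only change like this should carry the `ndpi_risk2str` cases and the Python copy in the same commit, or the three fall out of step; the series does catch up, but each intermediate commit is inconsistent. A one-line comment next to the new members, `/* keep ndpi_risk2str() and python/ndpi.py in sync */`, would make the coupling visible to the next person who adds a risk.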
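Review bot: The added `+#include` line in hunk @@ -29,6 +29,8 shows no header name in this rendering, so I cannot tell which header is being pulled in; if the angle-bracket form was stripped on display, please confirm the committed line is `#include <string.h>`, which the `strstr`, `strcpy` and `strtok_r` calls introduced in the next hunk rely on. The hunk's trailing context also appears cut off here, so I am reading only its first five lines.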
@@ -60,17 +62,102 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct /* ************************************************************************ */ +static int ssh_has_old_signature(char *signature) { + int is_old = 0; + int i = 0; + + char *old_versions[46] = { + "OpenSSH_1.2.2", + "OpenSSH_2.5.1", + "OpenSSH_2.9.9", + "OpenSSH_3.0", + "OpenSSH_3.4", + "OpenSSH_3.5", + "OpenSSH_3.6", + "OpenSSH_3.6.1", + "OpenSSH_3.7", + "OpenSSH_3.7.1", + "OpenSSH_3.8", + "OpenSSH_3.9", + "OpenSSH_4.0", + "OpenSSH_4.1", + "OpenSSH_4.2", + "OpenSSH_4.3", + "OpenSSH_4.4", + "OpenSSH_4.5", + "OpenSSH_4.6", + "OpenSSH_4.7", + "OpenSSH_4.9", + "OpenSSH_5.0", + "OpenSSH_5.1", + "OpenSSH_5.2", + "OpenSSH_5.3", + "OpenSSH_5.4", + "OpenSSH_5.5", + "OpenSSH_5.6", + "OpenSSH_5.7", + "OpenSSH_5.8", + "OpenSSH_5.9", + "OpenSSH_6.0", + "OpenSSH_6.1", + "OpenSSH_6.2", + "OpenSSH_6.3", + "OpenSSH_6.4", + "OpenSSH_6.5", + "OpenSSH_6.6", + "OpenSSH_6.7", + "OpenSSH_6.8", + "OpenSSH_6.9", + "OpenSSH_7.0", + "OpenSSH_7.1", + "OpenSSH_7.3", + "OpenSSH_7.4", + "OpenSSH_7.5" + }; + + while (i < 46 && !is_old) { + if (strstr(old_versions[i], signature) != NULL) + is_old = 1; + + i++; + } + + return is_old; +} + +/* ************************************************************************ */ + static void ssh_analyse_signature_version(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *str_to_check, u_int8_t is_client_signature) { + if (str_to_check == NULL) return; + + char *copy = (char*)malloc(sizeof(char)*strlen(str_to_check)); + char *rest; + char *signature; + int obsolete_ssh_version; + + strcpy(copy, str_to_check); + + strtok_r(copy, "-", &rest); // SSH + strtok_r(NULL, "-", &rest); // 2.0 + + // OpenSSH_X.X + signature = strtok_r(NULL, "-", &rest); + + if (signature == NULL) return; + + obsolete_ssh_version = ssh_has_old_signature(signature); + + #ifdef SSH_DEBUG + if(obsolete_ssh_version) + printf("[SSH] %s: obsolete 
signature\n", signature); + #endif - /* if(obsolete_ssh_version) NDPI_SET_BIT(flow->risk, is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_SIGNATURE : NDPI_SSH_OBSOLETE_SERVER_SIGNATURE); - */ - } /* ************************************************************************ */ -- cgit v1.2.3 From 847eb7b1805e84d2ff90e99398d6a02429907d24 Mon Sep 17 00:00:00 2001 From: MrRadix Date: Wed, 22 Jul 2020 10:54:55 +0200 Subject: improved performance by removing linear scan --- src/lib/protocols/ssh.c | 116 +++++++++++++++--------------------------------- 1 file changed, 37 insertions(+), 79 deletions(-) diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index c5d502ad7..ac1146ba0 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -25,6 +25,7 @@ #include "ndpi_protocol_ids.h" #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SSH +#define VERSION_CUTOFF 7 #include "ndpi_api.h" #include "ndpi_md5.h" 
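Review bot: `ssh_analyse_signature_version` allocates `strlen(str_to_check)` bytes for `copy` and then `strcpy`s the banner into it, so the terminating NUL is written one byte past the allocation on every call, the `malloc` result is never checked, and `copy` is never freed on any return path; the banner is peer-supplied, so this runs on untrusted input. Allocate `strlen(str_to_check) + 1`, add `if (copy == NULL) return;`, and free `copy` before each `return`. `ssh_has_old_signature` also calls `strstr(old_versions[i], signature)` with the table entry as the haystack, so a fragment such as `OpenSSH_5` or a bare `OpenSSH_` matches every table entry while the common real-world form `OpenSSH_5.3p1` matches nothing; compare the table entry against the banner (exact match, or a bounded prefix match of the table entry) instead of searching inside it. The loop in `ssh_has_old_signature` hard-codes `46` in two places; a `NULL` sentinel or `sizeof old_versions / sizeof old_versions[0]` keeps the bound tied to the table.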
@@ -59,105 +60,62 @@ /* #define SSH_DEBUG 1 */ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); - -/* ************************************************************************ */ - -static int ssh_has_old_signature(char *signature) { - int is_old = 0; - int i = 0; - - char *old_versions[46] = { - "OpenSSH_1.2.2", - "OpenSSH_2.5.1", - "OpenSSH_2.9.9", - "OpenSSH_3.0", - "OpenSSH_3.4", - "OpenSSH_3.5", - "OpenSSH_3.6", - "OpenSSH_3.6.1", - "OpenSSH_3.7", - "OpenSSH_3.7.1", - "OpenSSH_3.8", - "OpenSSH_3.9", - "OpenSSH_4.0", - "OpenSSH_4.1", - "OpenSSH_4.2", - "OpenSSH_4.3", - "OpenSSH_4.4", - "OpenSSH_4.5", - "OpenSSH_4.6", - "OpenSSH_4.7", - "OpenSSH_4.9", - "OpenSSH_5.0", - "OpenSSH_5.1", - "OpenSSH_5.2", - "OpenSSH_5.3", - "OpenSSH_5.4", - "OpenSSH_5.5", - "OpenSSH_5.6", - "OpenSSH_5.7", - "OpenSSH_5.8", - "OpenSSH_5.9", - "OpenSSH_6.0", - "OpenSSH_6.1", - "OpenSSH_6.2", - "OpenSSH_6.3", - "OpenSSH_6.4", - "OpenSSH_6.5", - "OpenSSH_6.6", - "OpenSSH_6.7", - "OpenSSH_6.8", - "OpenSSH_6.9", - "OpenSSH_7.0", - "OpenSSH_7.1", - "OpenSSH_7.3", - "OpenSSH_7.4", - "OpenSSH_7.5" - }; - - while (i < 46 && !is_old) { - if (strstr(old_versions[i], signature) != NULL) - is_old = 1; - - i++; - } - - return is_old; -} /* ************************************************************************ */ -static void ssh_analyse_signature_version(struct ndpi_detection_module_struct *ndpi_struct, +static void ssh_analyze_signature_version(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *str_to_check, u_int8_t is_client_signature) { if (str_to_check == NULL) return; - - char *copy = (char*)malloc(sizeof(char)*strlen(str_to_check)); - char *rest; + + char *rem; char *signature; - int obsolete_ssh_version; + char *version; + int major_number; + char *copy = (char*)ndpi_malloc(sizeof(char)*(strlen(str_to_check)+1)); + int obsolete_ssh_version = 0; + + /* + string example: SSH-2.0-OpenSSH_5.3 + 
*/ strcpy(copy, str_to_check); - strtok_r(copy, "-", &rest); // SSH - strtok_r(NULL, "-", &rest); // 2.0 + /* SSH */ + strtok_r(copy, "-", &rem); + + /* 2.0 */ + strtok_r(NULL, "-", &rem); - // OpenSSH_X.X - signature = strtok_r(NULL, "-", &rest); + /* signature = OpenSSH_5.3 */ + signature = strtok_r(NULL, "-", &rem); + + /* OpenSSH */ + strtok_r(signature, "_", &rem); + + /* version = 5.3 */ + version = strtok_r(NULL, "_", &rem); - if (signature == NULL) return; + if (version == NULL) return; - obsolete_ssh_version = ssh_has_old_signature(signature); + /* major_number = 5 */ + major_number = atoi(strtok_r(version, ".", &rem)); + + if (major_number < VERSION_CUTOFF) { + obsolete_ssh_version = 1; + } #ifdef SSH_DEBUG if(obsolete_ssh_version) - printf("[SSH] %s: obsolete signature\n", signature); + printf("[SSH] Obsolete signature\n"); #endif if(obsolete_ssh_version) NDPI_SET_BIT(flow->risk, is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_SIGNATURE : NDPI_SSH_OBSOLETE_SERVER_SIGNATURE); + + ndpi_free(copy); } /* ************************************************************************ */ @@ -390,7 +348,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct flow->protos.ssh.client_signature[len] = '\0'; ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len); - ssh_analyse_signature_version(ndpi_struct, flow, flow->protos.ssh.client_signature, 1); + ssh_analyze_signature_version(ndpi_struct, flow, flow->protos.ssh.client_signature, 1); #ifdef SSH_DEBUG printf("[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature); 
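Review bot: The new `if (version == NULL) return;` in hunk @@ -59,105 +60,62 exits before the `ndpi_free(copy)` at the end of the function, so any banner without a `_`-separated version (anything that is not of the form `SSH-x-Name_ver`) leaks the copy on every such flow; write it as `if (version == NULL) { ndpi_free(copy); return; }`. The `ndpi_malloc` result is also unchecked before `strcpy`, which needs `if (copy == NULL) return;` right after the allocation. `atoi` on a non-numeric first token returns 0, which is below `VERSION_CUTOFF` and therefore flags a banner like `OpenSSH_beta` as obsolete; if that is intended it deserves a comment, otherwise parse with `strtol` and check `endptr`. The enclosing function's signature is outside this hunk.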
@@ -410,7 +368,7 @@ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct flow->protos.ssh.server_signature[len] = '\0'; ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len); - ssh_analyse_signature_version(ndpi_struct, flow, flow->protos.ssh.server_signature, 0); + ssh_analyze_signature_version(ndpi_struct, flow, flow->protos.ssh.server_signature, 0); #ifdef SSH_DEBUG printf("[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature); -- cgit v1.2.3 From 9c521c5dddfe2e9d59e6a6e42bb43269894b4ea8 Mon Sep 17 00:00:00 2001 From: MrRadix Date: Wed, 22 Jul 2020 10:55:53 +0200 Subject: added new risks iside ndpi_risk2str function --- src/lib/ndpi_utils.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index b1a2514dd..66b33a708 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -1524,6 +1524,12 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) { case NDPI_MALFORMED_PACKET: return("Malformed packet"); + case NDPI_SSH_OBSOLETE_CLIENT_SIGNATURE: + return("SSH obsolete client signature"); + + case NDPI_SSH_OBSOLETE_SERVER_SIGNATURE: + return("SSH obsolete server signature"); + default: snprintf(buf, sizeof(buf), "%d", (int)risk); return(buf); -- cgit v1.2.3 From 53b2b08aeb2682fbdf87075aa9312897a46d764e Mon Sep 17 00:00:00 2001 From: MrRadix Date: Wed, 22 Jul 2020 10:56:59 +0200 Subject: added new risks to ndpi_risk_enum --- python/ndpi.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/python/ndpi.py b/python/ndpi.py index 31abe53dc..316fa5606 100644 --- a/python/ndpi.py +++ b/python/ndpi.py @@ -306,6 +306,8 @@ typedef enum { NDPI_TLS_NOT_CARRYING_HTTPS, NDPI_SUSPICIOUS_DGA_DOMAIN, NDPI_MALFORMED_PACKET, + NDPI_SSH_OBSOLETE_CLIENT_SIGNATURE, + NDPI_SSH_OBSOLETE_SERVER_SIGNATURE, /* Leave this as last member */ NDPI_MAX_RISK } ndpi_risk_enum; -- cgit v1.2.3 From a688e36b515ab01a121c08193d98984829cbac36 Mon Sep 17 00:00:00 2001 
From: MrRadix Date: Wed, 22 Jul 2020 11:44:56 +0200 Subject: improved ndpi_risk2str output for new risks --- src/lib/ndpi_utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 66b33a708..ee3d7bc71 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -1525,10 +1525,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) { return("Malformed packet"); case NDPI_SSH_OBSOLETE_CLIENT_SIGNATURE: - return("SSH obsolete client signature"); + return("SSH Obsolete Client Signature"); case NDPI_SSH_OBSOLETE_SERVER_SIGNATURE: - return("SSH obsolete server signature"); + return("SSH Obsolete Server Signature"); default: snprintf(buf, sizeof(buf), "%d", (int)risk); -- cgit v1.2.3 From 88dd3ebd62135925eea999a98c1e0a726807ab59 Mon Sep 17 00:00:00 2001 From: MrRadix Date: Wed, 22 Jul 2020 12:41:59 +0200 Subject: added modified risks --- python/ndpi.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/ndpi.py b/python/ndpi.py index 316fa5606..547570b9d 100644 --- a/python/ndpi.py +++ b/python/ndpi.py @@ -306,8 +306,8 @@ typedef enum { NDPI_TLS_NOT_CARRYING_HTTPS, NDPI_SUSPICIOUS_DGA_DOMAIN, NDPI_MALFORMED_PACKET, - NDPI_SSH_OBSOLETE_CLIENT_SIGNATURE, - NDPI_SSH_OBSOLETE_SERVER_SIGNATURE, + NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER, + NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER, /* Leave this as last member */ NDPI_MAX_RISK } ndpi_risk_enum; -- cgit v1.2.3 From 8e2cd9ff4320ead7cced1f7bb76b0ee565d88546 Mon Sep 17 00:00:00 2001 From: MrRadix Date: Wed, 22 Jul 2020 12:42:26 +0200 Subject: improved performance and legibility --- src/lib/protocols/ssh.c | 52 +++++++++++-------------------------------------- 1 file changed, 11 insertions(+), 41 deletions(-) diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index ac1146ba0..5d10e2c93 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c 
@@ -25,7 +25,7 @@ #include "ndpi_protocol_ids.h" #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SSH -#define VERSION_CUTOFF 7 +#define VERSION_CUTOFF 7.0 #include "ndpi_api.h" #include "ndpi_md5.h" @@ -57,7 +57,7 @@ that usually is packet 14 */ -/* #define SSH_DEBUG 1 */ +#define SSH_DEBUG 1 static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); 
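Review bot: Hunk @@ -57,7 +57,7 turns `/* #define SSH_DEBUG 1 */` into `#define SSH_DEBUG 1`, so the library now `printf`s `[SSH] ...` lines to the stdout of every process that links it, for every analysed flow; this looks like a leftover from local testing and the line should stay commented out (a later commit in this series re-comments it, but this commit ships it enabled). Separately, hunk @@ -25,7 +25,7 makes `VERSION_CUTOFF` the floating literal `7.0`, which only makes sense together with the float parsing in the next hunk; a version string is not a real number (`5.10` would sort below `5.9`), so an integer major/minor comparison is the safer representation.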
@@ -70,52 +70,22 @@ static void ssh_analyze_signature_version(struct ndpi_detection_module_struct *n if (str_to_check == NULL) return; - char *rem; - char *signature; - char *version; - int major_number; - - char *copy = (char*)ndpi_malloc(sizeof(char)*(strlen(str_to_check)+1)); + float version = 0.0; int obsolete_ssh_version = 0; - /* - string example: SSH-2.0-OpenSSH_5.3 - */ - strcpy(copy, str_to_check); + sscanf(str_to_check, "SSH-%*f-OpenSSH_%f.%*s", &version); - /* SSH */ - strtok_r(copy, "-", &rem); + if (version == 0.0) return; - /* 2.0 */ - strtok_r(NULL, "-", &rem); - - /* signature = OpenSSH_5.3 */ - signature = strtok_r(NULL, "-", &rem); + obsolete_ssh_version = version < VERSION_CUTOFF; - /* OpenSSH */ - strtok_r(signature, "_", &rem); - - /* version = 5.3 */ - version = strtok_r(NULL, "_", &rem); - - if (version == NULL) return; + if (obsolete_ssh_version) { + #ifdef SSH_DEBUG + printf("[SSH] [SSH Version: %.1f]\n", version); + #endif - /* major_number = 5 */ - major_number = atoi(strtok_r(version, ".", &rem)); - - if (major_number < VERSION_CUTOFF) { - obsolete_ssh_version = 1; + NDPI_SET_BIT(flow->risk, is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER : NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER); } - - #ifdef SSH_DEBUG - if(obsolete_ssh_version) - printf("[SSH] Obsolete signature\n"); - #endif - - if(obsolete_ssh_version) - NDPI_SET_BIT(flow->risk, is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_SIGNATURE : NDPI_SSH_OBSOLETE_SERVER_SIGNATURE); - - ndpi_free(copy); } /* ************************************************************************ */ -- cgit v1.2.3 From af5d792c0836d14668edb1477afda9949ba699e2 Mon Sep 17 00:00:00 2001 From: MrRadix Date: Wed, 22 Jul 2020 13:06:08 +0200 Subject: added sscanf error handling --- src/lib/protocols/ssh.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index 5d10e2c93..fa019691b 100644 
--- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -25,7 +25,9 @@ #include "ndpi_protocol_ids.h" #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SSH -#define VERSION_CUTOFF 7.0 +#define MAJOR_CUTOFF 7 +#define MINOR_CUTOFF 0 +#define PATCH_CUTOFF 0 #include "ndpi_api.h" #include "ndpi_md5.h" @@ -70,18 +72,29 @@ static void ssh_analyze_signature_version(struct ndpi_detection_module_struct *n if (str_to_check == NULL) return; - float version = 0.0; + int major = 0; + int minor = 0; + int patch = 0; int obsolete_ssh_version = 0; - sscanf(str_to_check, "SSH-%*f-OpenSSH_%f.%*s", &version); + if (sscanf(str_to_check, "SSH-%*f-OpenSSH_%d.%d.%d", &major, &minor, &patch) < 0) + return; + + if ((major || minor || patch) == 0) return; - if (version == 0.0) return; + /* checking if is an old version */ + if (major < MAJOR_CUTOFF) obsolete_ssh_version = 1; - obsolete_ssh_version = version < VERSION_CUTOFF; + else if (major == MAJOR_CUTOFF) { + if (minor < MINOR_CUTOFF) obsolete_ssh_version = 1; + + else if (minor == MINOR_CUTOFF) + if (patch < PATCH_CUTOFF) obsolete_ssh_version = 1; + } if (obsolete_ssh_version) { #ifdef SSH_DEBUG - printf("[SSH] [SSH Version: %.1f]\n", version); + printf("[SSH] [SSH Version: %d.%d.%d]\n", major, minor, patch); #endif NDPI_SET_BIT(flow->risk, is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER : NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER); -- cgit v1.2.3 From c450caae94f4e2fa073391580fd26cbd19379c7b Mon Sep 17 00:00:00 2001 From: MrRadix Date: Wed, 22 Jul 2020 15:38:31 +0200 Subject: modified new last two risks --- src/lib/ndpi_utils.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index ac2c7173c..1d33500ff 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c 
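Review bot: The `%d` conversions in `sscanf(str_to_check, "SSH-%*f-OpenSSH_%d.%d.%d", ...)` have no field width, so a banner carrying a digit run longer than an `int` can hold makes the conversion undefined behaviour (C11 7.21.6.2p10); the banner is read off the wire, so bound each conversion, e.g. `"SSH-%*f-OpenSSH_%9d.%9d.%9d"`. The same unbounded conversions appear in hunk @@ -77,7 +77,7 of commit a9ca47f and in every entry of the `ssh_servers_strings` table in commit 6719fa3. The check `if (sscanf(...) < 0) return;` only catches `EOF`, not a partial match that assigned fewer than three fields, so the return value should be compared with the number of fields expected. `if ((major || minor || patch) == 0) return;` is a roundabout spelling of `if (!major && !minor && !patch) return;` and reads at first glance like a typo. The enclosing function's signature is outside this hunk.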
@@ -1525,10 +1525,10 @@ const char* ndpi_risk2str(ndpi_risk_enum risk) { return("Malformed packet"); case NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER: - return("SSH obsolete client version/cipher"); + return("SSH Obsolete client version/cipher"); case NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER: - return("SSH obsolete server version/cipher"); + return("SSH Obsolete server version/cipher"); default: snprintf(buf, sizeof(buf), "%d", (int)risk); -- cgit v1.2.3 From a3ba9253ef3c3ca9fb45348e6dc019c6cf694e31 Mon Sep 17 00:00:00 2001 From: MrRadix Date: Wed, 22 Jul 2020 15:39:44 +0200 Subject: fixed bug inside set bit macro call --- src/lib/protocols/ssh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index fa019691b..1b876a42e 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -97,7 +97,7 @@ static void ssh_analyze_signature_version(struct ndpi_detection_module_struct *n printf("[SSH] [SSH Version: %d.%d.%d]\n", major, minor, patch); #endif - NDPI_SET_BIT(flow->risk, is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER : NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER); + NDPI_SET_BIT(flow->risk, (is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER : NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER)); } } -- cgit v1.2.3 From a9ca47fcdba6e641f5a2b961ca77536525c8db0c Mon Sep 17 00:00:00 2001 From: MrRadix Date: Wed, 22 Jul 2020 17:17:12 +0200 Subject: added cipher check --- src/lib/protocols/ssh.c | 73 +++++++++++++++++++++++++++++-------------------- 1 file changed, 44 insertions(+), 29 deletions(-) diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index 5927d066b..181f84317 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -59,7 +59,7 @@ that usually is packet 14 */ -#define SSH_DEBUG 1 +/* #define SSH_DEBUG 1 */ static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); 
@@ -77,7 +77,7 @@ static void ssh_analyze_signature_version(struct ndpi_detection_module_struct *n int patch = 0; int obsolete_ssh_version = 0; - if (sscanf(str_to_check, "SSH-%*f-OpenSSH_%d.%d.%d", &major, &minor, &patch) < 0) + if (sscanf(str_to_check, "SSH-%*f-OpenSSH_%d.%d.%d", &major, &minor, &patch) != 3) return; if ((major || minor || patch) == 0) return; @@ -92,7 +92,6 @@ static void ssh_analyze_signature_version(struct ndpi_detection_module_struct *n if (patch < PATCH_CUTOFF) obsolete_ssh_version = 1; } -<<<<<<< HEAD if (obsolete_ssh_version) { #ifdef SSH_DEBUG printf("[SSH] [SSH Version: %d.%d.%d]\n", major, minor, patch); 
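Review bot: Changing the check to `!= 3` in hunk @@ -77,7 +77,7 makes the function return early on two-component banners such as `SSH-2.0-OpenSSH_5.3` or `SSH-2.0-OpenSSH_6.6`, because `sscanf` stops at the missing `.patch` and returns 2; those are precisely the obsolete versions this code is meant to flag, so after this commit they are silently accepted. Since `patch` is initialised to 0, accepting a two-field match is safe: `int n = sscanf(str_to_check, "SSH-%*f-OpenSSH_%d.%d.%d", &major, &minor, &patch);` followed by `if (n != 3 && n != 2) return;`. A test banner with and without the patch component would have caught this. The enclosing function's signature is outside this hunk.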
@@ -100,42 +99,58 @@ static void ssh_analyze_signature_version(struct ndpi_detection_module_struct *n NDPI_SET_BIT(flow->risk, (is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER : NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER)); } -||||||| f83d0b18 - /* - if(obsolete_ssh_version) - NDPI_SET_BIT(flow->risk, is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_SIGNATURE : NDPI_SSH_OBSOLETE_SERVER_SIGNATURE); - */ - -======= - /* - if(obsolete_ssh_version) - NDPI_SET_BIT(flow->risk, is_client_signature ? NDPI_SSH_OBSOLETE_CLIENT_SIGNATURE : NDPI_SSH_OBSOLETE_SERVER_SIGNATURE); - */ } /* ************************************************************************ */ static void ssh_analyse_cipher(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - char *cipher, u_int cipher_len, + char *ciphers, u_int cipher_len, u_int8_t is_client_signature) { - /* - List of obsolete ciphers can be found at - https://www.linuxminion.com/deprecated-ssh-cryptographic-settings/ - */ -#ifdef SSH_DEBUG - u_int i; - - printf("[%s] ", is_client_signature ? "CLIENT" : "SERVER"); - for(i=0; i>>>>>> ntop_origin/dev + char *obsolete_ciphers[6] = { + "arcfour256", + "arcfour128", + "3des-cbc", + "blowfish-cbc", + "cast128-cbc", + "arcfour", + }; + + char *copy = (char*)ndpi_calloc(cipher_len, sizeof(char)); + + if (strncpy(copy, ciphers, cipher_len) == NULL) + return; + + cipher = strtok_r(copy, ",", &rem); + + while (cipher && !found_obsolete_cipher) { + + for (int i = 0; i < 6; i++) { + if (strcmp(cipher, obsolete_ciphers[i]) == 0) { + found_obsolete_cipher = 1; + break; + } + } + + cipher = strtok_r(NULL, ",", &rem); + } + + if (found_obsolete_cipher) { + #ifdef SSH_DEBUG + printf("[SSH] [SSH obsolete cipher]\n"); + #endif + + NDPI_SET_BIT(flow->risk, (is_client_signature ? 
NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER : NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER)); + } + + ndpi_free(copy); } - + /* ************************************************************************ */ static int search_ssh_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { -- cgit v1.2.3 From 6719fa30f9cfda5fe9d60b84e7afb442a9ea3517 Mon Sep 17 00:00:00 2001 From: MrRadix Date: Fri, 24 Jul 2020 20:53:02 +0200 Subject: added other ssh implementations to check --- src/lib/protocols/ssh.c | 63 +++++++++++++++++++++++++++++++++++++------------ 1 file changed, 48 insertions(+), 15 deletions(-) diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index 181f84317..f1f0e1503 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c 
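Review bot: In `ssh_analyse_cipher`, `copy` is allocated with `ndpi_calloc(cipher_len, sizeof(char))` and filled with `strncpy(copy, ciphers, cipher_len)`; assuming `ciphers` points at the raw name-list bytes inside the packet and is not NUL-terminated, which the separate `cipher_len` parameter suggests, `strncpy` copies exactly `cipher_len` bytes and leaves no terminator, so the following `strtok_r` loop reads past the end of the heap buffer on peer-controlled data. Allocate one extra byte and copy explicitly: `char *copy = ndpi_calloc(cipher_len + 1, sizeof(char));`, `if (copy == NULL) return;`, `memcpy(copy, ciphers, cipher_len);` (calloc supplies the terminator). The `strncpy(...) == NULL` test can never be true and would leak `copy` if it were, so drop it. Hunk @@ -110,18 +139,22 of commit 6719fa3 touches these same lines and leaves the missing terminator in place. `ndpi_calloc` is also unchecked here; the later commit adds that check.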
@@ -71,25 +71,54 @@ static void ssh_analyze_signature_version(struct ndpi_detection_module_struct *n u_int8_t is_client_signature) { if (str_to_check == NULL) return; + + int i; + int matches; + int major = 0; + int minor = 0; + int patch = 0; + u_int8_t version_match = 0; + u_int8_t obsolete_ssh_version = 0; + + const char *ssh_servers_strings[] = { + "SSH-%*f-OpenSSH_%d.%d.%d", /* OpenSSH */ + "SSH-%*f-APACHE-SSHD-%d.%d.%d", /* Apache MINA SSHD */ + "SSH-%*f-FileZilla_%d.%d.%d", /* FileZilla SSH*/ + "SSH-%*f-paramiko_%d.%d.%d", /* Paramiko SSH */ + "SSH-%*f-dropbear_%d.%d", /* Dropbear SSH */ + NULL, + }; - int major = 0; - int minor = 0; - int patch = 0; - int obsolete_ssh_version = 0; + int versions_cutoff[][3] = { + /* maj,min,patch */ - if (sscanf(str_to_check, "SSH-%*f-OpenSSH_%d.%d.%d", &major, &minor, &patch) != 3) - return; + {7,0,0}, /* OpenSSH */ + {2,5,1}, /* Apache MINA SSHD */ + {3,40,0}, /* FileZilla SSH */ + {2,4,0}, /* Paramiko SSH */ + {2020,0,0} /* Dropbear SSH (leave patch field as 0)*/ - if ((major || minor || patch) == 0) return; + }; + + for (i = 0; ssh_servers_strings[i]; i++) { + matches = sscanf(str_to_check, ssh_servers_strings[i], &major, &minor, &patch); + + if (matches == 3 || matches == 2) { + version_match = 1; + break; + } + } + + if (!version_match) return; /* checking if is an old version */ - if (major < MAJOR_CUTOFF) obsolete_ssh_version = 1; + if (major < versions_cutoff[i][0]) obsolete_ssh_version = 1; - else if (major == MAJOR_CUTOFF) { - if (minor < MINOR_CUTOFF) obsolete_ssh_version = 1; + else if (major == versions_cutoff[i][0]) { + if (minor < versions_cutoff[i][1]) obsolete_ssh_version = 1; - else if (minor == MINOR_CUTOFF) - if (patch < PATCH_CUTOFF) obsolete_ssh_version = 1; + else if (minor == versions_cutoff[i][1]) + if (patch < versions_cutoff[i][2]) obsolete_ssh_version = 1; } if (obsolete_ssh_version) { 
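Review bot: `ssh_servers_strings` and `versions_cutoff` are parallel arrays that are only kept aligned by position, and after the `for` loop the break index `i` is used to read `versions_cutoff[i]`; only the string table has a `NULL` sentinel, so an entry added to one table and not the other turns into an out-of-bounds read of the cutoff table rather than a compile error. A single table of `struct { const char *fmt; int maj, min, patch; }` with one row per implementation removes that coupling, and it also lets the comments sit next to the values they describe. Both tables are rebuilt on the stack on every call; make them `static const` since nothing writes to them. The `matches == 2` case is correct for `dropbear_%d.%d` only because `patch` is initialised to 0 before the loop; a short comment saying so, `/* two-field formats leave patch at 0 */`, would stop someone from "fixing" it. The enclosing function's signature and its tail are outside this hunk.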
@@ -110,18 +139,22 @@ static void ssh_analyse_cipher(struct ndpi_detection_module_struct *ndpi_struct, char *rem; char *cipher; - int found_obsolete_cipher = 0; + u_int8_t found_obsolete_cipher = 0; - char *obsolete_ciphers[6] = { + const char *obsolete_ciphers[] = { "arcfour256", "arcfour128", "3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour", + NULL, }; char *copy = (char*)ndpi_calloc(cipher_len, sizeof(char)); + if (copy == NULL) { + return; + } if (strncpy(copy, ciphers, cipher_len) == NULL) return; @@ -130,7 +163,7 @@ static void ssh_analyse_cipher(struct ndpi_detection_module_struct *ndpi_struct, while (cipher && !found_obsolete_cipher) { - for (int i = 0; i < 6; i++) { + for (int i = 0; obsolete_ciphers[i]; i++) { if (strcmp(cipher, obsolete_ciphers[i]) == 0) { found_obsolete_cipher = 1; break; -- cgit v1.2.3
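Review bot: The new `ndpi_calloc` NULL check in hunk @@ -110,18 +139,22 is right, but the `if (strncpy(copy, ciphers, cipher_len) == NULL) return;` directly below it is dead code, since `strncpy` returns its destination and never `NULL`, and if it ever did fire it would return without `ndpi_free(copy)`; delete the check and keep a plain `strncpy(copy, ciphers, cipher_len);` (or a `memcpy`), noting that the buffer still needs `cipher_len + 1` bytes for the terminator that `strtok_r` depends on. The `NULL`-terminated `obsolete_ciphers` table and the `obsolete_ciphers[i]` loop bound in hunk @@ -130,7 +163,7 are a clear improvement over the hard-coded `6`; making the table `static const` would avoid rebuilding it on every call. The enclosing function's signature is outside this hunk.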