Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ssh frames 5734 v2 #11372

Closed
wants to merge 2 commits into from
Closed

Ssh frames 5734 v2 #11372

wants to merge 2 commits into from

Conversation

catenacyber
Copy link
Contributor

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/5734

Describe changes:

  • ssh: add frames support (for clear-text records after banner)
  • detect: run frames detection on packet disabling app-layer because next packets are encrypted

SV_BRANCH=OISF/suricata-verify#1932

#11340 with clear PR history

@catenacyber
ssh: frames support
8b0886e 
Ticket: 5734
@catenacyber
detect: run frames on pseudo flush packets
1b9474d 
for SSH packets that mark the end of plaintext
@catenacyber catenacyber mentioned this pull request Jun 27, 2024
Closed
@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 21265

victorjulien
victorjulien reviewed Jul 1, 2024
View reviewed changes
rust/src/ssh/ssh.rs
@@ -149,6 +159,30 @@ impl SSHState {
while !input.is_empty() {
match parser::ssh_parse_record(input) {
Ok((rem, head)) => {
let _pdu = Frame::new(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would make sense to move this outside of Ok, as we can want the frames in malformed data as well. I suppose you would just open all 3 (RecordHdr with fixed len, the other two with -1 len), then set the final length on Ok.

In general, I am missing an explanation of the frames in the commit message.

Also should add docs for the frames, cf https://docs.suricata.io/en/latest/rules/smtp-keywords.html#frames

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would make sense to move this outside of Ok, as we can want the frames in malformed data as well. I suppose you would just open all 3 (RecordHdr with fixed len, the other two with -1 len), then set the final length on Ok.

I am not sure it makes sense for SSH :

  • malformed data can only be "negative length" for SSH record data (in SSH, there is the anti pattern that the length includes the fixed header length), and in this case, the flow is placed into error. So it is then impossible to "set the final length on Ok."
  • for incomplete data, it is already handled in one way

Should I spend some time again to try to make a SV test that shows a different behavior with -1 len ?

In general, I am missing an explanation of the frames in the commit message.

Adding something

Also should add docs for the frames

I thought frames were automatically documented, by some rustdocs magic with // app-layer-frame-documentation tag start: FrameType enum
cc @jasonish ?

Add adding something like smtp

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought frames were automatically documented, by some rustdocs magic with // app-layer-frame-documentation tag start: FrameType enum
cc @jasonish ?

Am not familiar with anything like this.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See b846269

I had interpreted this wrongly

@catenacyber catenacyber mentioned this pull request Jul 4, 2024
Closed
@catenacyber
Copy link
Contributor Author

Continued in #11415

@catenacyber catenacyber closed this Jul 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien victorjulien left review comments

@jasonish jasonish jasonish left review comments

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@catenacyber @suricata-qa @jasonish @victorjulien