/**
 * \brief Parse the "ssh.softwareversion" option and attach the resulting
 *        SigMatch to the signature's SSH banner list.
 *
 * \param de_ctx pointer to the Detection Engine Context (not used here)
 * \param s      pointer to the Signature being built
 * \param str    pointer to the user provided option value
 *
 * \retval 0 on success
 * \retval -1 on failure (nothing is attached to \a s)
 */
static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
    /* Bind the signature to SSH before allocating anything; a failure from
     * DetectSignatureSetAppProto() is treated as fatal for this keyword. */
    if (DetectSignatureSetAppProto(s, ALPROTO_SSH) != 0) {
        return -1;
    }

    DetectSshSoftwareVersionData *data = DetectSshSoftwareVersionParse(str);
    if (data == NULL) {
        return -1;
    }

    SigMatch *match = SigMatchAlloc();
    if (match == NULL) {
        /* Parsed data is ours until it is handed to the SigMatch. */
        DetectSshSoftwareVersionFree(data);
        return -1;
    }

    match->type = DETECT_AL_SSH_SOFTWAREVERSION;
    match->ctx = (void *)data;
    SigMatchAppendSMToList(s, match, g_ssh_banner_list_id);
    return 0;
}
/**
 * \test DetectSshSoftwareVersionTestParse03 checks that an empty option
 *       value is rejected, i.e. no DetectSshSoftwareVersionData is returned.
 *
 * \retval 1 on test success
 * \retval 0 on test failure
 */
int DetectSshSoftwareVersionTestParse03 (void)
{
    DetectSshSoftwareVersionData *parsed = DetectSshSoftwareVersionParse("");
    if (parsed == NULL) {
        return 1;
    }

    /* Unexpected: the empty string parsed. Release it and report failure. */
    DetectSshSoftwareVersionFree(parsed);
    return 0;
}
/**
 * \test DetectSshSoftwareVersionTestParse02 checks that a double-quoted
 *       software version is parsed and the quotes are not part of the
 *       stored value.
 *
 * \retval 1 on test success
 * \retval 0 on test failure
 */
int DetectSshSoftwareVersionTestParse02 (void)
{
    static const char expected[] = "SecureCRT-4.0";

    DetectSshSoftwareVersionData *parsed = DetectSshSoftwareVersionParse("\"SecureCRT-4.0\"");
    if (parsed == NULL) {
        return 0;
    }

    /* Only the first 13 bytes are compared, matching the original check. */
    int matches = (strncmp((char *) parsed->software_ver, expected, 13) == 0);
    if (!matches) {
        /* Original leaves the data unfreed on mismatch; preserved as-is. */
        return 0;
    }

    DetectSshSoftwareVersionFree(parsed);
    return 1;
}
/**
 * \test DetectSshSoftwareVersionTestParse01 checks that a plain (unquoted)
 *       software version is parsed into DetectSshSoftwareVersionData.
 *
 * \retval 1 on test success
 * \retval 0 on test failure
 */
int DetectSshSoftwareVersionTestParse01 (void)
{
    static const char expected[] = "PuTTY_1.0";

    DetectSshSoftwareVersionData *parsed = DetectSshSoftwareVersionParse("PuTTY_1.0");
    if (parsed == NULL) {
        return 0;
    }

    /* Only the first 9 bytes are compared, matching the original check. */
    int matches = (strncmp((char *) parsed->software_ver, expected, 9) == 0);
    if (!matches) {
        /* Original leaves the data unfreed on mismatch; preserved as-is. */
        return 0;
    }

    DetectSshSoftwareVersionFree(parsed);
    return 1;
}
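/**
 * \brief Parse the value of the "ssh.softwareversion" keyword.
 *
 * The value is matched against the file-level parse_regex; capture group 1
 * becomes the software version string to look for.
 *
 * \param str pointer to the user provided option value (NUL-terminated)
 *
 * \retval ssh pointer to a newly allocated DetectSshSoftwareVersionData on
 *         success; the caller owns it and releases it with
 *         DetectSshSoftwareVersionFree()
 * \retval NULL on failure, or when the regex matches without a capture
 */
DetectSshSoftwareVersionData *DetectSshSoftwareVersionParse (char *str)
{
    DetectSshSoftwareVersionData *ssh = NULL;
    const char *str_ptr = NULL;
#define MAX_SUBSTRINGS 30
    int ov[MAX_SUBSTRINGS];

    /* strlen(NULL) below would be undefined behaviour; reject it up front. */
    if (str == NULL) {
        SCLogError(SC_ERR_PCRE_MATCH, "invalid ssh.softwareversion option");
        return NULL;
    }

    int ret = pcre_exec(parse_regex, parse_regex_study, str, strlen(str), 0, 0, ov, MAX_SUBSTRINGS);
    if (ret < 1 || ret > 3) {
        SCLogError(SC_ERR_PCRE_MATCH, "invalid ssh.softwareversion option");
        goto error;
    }

    /* ret == 1 means the pattern matched but captured nothing; the existing
     * behaviour is to return NULL silently in that case, so it is kept. */
    if (ret > 1) {
        int res = pcre_get_substring((char *)str, ov, MAX_SUBSTRINGS, 1, &str_ptr);
        if (res < 0) {
            SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
            goto error;
        }

        ssh = SCMalloc(sizeof(*ssh));
        if (unlikely(ssh == NULL)) {
            goto error;
        }

        ssh->software_ver = (uint8_t *)SCStrdup((char *)str_ptr);
        if (ssh->software_ver == NULL) {
            goto error;
        }
        ssh->len = strlen((char *)ssh->software_ver);

        /* Our private copy is made; the pcre substring can go now. */
        pcre_free_substring(str_ptr);
        str_ptr = NULL;

        SCLogDebug("will look for ssh %s", ssh->software_ver);
    }

    return ssh;

error:
    /* The substring returned by pcre_get_substring() is owned by us until
     * freed; the original released it only on the success path, leaking it
     * when SCMalloc()/SCStrdup() failed. */
    if (str_ptr != NULL) {
        pcre_free_substring(str_ptr);
    }
    if (ssh != NULL) {
        DetectSshSoftwareVersionFree(ssh);
    }
    return NULL;
}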
/**
 * \brief Parse the "ssh.softwareversion" option, mark the signature as an
 *        SSH app-layer rule and append the SigMatch to the AMATCH list.
 *
 * \param de_ctx pointer to the Detection Engine Context (not used here)
 * \param s      pointer to the Signature being built
 * \param str    pointer to the user provided option value
 *
 * \retval 0 on success
 * \retval -1 on failure (nothing is attached to \a s)
 */
static int DetectSshSoftwareVersionSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
{
    DetectSshSoftwareVersionData *data = DetectSshSoftwareVersionParse(str);
    if (data == NULL) {
        return -1;
    }

    SigMatch *match = SigMatchAlloc();
    if (match == NULL) {
        DetectSshSoftwareVersionFree(data);
        return -1;
    }

    /* A signature already bound to a different app-layer protocol cannot
     * also carry an SSH keyword. */
    if (s->alproto != ALPROTO_UNKNOWN && s->alproto != ALPROTO_SSH) {
        SCLogError(SC_ERR_CONFLICTING_RULE_KEYWORDS, "rule contains conflicting keywords.");
        DetectSshSoftwareVersionFree(data);
        SCFree(match);
        return -1;
    }

    match->type = DETECT_AL_SSH_SOFTWAREVERSION;
    match->ctx = (void *)data;
    s->flags |= SIG_FLAG_APPLAYER;
    s->alproto = ALPROTO_SSH;
    SigMatchAppendSMToList(s, match, DETECT_SM_LIST_AMATCH);
    return 0;
}