00001 //--------------------------------------------------------------------------
00002 // Copyright (C) 2015-2017 Cisco and/or its affiliates. All rights reserved.
00003 //
00004 // This program is free software; you can redistribute it and/or modify it
00005 // under the terms of the GNU General Public License Version 2 as published
00006 // by the Free Software Foundation. You may not use, modify or distribute
00007 // this program under any other version of the GNU General Public License.
00008 //
00009 // This program is distributed in the hope that it will be useful, but
00010 // WITHOUT ANY WARRANTY; without even the implied warranty of
00011 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
00012 // General Public License for more details.
00013 //
00014 // You should have received a copy of the GNU General Public License along
00015 // with this program; if not, write to the Free Software Foundation, Inc.,
00016 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
00017 //--------------------------------------------------------------------------
00018
00019 // ssh_module.cc author Bhagyashree Bantwal <bbantwal@cisco.com>
00020
00021 #ifdef HAVE_CONFIG_H
00022 #include "config.h"
00023 #endif
00024
00025 #include "ssh_module.h"
00026
00027 #include <cassert>
00028
00029 using namespace std;
00030
// Alert message text for each SSH_EVENT_* id, paired with the ids in
// ssh_rules below. These are the strings an operator sees when the
// inspector raises the corresponding event, so keep them stable: rule
// documentation and tooling key off them.
#define SSH_EVENT_RESPOVERFLOW_STR \
    "challenge-response overflow exploit"
#define SSH_EVENT_CRC32_STR \
    "SSH1 CRC32 exploit"
#define SSH_EVENT_SECURECRT_STR \
    "server version string overflow"
#define SSH_EVENT_WRONGDIR_STR \
    "bad message direction"
#define SSH_PAYLOAD_SIZE_STR \
    "payload size incorrect for the given payload"
#define SSH_VERSION_STR \
    "failed to detect SSH version string"
00043
// Configuration parameters accepted by this module, handed to the Module
// base in the constructor. Each entry is { name, type, range, default, help }.
// The range string is the only bound applied to these values: set() below
// stores whatever it receives without re-checking, so the framework's range
// validation (presumably applied before set() is called) is what keeps the
// counters within limits. The table ends with a PT_MAX sentinel.
static const Parameter s_params[] =
{
    // Sessions that stay encrypted past this many packets are no longer
    // inspected; the exploit checks all target the pre-encryption exchange.
    { "max_encrypted_packets", Parameter::PT_INT, "0:65535", "25",
      "ignore session after this many encrypted packets" },

    // Unanswered client bytes before SSH_EVENT_RESPOVERFLOW / SSH_EVENT_CRC32.
    { "max_client_bytes", Parameter::PT_INT, "0:65535", "19600",
      "number of unanswered bytes before alerting on challenge-response overflow or CRC32" },

    // Server version string length before SSH_EVENT_SECURECRT.
    { "max_server_version_len", Parameter::PT_INT, "0:255", "80",
      "limit before alerting on secure CRT server version string overflow" },

    { nullptr, Parameter::PT_MAX, nullptr, nullptr, nullptr }
};
00057
// Maps each SSH_EVENT_* id to its alert text; returned by get_rules().
// The ids are declared outside this file; the strings are the macros above.
// Terminated by a { 0, nullptr } sentinel.
static const RuleMap ssh_rules[] =
{
    { SSH_EVENT_RESPOVERFLOW, SSH_EVENT_RESPOVERFLOW_STR },
    { SSH_EVENT_CRC32, SSH_EVENT_CRC32_STR },
    { SSH_EVENT_SECURECRT, SSH_EVENT_SECURECRT_STR },
    { SSH_EVENT_WRONGDIR, SSH_EVENT_WRONGDIR_STR },
    { SSH_EVENT_PAYLOAD_SIZE, SSH_PAYLOAD_SIZE_STR },
    { SSH_EVENT_VERSION, SSH_VERSION_STR },

    { 0, nullptr }
};
00069
// Peg (statistics counter) descriptions returned by get_pegs(). The order
// must match the PegCount fields that get_counts() exposes, since that
// accessor reinterprets the stats struct as a flat PegCount array.
// Not static: presumably referenced from another translation unit.
// Terminated by a CountType::END sentinel.
const PegInfo ssh_pegs[] =
{
    { CountType::SUM, "packets", "total packets" },
    { CountType::NOW, "concurrent_sessions", "total concurrent ssh sessions" },
    { CountType::MAX, "max_concurrent_sessions", "maximum concurrent ssh sessions" },
    { CountType::END, nullptr, nullptr }
};
00077
00078 //-------------------------------------------------------------------------
00079 // ssh module
00080 //-------------------------------------------------------------------------
00081
// Register the module's name, help text and parameter table with the
// Module base. No SSH_PROTO_CONF exists until begin() allocates one.
SshModule::SshModule() : Module(SSH_NAME, SSH_HELP, s_params), conf(nullptr)
{ }
00086
// Release a configuration that begin() allocated but get_data() never
// claimed. delete on a null pointer is a no-op, so no guard is needed.
SshModule::~SshModule()
{
    delete conf;
}
00092
// Event id -> alert text table (ssh_rules) for the event machinery.
const RuleMap* SshModule::get_rules() const
{
    return ssh_rules;
}
00095
// Descriptions of the counters exposed by get_counts(), in the same order.
const PegInfo* SshModule::get_pegs() const
{
    return ssh_pegs;
}
00098
// Expose the thread-local SshStats as a flat PegCount array that lines up
// with ssh_pegs. The C-style cast reinterprets the struct's storage; it is
// only sound while SshStats (declared in the header, not visible here)
// consists solely of consecutive PegCount fields in ssh_pegs order.
PegCount* SshModule::get_counts() const
{
    return (PegCount*)&sshstats;
}
00101
// Profiling bucket for the SSH inspector; sshPerfStats is defined elsewhere.
ProfileStats* SshModule::get_profile() const
{
    return &sshPerfStats;
}
00104
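// Store one configuration value into the SSH_PROTO_CONF under construction.
//
// The three accepted names mirror s_params. The value is stored as-is:
// nothing here re-checks the "0:65535" / "0:255" ranges, so those ranges
// (and whatever enforces them before this call) are the only bound on the
// inspector's thresholds.
//
// Returns false for a name this module does not own, true otherwise.
bool SshModule::set(const char*, Value& v, SnortConfig*)
{
    // begin() must have allocated conf before any value arrives; without
    // it the stores below would dereference a null pointer. Mirrors the
    // assert(!conf) precondition in begin().
    assert(conf);

    if ( v.is("max_encrypted_packets") )
        conf->MaxEncryptedPackets = v.get_long();

    else if ( v.is("max_client_bytes") )
        conf->MaxClientBytes = v.get_long();

    else if ( v.is("max_server_version_len") )
        conf->MaxServerVersionLen = v.get_long();

    else
        return false;

    return true;
}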
00121
// Hand the finished SSH_PROTO_CONF to the caller, which becomes its owner.
// The module's pointer is cleared so the destructor will not delete it and
// so begin() can allocate a fresh one for the next configuration block.
SSH_PROTO_CONF* SshModule::get_data()
{
    SSH_PROTO_CONF* released = conf;
    conf = nullptr;
    return released;
}
00128
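// Start a new configuration block: allocate the SSH_PROTO_CONF that set()
// fills in and get_data() later hands off.
//
// The assert enforces that any previous conf was already claimed through
// get_data(); otherwise it would be leaked or silently replaced.
// Always returns true.
bool SshModule::begin(const char*, int, SnortConfig*)
{
    assert(!conf);
    // Value-initialize (the trailing parentheses) rather than default-
    // initialize, so any field that set() never writes starts zeroed
    // instead of holding indeterminate memory.
    conf = new SSH_PROTO_CONF();
    return true;
}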
00135