Skip to content

Ssh frames 5734 v2#11372

Closed
catenacyber wants to merge 2 commits intoOISF:masterfrom
catenacyber:ssh-frames-5734-v2
Closed

Ssh frames 5734 v2#11372
catenacyber wants to merge 2 commits intoOISF:masterfrom
catenacyber:ssh-frames-5734-v2

Conversation

@catenacyber
Copy link
Contributor

@catenacyber catenacyber commented Jun 27, 2024

Link to ticket: https://redmine.openinfosecfoundation.org/issues/
https://redmine.openinfosecfoundation.org/issues/5734

Describe changes:

  • ssh: add frames support (for clear-text records after banner)
  • detect: run frames detection on packet disabling app-layer because next packets are encrypted

SV_BRANCH=OISF/suricata-verify#1932

#11340 with clear PR history

@catenacyber
ssh: frames support
8b0886e 
Ticket: 5734
@catenacyber
detect: run frames on pseudo flush packets
1b9474d 
for SSH packets that mark the end of plaintext
@catenacyber catenacyber mentioned this pull request Jun 27, 2024
Closed
@suricata-qa
Copy link

suricata-qa commented Jun 27, 2024

Information: QA ran without warnings.

Pipeline 21265

victorjulien
victorjulien reviewed Jul 1, 2024
View reviewed changes
rust/src/ssh/ssh.rs
while !input.is_empty() {
match parser::ssh_parse_record(input) {
Ok((rem, head)) => {
let _pdu = Frame::new(
Copy link
Member

@victorjulien victorjulien Jul 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would make sense to move this outside of Ok, as we can want the frames in malformed data as well. I suppose you would just open all 3 (RecordHdr with fixed len, the other two with -1 len), then set the final length on Ok.

In general, I am missing an explanation of the frames in the commit message.

Also should add docs for the frames, cf https://docs.suricata.io/en/latest/rules/smtp-keywords.html#frames

Copy link
Contributor Author

@catenacyber catenacyber Jul 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would make sense to move this outside of Ok, as we can want the frames in malformed data as well. I suppose you would just open all 3 (RecordHdr with fixed len, the other two with -1 len), then set the final length on Ok.

I am not sure it makes sense for SSH :

  • malformed data can only be "negative length" for SSH record data (in SSH, there is the anti pattern that the length includes the fixed header length), and in this case, the flow is placed into error. So it is then impossible to "set the final length on Ok."
  • for incomplete data, it is already handled in one way

Should I spend some time again to try to make a SV test that shows a different behavior with -1 len ?

In general, I am missing an explanation of the frames in the commit message.

Adding something

Also should add docs for the frames

I thought frames were automatically documented, by some rustdocs magic with // app-layer-frame-documentation tag start: FrameType enum
cc @jasonish ?

Add adding something like smtp

Copy link
Member

@jasonish jasonish Jul 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought frames were automatically documented, by some rustdocs magic with // app-layer-frame-documentation tag start: FrameType enum
cc @jasonish ?

Am not familiar with anything like this.

Copy link
Contributor Author

@catenacyber catenacyber Jul 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See b846269

I had interpreted this wrongly

@catenacyber catenacyber mentioned this pull request Jul 4, 2024
Closed
@catenacyber
Copy link
Contributor Author

catenacyber commented Jul 4, 2024

Continued in #11415

@catenacyber catenacyber closed this Jul 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasonish jasonish jasonish left review comments

@victorjulien victorjulien victorjulien left review comments

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@catenacyber @suricata-qa @jasonish @victorjulien