diff -Naur snort-2.7.0.1/src/dynamic-preprocessors/ssh/spp_ssh.c ss-snort-2.7.0.1-ssh/src/dynamic-preprocessors/ssh/spp_ssh.c
--- snort-2.7.0.1/src/dynamic-preprocessors/ssh/spp_ssh.c 2007-07-03 14:41:42.000000000 -0600
+++ ss-snort-2.7.0.1-ssh/src/dynamic-preprocessors/ssh/spp_ssh.c 2007-09-11 10:26:00.000000000 -0600
@@ -34,6 +34,10 @@
 *
 */
+ /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure)
+ applies to marked preprocessor drops */
+
+
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif /* HAVE_CONFIG_H */
@@ -300,6 +304,38 @@
 {
 ssh_config.EnabledAlerts &= ~SSH_ALERT_UNRECOGNIZED;
 }
+ else if( !strcmp( cur_tokenp, DROP_GOBBLES ))
+ {
+ ssh_config.drop_flags |= SSH_DROP_GOBBLES;
+ }
+ else if( !strcmp( cur_tokenp, DROP_CRC32 ))
+ {
+ ssh_config.drop_flags |= SSH_DROP_CRC32;
+ }
+ else if( !strcmp( cur_tokenp, DROP_SECURECRT ))
+ {
+ ssh_config.drop_flags |= SSH_DROP_SECURECRT;
+ }
+ else if( !strcmp( cur_tokenp, DROP_PROTOMISMATCH ))
+ {
+ ssh_config.drop_flags |= SSH_DROP_PROTOMISMATCH;
+ }
+ else if( !strcmp( cur_tokenp, DROP_WRONGDIR ))
+ {
+ ssh_config.drop_flags |= SSH_DROP_WRONGDIR;
+ }
+ else if( !strcmp( cur_tokenp, DROP_PAYLOAD_SIZE ))
+ {
+ ssh_config.drop_flags |= SSH_DROP_PAYSIZE;
+ }
+ else if( !strcmp( cur_tokenp, DROP_VERSION ))
+ {
+ ssh_config.drop_flags |= SSH_DROP_UNRECOGNIZED;
+ }
+ else if( !strcmp( cur_tokenp, DROP_ALL ))
+ {
+ ssh_config.drop_flags |= SSH_DROP_ALL;
+ }
 else
 {
 DynamicPreprocessorFatalMessage("Invalid argument: %s\n", cur_tokenp);
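Review bot: The new `drop_*` keywords are accepted without regard to whether the matching alert is enabled, yet every `_dpd.inlineDrop` this patch adds sits inside an `if(ssh_config.EnabledAlerts & SSH_ALERT_*)` block, so a configuration that sets `drop_paysize` but disables the payload-size alert silently never drops. After the token loop (which ends outside this hunk) a one-time consistency check would make that visible, e.g. `if ((ssh_config.drop_flags & SSH_DROP_PAYSIZE) && !(ssh_config.EnabledAlerts & SSH_ALERT_PAYSIZE)) _dpd.logMsg(" Warning: drop_paysize set but the alert is disabled\n");` for each pair, or the drop could simply be refused with `DynamicPreprocessorFatalMessage` like the other invalid inputs here. None of the eight branches consults `_dpd.inlineMode()`, which is fine at parse time, but a single log line saying drops are inline-only would spare operators the surprise later. The enclosing parse function begins before the hunk.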
@@ -332,25 +368,80 @@
 _dpd.logMsg(" GOBBLES Alert: %s\n",
 ssh_config.EnabledAlerts & SSH_ALERT_GOBBLES ?
 "ENABLED" : "DISABLED" );
+ /** StillSecure **/
+ if(ssh_config.EnabledAlerts & SSH_ALERT_GOBBLES)
+ {
+ _dpd.logMsg(" GOBBLES Drop: %s\n",
+ ssh_config.drop_flags & SSH_DROP_GOBBLES ?
+ "ENABLED" : "DISABLED");
+ }
+ /** End StillSecure **/
 _dpd.logMsg(" SSH1 CRC32 Alert: %s\n",
 ssh_config.EnabledAlerts & SSH_ALERT_CRC32 ?
 "ENABLED" : "DISABLED" );
-
+ /** StillSecure **/
+ if(ssh_config.EnabledAlerts & SSH_ALERT_CRC32)
+ {
+ _dpd.logMsg(" SSH1 CRC32 Drop: %s\n",
+ ssh_config.drop_flags & SSH_DROP_CRC32 ?
+ "ENABLED" : "DISABLED");
+ }
+ /** End StillSecure **/
 _dpd.logMsg(" Server Version String Overflow Alert: %s\n",
 ssh_config.EnabledAlerts & SSH_ALERT_SECURECRT ?
 "ENABLED" : "DISABLED" );
+ /** StillSecure **/
+ if(ssh_config.EnabledAlerts & SSH_ALERT_SECURECRT)
+ {
+ _dpd.logMsg(" Server Version String Overflow Drop: %s\n",
+ ssh_config.drop_flags & SSH_DROP_SECURECRT ?
+ "ENABLED" : "DISABLED");
+ }
+ /** End StillSecure **/
 _dpd.logMsg(" Protocol Mismatch Alert: %s\n",
 ssh_config.EnabledAlerts & SSH_ALERT_PROTOMISMATCH?
 "ENABLED" : "DISABLED" );
+ /** StillSecure **/
+ if(ssh_config.EnabledAlerts & SSH_ALERT_PROTOMISMATCH)
+ {
+ _dpd.logMsg(" Protocol Mismatch Drop: %s\n",
+ ssh_config.drop_flags & SSH_DROP_PROTOMISMATCH ?
+ "ENABLED" : "DISABLED");
+ }
+ /** End StillSecure **/
 _dpd.logMsg(" Bad Message Direction Alert: %s\n",
 ssh_config.EnabledAlerts & SSH_ALERT_WRONGDIR ?
 "ENABLED" : "DISABLED" );
- _dpd.logMsg(" Bad Payload Size Alert: %s\n",
+ /** StillSecure **/
+ if(ssh_config.EnabledAlerts & SSH_ALERT_WRONGDIR)
+ {
+ _dpd.logMsg(" Bad Message Direction Drop: %s\n",
+ ssh_config.drop_flags & SSH_DROP_WRONGDIR ?
+ "ENABLED" : "DISABLED");
+ }
+ /** End StillSecure **/
+ _dpd.logMsg(" Bad Payload Size Alert: %s\n",
 ssh_config.EnabledAlerts & SSH_ALERT_PAYSIZE ?
- "ENABLED" : "DISABLED" );
+ "ENABLED" : "DISABLED" );
+ /** StillSecure **/
+ if(ssh_config.EnabledAlerts & SSH_ALERT_PAYSIZE)
+ {
+ _dpd.logMsg(" Bad Payload Size Drop: %s\n",
+ ssh_config.drop_flags & SSH_DROP_PAYSIZE ?
+ "ENABLED" : "DISABLED");
+ }
+ /** End StillSecure **/
 _dpd.logMsg(" Unrecognized Version Alert: %s\n",
 ssh_config.EnabledAlerts & SSH_ALERT_UNRECOGNIZED ?
 "ENABLED" : "DISABLED" );
+ /** StillSecure **/
+ if(ssh_config.EnabledAlerts & SSH_ALERT_UNRECOGNIZED)
+ {
+ _dpd.logMsg(" Unrecognized Version Drop: %s\n",
+ ssh_config.drop_flags & SSH_DROP_UNRECOGNIZED ?
+ "ENABLED" : "DISABLED");
+ }
+ /** End StillSecure **/
 _dpd.logMsg(" Max Encrypted Packets: %d %s \n",
 ssh_config.MaxEncryptedPackets,
 ssh_config.MaxEncryptedPackets
@@ -529,6 +620,10 @@
 packetp->stream_session_ptr, packetp, SSN_DIR_BOTH, -1, 0 );
+ /** StillSecure **/
+ if( (ssh_config.drop_flags & SSH_DROP_CRC32) && _dpd.inlineMode() )
+ _dpd.inlineDrop(packetp);
+ /** End StillSecure **/
 }
 }
 else
@@ -541,6 +636,10 @@
 packetp->stream_session_ptr, packetp, SSN_DIR_BOTH, -1, 0 );
+ /** StillSecure **/
+ if( (ssh_config.drop_flags & SSH_DROP_GOBBLES) && _dpd.inlineMode() )
+ _dpd.inlineDrop(packetp);
+ /** End StillSecure **/
 }
 }
 }
@@ -727,6 +826,10 @@
 (SSHCheckStrlen(&version_stringp[6], SSH_MAX_PROTOVERS_STRING-6)))
 {
 ALERT(SSH_EVENT_SECURECRT, SSH_EVENT_SECURECRT_STR);
+ /** StillSecure **/
+ if( (ssh_config.drop_flags & SSH_DROP_SECURECRT) && _dpd.inlineMode() )
+ _dpd.inlineDrop(packetp);
+ /** End StillSecure **/
 }
 }
 else if ( packetp->payload_size >= 6 &&
@@ -743,6 +846,10 @@
 SSH_ALERT_PROTOMISMATCH ))
 {
 ALERT(SSH_EVENT_PROTOMISMATCH, SSH_EVENT_PROTOMISMATCH_STR);
+ /** StillSecure **/
+ if( (ssh_config.drop_flags & SSH_DROP_GOBBLES) && _dpd.inlineMode() )
+ _dpd.inlineDrop(packetp);
+ /** End StillSecure **/
 }
 return SSH_FAILURE;
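Review bot: The `Drop: ENABLED` lines print whenever the flag bit is set, but every drop added in this patch is additionally gated on `_dpd.inlineMode()`, so in passive mode the startup banner advertises drops that can never happen. If `_dpd.inlineMode()` is safe to call at configuration time, gate the text on it too, e.g. `(ssh_config.drop_flags & SSH_DROP_GOBBLES) && _dpd.inlineMode() ? "ENABLED" : "DISABLED"`, or append `(inline mode only)` to the label; the same applies to the other six Drop blocks in this hunk. The seven blocks differ only in a label and two masks, so a small `static` helper taking those three arguments would remove most of the added lines and keep the two sets of masks visibly paired. The enclosing display function starts before and ends after the hunk.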
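Review bot: In the Protocol Mismatch branch the added drop tests `SSH_DROP_GOBBLES`, so `drop_protomismatch` never drops and `drop_gobbles` drops protocol-mismatch traffic instead; the line should read `if( (ssh_config.drop_flags & SSH_DROP_PROTOMISMATCH) && _dpd.inlineMode() )`. The hunk at @@ -869 has the same slip: the "Client msg not from client" WRONGDIR path checks `SSH_DROP_GOBBLES` where `SSH_DROP_WRONGDIR` is meant, breaking the alert/drop pairing used at every other WRONGDIR site. Both look like copy-paste residue from the @@ -541 block; a quick grep that each `SSH_DROP_*` mask appears next to its `SSH_EVENT_*`/`SSH_ALERT_*` twin would catch this class of error. The enclosing function continues outside the hunk.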
@@ -798,9 +905,13 @@
 */
 if ( packetp->payload_size < 4 )
 {
- if(ssh_config.EnabledAlerts & SSH_ALERT_PAYSIZE)
+ if((ssh_config.EnabledAlerts & SSH_ALERT_PAYSIZE) && _dpd.inlineMode())
 {
 ALERT(SSH_EVENT_PAYLOAD_SIZE, SSH_PAYLOAD_SIZE_STR);
+ /** StillSecure **/
+ if(ssh_config.drop_flags & SSH_DROP_PAYSIZE)
+ _dpd.inlineDrop(packetp);
+ /** End StillSecure **/
 }
 return SSH_FAILURE;
@@ -819,6 +930,10 @@
 if(ssh_config.EnabledAlerts & SSH_ALERT_PAYSIZE)
 {
 ALERT(SSH_EVENT_PAYLOAD_SIZE, SSH_PAYLOAD_SIZE_STR);
+ /** StillSecure **/
+ if((ssh_config.drop_flags & SSH_DROP_PAYSIZE) && _dpd.inlineMode())
+ _dpd.inlineDrop(packetp);
+ /** End StillSecure **/
 }
 return SSH_FAILURE;
@@ -835,6 +950,10 @@
 if(ssh_config.EnabledAlerts & SSH_ALERT_PAYSIZE)
 {
 ALERT(SSH_EVENT_PAYLOAD_SIZE, SSH_PAYLOAD_SIZE_STR);
+ /** StillSecure **/
+ if((ssh_config.drop_flags & SSH_DROP_PAYSIZE) && _dpd.inlineMode())
+ _dpd.inlineDrop(packetp);
+ /** End StillSecure **/
 }
 return SSH_FAILURE;
@@ -856,6 +975,10 @@
 {
 /* Server msg not from server. */
 ALERT(SSH_EVENT_WRONGDIR, SSH_EVENT_WRONGDIR_STR);
+ /** StillSecure **/
+ if((ssh_config.drop_flags & SSH_DROP_WRONGDIR) && _dpd.inlineMode())
+ _dpd.inlineDrop(packetp);
+ /** End StillSecure **/
 }
 break;
 case SSH_MSG_V1_CMSG_SESSION_KEY:
@@ -869,6 +992,10 @@
 {
 /* Client msg not from client. */
 ALERT(SSH_EVENT_WRONGDIR, SSH_EVENT_WRONGDIR_STR);
+ /** StillSecure **/
+ if((ssh_config.drop_flags & SSH_DROP_GOBBLES) && _dpd.inlineMode())
+ _dpd.inlineDrop(packetp);
+ /** End StillSecure **/
 }
 break;
 default:
@@ -926,6 +1053,10 @@
 {
 /* Unrecognized version. */
 ALERT(SSH_EVENT_VERSION, SSH_VERSION_STR);
+ /** StillSecure **/
+ if((ssh_config.drop_flags & SSH_DROP_UNRECOGNIZED) && _dpd.inlineMode())
+ _dpd.inlineDrop(packetp);
+ /** End StillSecure **/
 }
 return SSH_FAILURE;
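Review bot: The rewritten condition `if((ssh_config.EnabledAlerts & SSH_ALERT_PAYSIZE) && _dpd.inlineMode())` now suppresses the payload-size alert itself whenever Snort is not running inline, a detection regression that has nothing to do with dropping; the other PAYSIZE sites in this patch (@@ -819, @@ -835, @@ -969) keep the alert condition untouched and put the inline-mode test on the drop. Restore the original `if(ssh_config.EnabledAlerts & SSH_ALERT_PAYSIZE)` and move the test inward to match them: `if((ssh_config.drop_flags & SSH_DROP_PAYSIZE) && _dpd.inlineMode())`. The enclosing function begins before the hunk.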
@@ -969,6 +1100,10 @@
 {
 /* Invalid packet length. */
 ALERT(SSH_EVENT_PAYLOAD_SIZE, SSH_PAYLOAD_SIZE_STR);
+ /** StillSecure **/
+ if((ssh_config.drop_flags & SSH_DROP_PAYSIZE) && _dpd.inlineMode())
+ _dpd.inlineDrop(packetp);
+ /** End StillSecure **/
 }
 return SSH_FAILURE;
@@ -987,6 +1122,10 @@
 {
 /* Client msg from server. */
 ALERT(SSH_EVENT_WRONGDIR, SSH_EVENT_WRONGDIR_STR);
+ /** StillSecure **/
+ if((ssh_config.drop_flags & SSH_DROP_WRONGDIR) && _dpd.inlineMode())
+ _dpd.inlineDrop(packetp);
+ /** End StillSecure **/
 }
 break;
 case SSH_MSG_KEXDH_REPLY:
@@ -1005,6 +1144,10 @@
 {
 /* Server msg from client. */
 ALERT(SSH_EVENT_WRONGDIR, SSH_EVENT_WRONGDIR_STR);
+ /** StillSecure **/
+ if((ssh_config.drop_flags & SSH_DROP_WRONGDIR) && _dpd.inlineMode())
+ _dpd.inlineDrop(packetp);
+ /** End StillSecure **/
 }
 break;
 case SSH_MSG_KEXDH_GEX_REQ:
@@ -1018,6 +1161,10 @@
 {
 /* Server msg from client. */
 ALERT(SSH_EVENT_WRONGDIR, SSH_EVENT_WRONGDIR_STR);
+ /** StillSecure **/
+ if((ssh_config.drop_flags & SSH_DROP_WRONGDIR) && _dpd.inlineMode())
+ _dpd.inlineDrop(packetp);
+ /** End StillSecure **/
 }
 break;
 case SSH_MSG_KEXDH_GEX_GRP:
@@ -1031,6 +1178,10 @@
 {
 /* Client msg from server. */
 ALERT(SSH_EVENT_WRONGDIR, SSH_EVENT_WRONGDIR_STR);
+ /** StillSecure **/
+ if((ssh_config.drop_flags & SSH_DROP_WRONGDIR) && _dpd.inlineMode())
+ _dpd.inlineDrop(packetp);
+ /** End StillSecure **/
 }
 break;
 case SSH_MSG_KEXDH_GEX_INIT:
@@ -1044,6 +1195,10 @@
 {
 /* Server msg from client. */
 ALERT(SSH_EVENT_WRONGDIR, SSH_EVENT_WRONGDIR_STR);
+ /** StillSecure **/
+ if((ssh_config.drop_flags & SSH_DROP_WRONGDIR) && _dpd.inlineMode())
+ _dpd.inlineDrop(packetp);
+ /** End StillSecure **/
 }
 break;
 case SSH_MSG_NEWKEYS:
diff -Naur snort-2.7.0.1/src/dynamic-preprocessors/ssh/spp_ssh.h ss-snort-2.7.0.1-ssh/src/dynamic-preprocessors/ssh/spp_ssh.h
--- snort-2.7.0.1/src/dynamic-preprocessors/ssh/spp_ssh.h 2007-07-03 14:41:42.000000000 -0600
+++ ss-snort-2.7.0.1-ssh/src/dynamic-preprocessors/ssh/spp_ssh.h 2007-09-11 10:26:09.000000000 -0600
@@ -26,6 +26,10 @@
 * Author: Chris Sherwin
 */
+ /* Copyright © 2007 Latis Networks, Inc. ((d.b.a. StillSecure)
+ applies to marked preprocessor drops */
+
+
 #ifndef SPP_SSH_H
 #define SPP_SSH_H
@@ -91,6 +95,8 @@
 u_int16_t EnabledAlerts;
 // SSHPortNode* PortList;
 char ports[MAX_PORTS/8];
+ //StillSecure
+ u_int16_t drop_flags;
 } SSHConfig;
@@ -260,6 +266,33 @@
 #define SSH_PAYLOAD_SIZE_STR "(spp_ssh) Payload size incorrect for the given payload"
 #define SSH_VERSION_STR "(spp_ssh) Failed to detect SSH version string"
+/** StillSecure **/
+/*
+ * SSH Drop keywords
+ */
+#define DROP_GOBBLES "drop_gobbles"
+#define DROP_CRC32 "drop_ssh1crc32"
+#define DROP_SECURECRT "drop_srvoverflow"
+#define DROP_PROTOMISMATCH "drop_protomismatch"
+#define DROP_WRONGDIR "drop_badmsgdir"
+#define DROP_PAYLOAD_SIZE "drop_paysize"
+#define DROP_VERSION "drop_recognition"
+#define DROP_ALL "drop_all"
+
+/*
+ * SSH Drop Masks
+ */
+#define SSH_DROP_GOBBLES 0x00000001
+#define SSH_DROP_CRC32 0x00000002
+#define SSH_DROP_SECURECRT 0x00000004
+#define SSH_DROP_PROTOMISMATCH 0x00000008
+#define SSH_DROP_WRONGDIR 0x00000010
+#define SSH_DROP_PAYSIZE 0x00000020
+#define SSH_DROP_UNRECOGNIZED 0x00000040
+#define SSH_DROP_ALL 0x000000FF
+/** End StillSecure **/
+
+
 /* Prototypes for public interface */
 extern void SetupSSH(void);
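Review bot: `drop_flags` is added to `SSHConfig` with only the marker comment `//StillSecure`, which records who added the field but not what it holds or when it is consulted. Suggest `/* StillSecure: bitmask of SSH_DROP_* values; a drop is only taken when the matching SSH_ALERT_* bit is also set in EnabledAlerts and _dpd.inlineMode() is true */`, which is the contract every drop site in spp_ssh.c follows. The struct definition begins before the hunk.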
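Review bot: `SSH_DROP_ALL` is `0x000000FF` but only seven drop bits (0x01 through 0x40) are defined, so `drop_all` also sets an unnamed 0x80 bit in the 16-bit `drop_flags`; it is harmless today because the field is only ever tested with `&` against named masks, but the next flag added will silently inherit "all" semantics whether or not that is intended. Define it from the named masks instead, `#define SSH_DROP_ALL (SSH_DROP_GOBBLES | SSH_DROP_CRC32 | SSH_DROP_SECURECRT | SSH_DROP_PROTOMISMATCH | SSH_DROP_WRONGDIR | SSH_DROP_PAYSIZE | SSH_DROP_UNRECOGNIZED)`, or at minimum `0x0000007F`. The `DROP_VERSION` keyword is the one pair whose mask name does not echo the keyword (`SSH_DROP_UNRECOGNIZED`, set by the parser for `drop_recognition`); a one-line comment beside it would spare the next reader a search of the .c file.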