Bug #2915

closed

Feature #2283: turn content modifiers into 'sticky buffers'

modernize ssh sticky buffers

Added by Victor Julien almost 5 years ago. Updated almost 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Currently we have

ssh_proto:
    Description: ssh_protocol sticky buffer
    Features: No option
    Documentation: https://suricata.readthedocs.io/en/latest/rules/ssh-keywords.html#ssh-proto
ssh.protoversion:
    Description: match SSH protocol version
    Features: none
    Documentation: https://suricata.readthedocs.io/en/latest/rules/ssh-keywords.html#ssh-protoversion
ssh_software:
    Description: ssh_software sticky buffer
    Features: No option
    Documentation: https://suricata.readthedocs.io/en/latest/rules/ssh-keywords.html#ssh-software
ssh.softwareversion:
    Description: match SSH software string
    Features: none
    Documentation: https://suricata.readthedocs.io/en/latest/rules/ssh-keywords.html#ssh-softwareversion

ssh.softwareversion and ssh.protoversion are legacy and scheduled for removal in #2377

The ssh_proto and ssh_software need the following updates:

1. mpm and content api v2
2. new default names: ssh.proto / ssh.software
3. existing names as 'alias'
4. set SIGMATCH_INFO_STICKY_BUFFER flag (see src/detect-http-client-body.c)

Actions #1

Updated by Victor Julien almost 5 years ago

  • Assignee changed from OISF Dev to Jeff Lucovsky
Actions #2

Updated by Victor Julien almost 5 years ago

  • Status changed from New to Closed