Project

General

Profile

Actions
Copy link

Task #3485

closed

Research: check SSH parsing end of banner

Added by Philippe Antoine about 4 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

Follows conversation on https://github.com/OISF/suricata/pull/4546#discussion_r378704002

I am not sure that SSH parser should accept single CR as end of banner, but that is what is being done by the C parser.
This is enforced by the unit tests :
https://github.com/OISF/suricata/blob/master/src/app-layer-ssh.c#L2222

This is something to test against real implementations.

OpenSSH does not accept CR as end of banner :
https://github.com/openssh/openssh-portable/blob/master/ssh_api.c#L345
It only accepts LF and CRLF

Related issues 1 (0 open1 closed)

Related to Suricata - Feature #3445: Convert SSH parser to RustClosedPhilippe AntoineActions
Actions
Copy link
 #1

Updated by Victor Julien about 4 years ago

  • Tracker changed from Bug to Task
  • Subject changed from Check SSH parsing end of banner to Research: check SSH parsing end of banner
Actions
Copy link
 #2

Updated by Philippe Antoine about 4 years ago

Wa can also test for 0 or 1-length SSH records (not containing message code) cf https://github.com/OISF/suricata/pull/4546#discussion_r378704320

Actions
Copy link
 #3

Updated by Victor Julien almost 4 years ago

  • Parent task deleted (#3445)
Actions
Copy link
 #4

Updated by Victor Julien almost 4 years ago

Actions
Copy link
 #5

Updated by Philippe Antoine over 2 years ago

  • Status changed from New to Closed

Closing until a user wants this...

Actions
Copy link

Also available in: Atom PDF