Project

General

Profile

Actions

Bug #4563

open

Rules based on SSH banner-related keywords only match on acked data

Added by Johan Mazel 5 months ago. Updated 2 months ago.

Status:
In Review
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport

Description

I noticed that rules based on SSH banner-related keywords only matched if the data is acknowledged by both client and server.
SSH fields used in the rule are however always present in the eve.json files.

I attached:
  • some pcaps with minimal examples with a TCP three-way handshake, incomplete or complete SSH banner exchange and a final RST from the client.
  • a file with some rules.
Here is the test case descriptions, the expected behavior, and the observed behavior:
  • Case 1 - SB: only server sends its banner - rules match - rules do not match.
  • Case 2 - SBCA: server sends its banner and client acks it - rules match - rules do not match.
  • Case 3 - SBCB: server sends its banner and client sends its banner - rules match - rules do not match.
  • Case 4 - SBCBSA: server sends its banner, client sends its banner, and server server the client's banner - rules match - rules match.

Files

custom_SSH_SBCA.pcap (594 Bytes) custom_SSH_SBCA.pcap Case 2 Johan Mazel, 07/26/2021 12:50 PM
custom_SSH_SB.pcap (524 Bytes) custom_SSH_SB.pcap Case 1 Johan Mazel, 07/26/2021 12:50 PM
custom_SSH_SBCBSA.pcap (784 Bytes) custom_SSH_SBCBSA.pcap Case 4 Johan Mazel, 07/26/2021 12:50 PM
custom_SSH_SBCB.pcap (714 Bytes) custom_SSH_SBCB.pcap Case 3 Johan Mazel, 07/26/2021 12:50 PM
suricata_ssh.rules (534 Bytes) suricata_ssh.rules SSH rules Johan Mazel, 07/26/2021 12:51 PM

Related issues

Copied to Bug #4636: Rules based on SSH banner-related keywords only match on acked dataClosedShivani BhardwajActions
Actions #1

Updated by Victor Julien 4 months ago

  • Status changed from New to Assigned
  • Assignee set to Philippe Antoine
  • Target version set to 7.0rc1
  • Private changed from No to Yes
  • Label Needs backport added
Actions #2

Updated by Johan Mazel 4 months ago

There is a typo on case 4: "server server the client's banner" should be "server acks the client's banner".

Actions #3

Updated by Philippe Antoine 4 months ago

  • Status changed from Assigned to In Review
  • Assignee changed from Philippe Antoine to Shivani Bhardwaj

https://github.com/OISF/suricata/pull/6302 + https://github.com/OISF/suricata/pull/6294/commits/90a6d2755e45527f6bcfb708ff06c5c8336792d2

Need to update S-V test as

diff --git a/tests/ssh-banner-only/test.yaml b/tests/ssh-banner-only/test.yaml
index 5c4b908..c138be0 100644
--- a/tests/ssh-banner-only/test.yaml
+++ b/tests/ssh-banner-only/test.yaml
@@ -20,4 +20,4 @@ checks:
       count: 1
       match:
         event_type: alert
-        alert.signature_id: 1
+        alert.signature_id: 2

Actions #4

Updated by Jeff Lucovsky 4 months ago

  • Copied to Bug #4636: Rules based on SSH banner-related keywords only match on acked data added
Actions #5

Updated by Shivani Bhardwaj 2 months ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF