Project

General

Profile

Actions
Copy link

Bug #4563

closed

Rules based on SSH banner-related keywords only match on acked data

Added by Johan Mazel over 3 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Shivani Bhardwaj
Target version:
7.0.0-beta1
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport, Needs backport to 5.0

Description

I noticed that rules based on SSH banner-related keywords only matched if the data is acknowledged by both client and server.
SSH fields used in the rule are however always present in the eve.json files.

I attached:
  • some pcaps with minimal examples with a TCP three-way handshake, incomplete or complete SSH banner exchange and a final RST from the client.
  • a file with some rules.
Here is the test case descriptions, the expected behavior, and the observed behavior:
  • Case 1 - SB: only server sends its banner - rules match - rules do not match.
  • Case 2 - SBCA: server sends its banner and client acks it - rules match - rules do not match.
  • Case 3 - SBCB: server sends its banner and client sends its banner - rules match - rules do not match.
  • Case 4 - SBCBSA: server sends its banner, client sends its banner, and server server the client's banner - rules match - rules match.

Files

Download all files
custom_SSH_SBCA.pcap (594 Bytes) custom_SSH_SBCA.pcap Case 2 Johan Mazel, 07/26/2021 12:50 PM
custom_SSH_SB.pcap (524 Bytes) custom_SSH_SB.pcap Case 1 Johan Mazel, 07/26/2021 12:50 PM
custom_SSH_SBCBSA.pcap (784 Bytes) custom_SSH_SBCBSA.pcap Case 4 Johan Mazel, 07/26/2021 12:50 PM
custom_SSH_SBCB.pcap (714 Bytes) custom_SSH_SBCB.pcap Case 3 Johan Mazel, 07/26/2021 12:50 PM
suricata_ssh.rules (534 Bytes) suricata_ssh.rules SSH rules Johan Mazel, 07/26/2021 12:51 PM

Subtasks 1 (0 open1 closed)

Bug #4903: Add test for SSH bannerClosedModupe FalodunActions

Related issues 2 (0 open2 closed)

Copied to Suricata - Bug #4636: Rules based on SSH banner-related keywords only match on acked dataClosedShivani BhardwajActions
Copied to Suricata - Bug #4922: Rules based on SSH banner-related keywords only match on acked dataRejectedJeff LucovskyActions
Actions
Copy link
 #1

Updated by Victor Julien over 3 years ago

  • Status changed from New to Assigned
  • Assignee set to Philippe Antoine
  • Target version set to 7.0.0-beta1
  • Private changed from No to Yes
  • Label Needs backport added
Actions
Copy link
 #2

Updated by Johan Mazel over 3 years ago

There is a typo on case 4: "server server the client's banner" should be "server acks the client's banner".

Actions
Copy link
 #3

Updated by Philippe Antoine over 3 years ago

  • Status changed from Assigned to In Review
  • Assignee changed from Philippe Antoine to Shivani Bhardwaj

https://github.com/OISF/suricata/pull/6302 + https://github.com/OISF/suricata/pull/6294/commits/90a6d2755e45527f6bcfb708ff06c5c8336792d2

Need to update S-V test as 

diff --git a/tests/ssh-banner-only/test.yaml b/tests/ssh-banner-only/test.yaml
index 5c4b908..c138be0 100644
--- a/tests/ssh-banner-only/test.yaml
+++ b/tests/ssh-banner-only/test.yaml
@@ -20,4 +20,4 @@ checks:
       count: 1
       match:
         event_type: alert
-        alert.signature_id: 1
+        alert.signature_id: 2

Actions
Copy link
 #4

Updated by Jeff Lucovsky over 3 years ago

  • Copied to Bug #4636: Rules based on SSH banner-related keywords only match on acked data added
Actions
Copy link
 #5

Updated by Shivani Bhardwaj about 3 years ago

  • Private changed from Yes to No
Actions
Copy link
 #6

Updated by Shivani Bhardwaj about 3 years ago

Closed by: https://github.com/OISF/suricata/pull/6584
Subtask of test needs to be completed for the status to be changed to "Closed" here.

Actions
Copy link
 #7

Updated by Victor Julien almost 3 years ago

  • Label Needs backport to 5.0 added
Actions
Copy link
 #9

Updated by Jeff Lucovsky almost 3 years ago

  • Copied to Bug #4922: Rules based on SSH banner-related keywords only match on acked data added
Actions
Copy link
 #10

Updated by Shivani Bhardwaj almost 3 years ago

  • Status changed from In Review to Closed
Actions
Copy link

Also available in: Atom PDF