?? spp_ssh.h
/* $Id */

/*
** Copyright (C) 2005 Sourcefire, Inc.
**
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/*
 * spp_ssh.h: Definitions, structs, function prototype(s) for
 *            the SSH preprocessor.
 * Author: Chris Sherwin
 *
 * This header does not include anything itself; the u_int8_t / u_int16_t /
 * u_int32_t types it uses must already be declared by the including file.
 */

#ifndef SPP_SSH_H
#define SPP_SSH_H

/*
 * Number of possible port values. SSHConfig::ports is sized as
 * MAX_PORTS/8 bytes (presumably one bit per port -- confirm in spp_ssh.c).
 */
#define MAX_PORTS 65536

/*
 * Default SSH port.
 */
#define SSH_PORT 22

/*
 * Maximum length of a valid SSH proto version string, in bytes.
 *
 * NOTE(review): RFC 4253 allows identification strings of up to 255 bytes,
 * so this is a stricter, detection-side limit rather than the protocol
 * limit. Presumably it is the threshold behind SSH_EVENT_SECURECRT --
 * confirm in spp_ssh.c.
 */
#define SSH_MAX_PROTOVERS_STRING 40

/*
 * Boolean values.
 */
#define SSH_TRUE  (1)
#define SSH_FALSE (0)

/*
 * Return codes. Success is the NON-ZERO value here, the reverse of the
 * common "0 means success" C convention, so results must be compared
 * against these macros and never tested as "rc != 0 means error".
 */
#define SSH_SUCCESS (1)
#define SSH_FAILURE (0)

/*
 * Default values for configurable parameters. Both fit the 16-bit
 * SSHConfig fields that hold them.
 */
#define SSH_DEFAULT_MAX_ENC_PKTS     25
#define SSH_DEFAULT_MAX_CLIENT_BYTES 19600

/*
 * Singly linked list node, one per configured server port.
 * The only use of this type inside this header is commented out
 * (see SSHConfig).
 *
 * server_port: Port number of the configured server.
 * nextp:       Next node in the list.
 */
typedef struct _sshPortlistNode
{
    u_int16_t                server_port;
    struct _sshPortlistNode *nextp;
} SSHPortNode;

/*
 * Global SSH preprocessor configuration.
 *
 * AutodetectEnabled:   Whether or not to apply auto-detection of SSH
 *                      to ports other than those configured.
 * MaxEncryptedPackets: Maximum number of encrypted packets examined per
 *                      session.
 * MaxClientBytes:      Maximum bytes of encrypted data that can be
 *                      sent by client without a server response.
 * DisableRules:        Disable rule processing for SSH traffic.
 * EnabledAlerts:       Bit vector describing which alerts are enabled
 *                      (SSH_ALERT_* values).
 * ports:               MAX_PORTS/8 bytes of per-port state. Declared as
 *                      plain char, whose signedness is implementation
 *                      defined; bit tests on it are safest done through an
 *                      unsigned char -- confirm how spp_ssh.c indexes it.
 */
typedef struct _sshConfig
{
    u_int8_t  AutodetectEnabled;
    u_int16_t MaxEncryptedPackets;
    u_int16_t MaxClientBytes;
    u_int16_t DisableRules;
    u_int16_t EnabledAlerts;
    /* Left disabled by the author: SSHPortNode* PortList; */
    char      ports[MAX_PORTS/8];
} SSHConfig;

/*
 * Per-session data block containing current state
 * of the SSH preprocessor for the session.
 *
 * version:          Version of SSH detected for this session
 *                   (SSH_VERSION_* values).
 * num_enc_pkts:     Number of encrypted packets seen on this session.
 * num_client_bytes: Number of bytes of encrypted data sent by client,
 *                   without a server response.
 * state_flags:      Bit vector describing the current state of the
 *                   session (SSH_FLG_* values).
 *
 * NOTE(review): both counters are 16 bits wide and so top out at 65535.
 * Whatever code adds packet counts or payload lengths to them has to
 * saturate or bound-check before the addition; otherwise the counter wraps
 * and the comparison against MaxEncryptedPackets / MaxClientBytes stops
 * being meaningful. The update code is not in this header -- confirm in
 * spp_ssh.c.
 */
typedef struct _sshData
{
    u_int8_t  version;
    u_int16_t num_enc_pkts;
    u_int16_t num_client_bytes;
    u_int32_t state_flags;
} SSHData;

/*
 * Session state flags for SSHData::state_flags.
 * One bit each; only the low 16 bits of the 32-bit field are assigned.
 */
#define SSH_FLG_CLEAR                (0x0000)
#define SSH_FLG_CLIENT_IDSTRING_SEEN (0x0001)
#define SSH_FLG_SERV_IDSTRING_SEEN   (0x0002)
#define SSH_FLG_SERV_PKEY_SEEN       (0x0004)
#define SSH_FLG_CLIENT_SKEY_SEEN     (0x0008)
#define SSH_FLG_CLIENT_KEXINIT_SEEN  (0x0010)
#define SSH_FLG_SERV_KEXINIT_SEEN    (0x0020)
#define SSH_FLG_KEXDH_INIT_SEEN      (0x0040)
#define SSH_FLG_KEXDH_REPLY_SEEN     (0x0080)
#define SSH_FLG_GEX_REQ_SEEN         (0x0100)
#define SSH_FLG_GEX_GRP_SEEN         (0x0200)
#define SSH_FLG_GEX_INIT_SEEN        (0x0400)
#define SSH_FLG_GEX_REPLY_SEEN       (0x0800)
#define SSH_FLG_NEWKEYS_SEEN         (0x1000)
#define SSH_FLG_SESS_ENCRYPTED       (0x2000)
#define SSH_FLG_GOBBLES_ALERTED      (0x4000)
#define SSH_FLG_CRC32_ALERTED        (0x8000)

/*
 * Some convenient combinations of state flags.
 * Each is a multi-bit mask, so "all of these were seen" has to be tested as
 * (flags & MASK) == MASK; a bare (flags & MASK) is true when any one bit
 * is set.
 */
#define SSH_FLG_BOTH_IDSTRING_SEEN (SSH_FLG_CLIENT_IDSTRING_SEEN | \
                                    SSH_FLG_SERV_IDSTRING_SEEN )
#define SSH_FLG_V1_KEYEXCH_DONE    (SSH_FLG_SERV_PKEY_SEEN | \
                                    SSH_FLG_CLIENT_SKEY_SEEN )
#define SSH_FLG_V2_KEXINIT_DONE    (SSH_FLG_CLIENT_KEXINIT_SEEN | \
                                    SSH_FLG_SERV_KEXINIT_SEEN )
#define SSH_FLG_V2_DHOLD_DONE      (SSH_FLG_KEXDH_INIT_SEEN | \
                                    SSH_FLG_KEXDH_REPLY_SEEN | \
                                    SSH_FLG_NEWKEYS_SEEN )
#define SSH_FLG_V2_DHNEW_DONE      (SSH_FLG_GEX_REQ_SEEN | \
                                    SSH_FLG_GEX_GRP_SEEN | \
                                    SSH_FLG_GEX_INIT_SEEN | \
                                    SSH_FLG_GEX_REPLY_SEEN | \
                                    SSH_FLG_NEWKEYS_SEEN )

/*
 * SSH version values for SSHData::version
 */
#define SSH_VERSION_UNKNOWN (0x0)
#define SSH_VERSION_1       (0x1)
#define SSH_VERSION_2       (0x2)

/*
 * Length of SSH2 header, in bytes: the 4-byte packet_length plus the
 * 1-byte padding_length of SSH2Packet.
 */
#define SSH2_HEADERLEN (5)

/*
 * SSH2 binary packet struct.
 *
 * packet_length:  Length of packet in bytes not including
 *                 this field or the mesg auth code (mac)
 * padding_length: Length of padding section.
 * packet_data:    Variable length packet payload + padding + MAC.
 *
 * packet_data[1] is the old "trailing array of one" idiom, and the struct
 * is not declared packed, so sizeof(SSH2Packet) is not the header size;
 * use SSH2_HEADERLEN for that.
 *
 * NOTE(review): when this struct is laid over captured packet bytes
 * (presumably how spp_ssh.c uses it -- confirm), packet_length and
 * padding_length are attacker-controlled. Both need to be checked against
 * the number of bytes actually captured before packet_data is indexed, and
 * packet_length presumably needs ntohl() first, since SSH sends it in
 * network byte order.
 */
typedef struct _ssh2Packet
{
    u_int32_t packet_length;
    u_int8_t  padding_length;
    char      packet_data[1];
} SSH2Packet;

/*
 * SSH v1 message types (of interest)
 */
#define SSH_MSG_V1_SMSG_PUBLIC_KEY  2
#define SSH_MSG_V1_CMSG_SESSION_KEY 3

/*
 * SSH v2 message types (of interest)
 *
 * NOTE(review): RFC 4419 assigns 31 to KEX_DH_GEX_GROUP and 33 to
 * KEX_DH_GEX_REPLY; the GRP and REPLY values below are the other way
 * round. They are left exactly as the author wrote them because the code
 * that consumes them is outside this header -- confirm against spp_ssh.c
 * before trusting the names.
 * SSH_MSG_KEXDH_REPLY and SSH_MSG_KEXDH_GEX_REPLY both expand to 31, so
 * they cannot be told apart by value and cannot both be case labels of one
 * switch.
 */
#define SSH_MSG_KEXINIT         20
#define SSH_MSG_NEWKEYS         21
#define SSH_MSG_KEXDH_INIT      30
#define SSH_MSG_KEXDH_REPLY     31
#define SSH_MSG_KEXDH_GEX_REQ   34
#define SSH_MSG_KEXDH_GEX_GRP   33
#define SSH_MSG_KEXDH_GEX_INIT  32
#define SSH_MSG_KEXDH_GEX_REPLY 31

/*
 * Direction of sent message.
 */
#define SSH_DIR_FROM_SERVER (0x1)
#define SSH_DIR_FROM_CLIENT (0x2)

/*
 * Keyword strings for parsing configuration options.
 * Each disable_* keyword names an alert that an operator can switch off;
 * note that the macro name and the keyword text do not always match
 * (SECURECRT -> "disable_srvoverflow", WRONGDIR -> "disable_badmsgdir",
 * UNRECOGNIZED_VER -> "disable_recognition").
 */
#define SSH_SERVERPORTS_KEYWORD           "server_ports"
#define SSH_MAX_ENC_PKTS_KEYWORD          "max_encrypted_packets"
#define SSH_MAX_CLIENT_BYTES_KEYWORD      "max_client_bytes"
#define SSH_AUTODETECT_KEYWORD            "autodetect"
#define SSH_DISABLE_GOBBLES_KEYWORD       "disable_gobbles"
#define SSH_DISABLE_CRC32_KEYWORD         "disable_ssh1crc32"
#define SSH_DISABLE_SECURECRT_KEYWORD     "disable_srvoverflow"
#define SSH_DISABLE_PROTOMISMATCH_KEYWORD "disable_protomismatch"
#define SSH_DISABLE_WRONGDIR_KEYWORD      "disable_badmsgdir"
#define SSH_DISABLE_RULES_KEYWORD         "disable_rules"
#define SSH_DISABLE_PAYLOAD_SIZE          "disable_paysize"
#define SSH_DISABLE_UNRECOGNIZED_VER      "disable_recognition"

/*
 * SSH preprocessor alert types (sequential event ids, 1..7).
 */
#define SSH_EVENT_GOBBLES       1
#define SSH_EVENT_CRC32         2
#define SSH_EVENT_SECURECRT     3
#define SSH_EVENT_PROTOMISMATCH 4
#define SSH_EVENT_WRONGDIR      5
#define SSH_EVENT_PAYLOAD_SIZE  6
#define SSH_EVENT_VERSION       7

/*
 * SSH alert flags, stored in SSHConfig::EnabledAlerts.
 * As defined here, the flag for event id n is bit (n - 1).
 * SSH_ALERT_ALL sets all 16 bits, including the nine that have no alert
 * assigned in this header.
 */
#define SSH_ALERT_NONE          (0x0000)
#define SSH_ALERT_GOBBLES       (0x0001)
#define SSH_ALERT_CRC32         (0x0002)
#define SSH_ALERT_SECURECRT     (0x0004)
#define SSH_ALERT_PROTOMISMATCH (0x0008)
#define SSH_ALERT_WRONGDIR      (0x0010)
#define SSH_ALERT_PAYSIZE       (0x0020)
#define SSH_ALERT_UNRECOGNIZED  (0x0040)
#define SSH_ALERT_ALL           (0xFFFF)

/*
 * SSH preprocessor alert strings.
 */
#define SSH_EVENT_GOBBLES_STR       "(spp_ssh) Gobbles exploit"
#define SSH_EVENT_CRC32_STR         "(spp_ssh) SSH1 CRC32 exploit"
#define SSH_EVENT_SECURECRT_STR     "(spp_ssh) Server version string overflow"
#define SSH_EVENT_PROTOMISMATCH_STR "(spp_ssh) Protocol mismatch"
#define SSH_EVENT_WRONGDIR_STR      "(spp_ssh) Bad message direction"
#define SSH_PAYLOAD_SIZE_STR        "(spp_ssh) Payload size incorrect for the given payload"
#define SSH_VERSION_STR             "(spp_ssh) Failed to detect SSH version string"

/* Prototypes for public interface */
extern void SetupSSH(void);

#endif /* SPP_SSH_H */