Project

General

Profile

Actions
Copy link

Bug #2915

closed

Feature #2283: turn content modifiers into 'sticky buffers'

modernize ssh sticky buffers

Added by Victor Julien over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jeff Lucovsky
Target version:
5.0beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

Currently we have

ssh_proto:
    Description: ssh_protocol sticky buffer
    Features: No option
    Documentation: https://suricata.readthedocs.io/en/latest/rules/ssh-keywords.html#ssh-proto
ssh.protoversion:
    Description: match SSH protocol version
    Features: none
    Documentation: https://suricata.readthedocs.io/en/latest/rules/ssh-keywords.html#ssh-protoversion
ssh_software:
    Description: ssh_software sticky buffer
    Features: No option
    Documentation: https://suricata.readthedocs.io/en/latest/rules/ssh-keywords.html#ssh-software
ssh.softwareversion:
    Description: match SSH software string
    Features: none
    Documentation: https://suricata.readthedocs.io/en/latest/rules/ssh-keywords.html#ssh-softwareversion

ssh.softwareversion and ssh.protoversion are legacy and scheduled for removal in #2377

The ssh_proto and ssh_software need the following updates:

1. mpm and content api v2
2. new default names: ssh.proto / ssh.software
3. existing names as 'alias'
4. set SIGMATCH_INFO_STICKY_BUFFER flag (see src/detect-http-client-body.c)

Actions
Copy link

Also available in: Atom PDF