[fix] Handle SSH traffic encapsulated in GRE

Related issue: #51
FoxIO-LLC · Jan 29, 2024 · e1e32bf · e1e32bf
1 parent 472f01f
commit e1e32bf
Show file tree

Hide file tree

Showing 21 changed files with 287 additions and 47 deletions.
diff --git a/pcap/gre-sample.pcap b/pcap/gre-sample.pcap
diff --git a/pcap/gtp-iphone.pcap b/pcap/gtp-iphone.pcap
diff --git a/pcap/ssh-r.pcap b/pcap/ssh-r.pcap
diff --git a/pcap/ssh2-malformed.pcap b/pcap/ssh2-malformed.pcap
diff --git a/pcap/ssh2-moloch-crash.pcap b/pcap/ssh2-moloch-crash.pcap
diff --git a/pcap/sshv1.pcap b/pcap/sshv1.pcap
diff --git a/pcap/tcpdump-geneve.pcap b/pcap/tcpdump-geneve.pcap
diff --git a/pcap/v6.pcap b/pcap/v6.pcap
diff --git a/rust/CHANGELOG.md b/rust/CHANGELOG.md
@@ -9,7 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
-- ja4l: Fix a panic that only reproduced in debug mode (#51).
+- JA4L: Fix a panic that only reproduced in debug mode (#51).
+- Fix processing of GRE tunneling traffic (#51).
+- Skip packets with "icmpv6" layer (#51).
 
 ### Changed
 

diff --git a/rust/ja4/src/snapshots/[email protected] b/rust/ja4/src/snapshots/[email protected]
@@ -0,0 +1,21 @@
+---
+source: ja4/src/lib.rs
+expression: output
+---
+- stream: 0
+  transport: tcp
+  src: 66.59.111.190
+  dst: 172.28.2.3
+  src_port: 40264
+  dst_port: 22
+  ja4l_c: 36_255
+  ja4l_s: 22952_236
+  ja4ssh:
+  - c24s23_c4s4_c6s4
+  ssh_extras:
+    hassh: 5ef6678a6b060094834599ca16581b05
+    hassh_server: 6e3242d64766f4154c11858bbd654415
+    ssh_protocol_client: SSH-2.0-OpenSSH_3.6.1p1
+    ssh_protocol_server: SSH-1.99-OpenSSH_3.1p1
+    encryption_algorithm: aes128-cbc
+
diff --git a/rust/ja4/src/snapshots/[email protected] b/rust/ja4/src/snapshots/[email protected]
@@ -0,0 +1,37 @@
+---
+source: ja4/src/lib.rs
+expression: output
+---
+- stream: 0
+  transport: tcp
+  src: fd00:183:1:1:1886:9040:8605:32b8
+  dst: fd01::183
+  src_port: 5060
+  dst_port: 5060
+  ja4l_c: 15922_64
+  ja4l_s: 53_64
+- stream: 1
+  transport: tcp
+  src: fd00:183:1:1:1886:9040:8605:32b8
+  dst: fd01::183
+  src_port: 5060
+  dst_port: 5060
+  ja4l_c: 16068_64
+  ja4l_s: 52_64
+- stream: 2
+  transport: tcp
+  src: fd00:183:1:1:1886:9040:8605:32b8
+  dst: fd01::183
+  src_port: 5060
+  dst_port: 5060
+  ja4l_c: 19889_64
+  ja4l_s: 174_64
+- stream: 3
+  transport: tcp
+  src: fd00:183:1:1:1886:9040:8605:32b8
+  dst: fd01::183
+  src_port: 5060
+  dst_port: 5060
+  ja4l_c: 19962_64
+  ja4l_s: 35_64
+
diff --git a/rust/ja4/src/snapshots/[email protected] b/rust/ja4/src/snapshots/[email protected]
@@ -0,0 +1,62 @@
+---
+source: ja4/src/lib.rs
+expression: output
+---
+- stream: 0
+  transport: tcp
+  src: 192.168.1.169
+  dst: 192.168.1.197
+  src_port: 64980
+  dst_port: 22
+  ja4l_c: 94_128
+  ja4l_s: 32_64
+  ja4ssh:
+  - c64s64_c78s65_c45s10
+  - c64s64_c59s72_c67s2
+  - c64s64_c3s4_c4s0
+  ssh_extras:
+    hassh: e77c2db7432e8cfbc42a96909a84fc8e
+    hassh_server: 6832f1ce43d4397c2c0a3e2f8c94334e
+    ssh_protocol_client: SSH-2.0-PuTTY_Release_0.74
+    ssh_protocol_server: SSH-2.0-OpenSSH_7.4
+    encryption_algorithm: chacha20-poly1305@openssh.com
+- stream: 1
+  transport: tcp
+  src: 192.168.1.197
+  dst: 44.212.59.210
+  src_port: 46394
+  dst_port: 22
+  ja4l_c: 14_64
+  ja4l_s: 4171_116
+  ja4ssh:
+  - c48s556_c7s5_c5s5
+  ssh_extras:
+    hassh: ec9ea89c70f5fc71cf61061bff5e4740
+    hassh_server: 2307c390c7c9aba5b4c9519e72347f34
+    ssh_protocol_client: SSH-2.0-OpenSSH_7.4
+    ssh_protocol_server: SSH-2.0-OpenSSH_8.7
+    encryption_algorithm: aes256-gcm@openssh.com
+- stream: 2
+  transport: tcp
+  src: 192.168.1.197
+  dst: 44.212.59.210
+  src_port: 46396
+  dst_port: 22
+  ja4l_c: 12_64
+  ja4l_s: 3169_116
+  ja4ssh:
+  - c76s76_c63s69_c19s47
+  - c76s76_c74s57_c0s69
+  - c76s76_c71s60_c0s69
+  - c76s76_c69s62_c0s69
+  - c76s76_c71s59_c0s70
+  - c76s76_c75s57_c0s68
+  - c76s76_c70s69_c6s55
+  - c36s104_c3s3_c4s1
+  ssh_extras:
+    hassh: ec9ea89c70f5fc71cf61061bff5e4740
+    hassh_server: 2307c390c7c9aba5b4c9519e72347f34
+    ssh_protocol_client: SSH-2.0-OpenSSH_7.4
+    ssh_protocol_server: SSH-2.0-OpenSSH_8.7
+    encryption_algorithm: aes256-gcm@openssh.com
+
diff --git a/rust/ja4/src/snapshots/[email protected] b/rust/ja4/src/snapshots/[email protected]
@@ -0,0 +1,21 @@
+---
+source: ja4/src/lib.rs
+expression: output
+---
+- stream: 0
+  transport: tcp
+  src: 10.0.0.1
+  dst: 10.0.0.2
+  src_port: 61672
+  dst_port: 22
+  ja4l_c: 7_64
+  ja4l_s: 462_60
+  ja4ssh:
+  - c24s464_c7s5_c3s4
+  ssh_extras:
+    hassh: 21b457a327ce7a2d4fce5ef2c42400bd
+    hassh_server: f430cd6761697a6a658ee1d45ed22e49
+    ssh_protocol_client: SSH-2.0-OpenSSH_5.3
+    ssh_protocol_server: SSH-1.99-OpenSSH_3.9p1
+    encryption_algorithm: aes128-cbc
+
diff --git a/rust/ja4/src/snapshots/[email protected] b/rust/ja4/src/snapshots/[email protected]
@@ -0,0 +1,21 @@
+---
+source: ja4/src/lib.rs
+expression: output
+---
+- stream: 0
+  transport: tcp
+  src: 10.0.0.1
+  dst: 10.0.0.2
+  src_port: 61672
+  dst_port: 22
+  ja4l_c: 7_64
+  ja4l_s: 462_60
+  ja4ssh:
+  - c24s640_c7s5_c3s4
+  ssh_extras:
+    hassh: 21b457a327ce7a2d4fce5ef2c42400bd
+    hassh_server: f430cd6761697a6a658ee1d45ed22e49
+    ssh_protocol_client: SSH-2.0-OpenSSH_5.3
+    ssh_protocol_server: SSH-1.99-OpenSSH_3.9p1
+    encryption_algorithm: aes128-cbc
+
diff --git a/rust/ja4/src/snapshots/[email protected] b/rust/ja4/src/snapshots/[email protected]
@@ -0,0 +1,21 @@
+---
+source: ja4/src/lib.rs
+expression: output
+---
+- stream: 0
+  transport: tcp
+  src: 3ffe:507:0:1:200:86ff:fe05:80da
+  dst: 3ffe:501:410:0:2c0:dfff:fe47:33e
+  src_port: 1022
+  dst_port: 22
+  ja4l_c: 271_64
+  ja4l_s: 28494_61
+  ja4ssh:
+  - c20s20_c18s23_c11s2
+  ssh_extras:
+    hassh: null
+    hassh_server: null
+    ssh_protocol_client: SSH-1.5-1.2.26
+    ssh_protocol_server: SSH-1.5-1.2.26
+    encryption_algorithm: null
+
diff --git a/rust/ja4/src/snapshots/[email protected] b/rust/ja4/src/snapshots/[email protected]
@@ -0,0 +1,21 @@
+---
+source: ja4/src/lib.rs
+expression: output
+---
+- stream: 0
+  transport: tcp
+  src: 30.0.0.2
+  dst: 30.0.0.1
+  src_port: 51225
+  dst_port: 22
+  ja4l_c: 93_64
+  ja4l_s: 24_64
+  ja4ssh:
+  - c144s48_c10s11_c6s4
+  ssh_extras:
+    hassh: 21b457a327ce7a2d4fce5ef2c42400bd
+    hassh_server: ce3c327f37ea2ec21f317fbc3fd1ea43
+    ssh_protocol_client: SSH-2.0-OpenSSH_5.3
+    ssh_protocol_server: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
+    encryption_algorithm: aes128-ctr
+
diff --git a/rust/ja4/src/snapshots/[email protected] b/rust/ja4/src/snapshots/[email protected]
@@ -0,0 +1,21 @@
+---
+source: ja4/src/lib.rs
+expression: output
+---
+- stream: 0
+  transport: tcp
+  src: 3ffe:507:0:1:200:86ff:fe05:80da
+  dst: 3ffe:501:410:0:2c0:dfff:fe47:33e
+  src_port: 1022
+  dst_port: 22
+  ja4l_c: 271_64
+  ja4l_s: 28494_61
+  ja4ssh:
+  - c20s12_c18s23_c11s2
+  ssh_extras:
+    hassh: null
+    hassh_server: null
+    ssh_protocol_client: SSH-1.5-1.2.26
+    ssh_protocol_server: SSH-1.5-1.2.26
+    encryption_algorithm: null
+
diff --git a/rust/ja4/src/ssh.rs b/rust/ja4/src/ssh.rs
@@ -123,32 +123,40 @@ impl StreamExtras {
             return;
         };
 
+        #[cfg(debug_assertions)]
+        if let Ok(dir) = ssh.find("ssh.direction") {
+            match sender {
+                Sender::Client => assert_eq!(dir.display(), "Direction: client-to-server"),
+                Sender::Server => assert_eq!(dir.display(), "Direction: server-to-client"),
+            }
+        }
+
         match sender {
             Sender::Client => {
                 if let Ok(s) = ssh.first("ssh.kex.hassh") {
-                    debug_assert!(self.hassh.is_none(), "packet={}", pkt.num);
+                    debug_assert!(self.hassh.is_none());
                     self.hassh = Some(s.to_owned());
                 }
                 if let Ok(s) = ssh.first("ssh.encryption_algorithms_client_to_server") {
                     // An SSH stream can have at most one client message with this field,
                     // and the client message precedes any server messages.
-                    debug_assert!(self.encryption.is_none(), "packet={}", pkt.num);
+                    debug_assert!(self.encryption.is_none());
                     self.encryption = Some(Encryption::ClientToServerAlgorithms(
                         s.split(',').map(|s| s.to_owned()).collect(),
                     ));
                 }
                 if let Ok(s) = ssh.first("ssh.protocol") {
-                    debug_assert!(self.ssh_protocol_client.is_none(), "packet={}", pkt.num);
+                    debug_assert!(self.ssh_protocol_client.is_none());
                     self.ssh_protocol_client = Some(s.to_owned());
                 }
             }
             Sender::Server => {
                 if let Ok(s) = ssh.first("ssh.kex.hasshserver") {
-                    debug_assert!(self.hassh_server.is_none(), "packet={}", pkt.num);
+                    debug_assert!(self.hassh_server.is_none());
                     self.hassh_server = Some(s.to_owned());
                 }
                 if let Ok(s) = ssh.first("ssh.protocol") {
-                    debug_assert!(self.ssh_protocol_server.is_none(), "packet={}", pkt.num);
+                    debug_assert!(self.ssh_protocol_server.is_none());
                     self.ssh_protocol_server = Some(s.to_owned());
                 }
                 let Ok(server_algs) = ssh.first("ssh.encryption_algorithms_server_to_client")