Merge pull request #491 from apooraj/ssh_classifier

davidmcgrew · GitHub Enterprise · commit e5148c13bb85 · 2025-08-08T11:46:12.000-04:00
SSH classifier and stats collections
diff --git a/src/cbor.cpp b/src/cbor.cpp
@@ -83,7 +83,7 @@ int main(int argc, char *argv[]) {
             }
         }
         if (decode_fdc) {
-            static const size_t MAX_FP_STR_LEN     = 4096;
+            static const size_t MAX_FP_STR_LEN     = 8192;
             char fp_str[MAX_FP_STR_LEN];
             char dst_ip_str[MAX_ADDR_STR_LEN];
             char sn_str[MAX_SNI_LEN];
diff --git a/src/libmerc/analysis.h b/src/libmerc/analysis.h
@@ -474,6 +474,8 @@ class classifier {
             return fingerprint_type_quic;
         } else if (s == "tofsee") {
             return fingerprint_type_tofsee;
+        } else if (s == "ssh") {
+            return fingerprint_type_ssh;
         }
         return fingerprint_type_unknown;
     }
@@ -530,6 +532,8 @@ class classifier {
                     type = fingerprint_type_quic;
                 } else if (s.compare(0, idx, "tofsee") == 0) {
                     type = fingerprint_type_tofsee;
+                } else if (s.compare(0, idx, "ssh") == 0) {
+                    type = fingerprint_type_ssh;
                 }
                 std::string version_and_tail{s.substr(idx+1)};
 
diff --git a/src/libmerc/fdc.hpp b/src/libmerc/fdc.hpp
@@ -658,7 +658,7 @@ class fdc {
 
             // decode the data in the buffer to decoded_fdc
             //
-            static const size_t MAX_FP_STR_LEN     = 4096;
+            static const size_t MAX_FP_STR_LEN     = 8192;
             char fp_str[MAX_FP_STR_LEN];
             char dst_ip_str[MAX_ADDR_STR_LEN];
             char sn_str[MAX_SNI_LEN];
@@ -713,7 +713,7 @@ class fdc {
 
 [[maybe_unused]] static std::string get_json_decoded_fdc(const char *fdc_blob, ssize_t blob_len) {
     datum fdc_data = datum{(uint8_t*)fdc_blob,(uint8_t*)(fdc_blob+blob_len)};
-    static const size_t MAX_FP_STR_LEN     = 4096;
+    static const size_t MAX_FP_STR_LEN     = 8192;
     char fp_str[MAX_FP_STR_LEN];
     char dst_ip_str[MAX_ADDR_STR_LEN];
     char sn_str[MAX_SNI_LEN];
diff --git a/src/libmerc/fingerprint.h b/src/libmerc/fingerprint.h
@@ -12,7 +12,7 @@
 
 class fingerprint {
     enum fingerprint_type type;
-    static const size_t MAX_FP_STR_LEN = 4096;
+    static const size_t MAX_FP_STR_LEN = 8192;
     char fp_str[MAX_FP_STR_LEN];
     struct buffer_stream fp_buf;
 
diff --git a/src/libmerc/pkt_proc.cc b/src/libmerc/pkt_proc.cc
@@ -247,6 +247,13 @@ struct do_observation {
         analysis_.reset_user_agent();
     }
 
+    void operator()(ssh_init_packet &m) {
+        // create event and send it to the data/stats aggregator
+        event_string ev_str{k_, analysis_, m};
+        mq_->push(ev_str.construct_event_string());
+        analysis_.reset_user_agent();
+    }
+
     template <typename T>
     void operator()(T &) { }
 
diff --git a/src/libmerc/ssh.h b/src/libmerc/ssh.h
@@ -328,10 +328,11 @@ struct ssh_init_packet : public base_protocol {
     struct datum comment_string;
     ssh_binary_packet binary_pkt;
     ssh_kex_init kex_pkt;
+    data_buffer<MAX_USER_AGENT_LEN> user_agent;
 
     static constexpr size_t max_data_size = 8192;
 
-    ssh_init_packet(datum &p) : protocol_string{NULL, NULL}, comment_string{NULL, NULL}, binary_pkt{}, kex_pkt{} {
+    ssh_init_packet(datum &p) : protocol_string{NULL, NULL}, comment_string{NULL, NULL}, binary_pkt{}, kex_pkt{}, user_agent{} {
         parse(p);
     }
 
@@ -462,6 +463,24 @@ struct ssh_init_packet : public base_protocol {
         { 'S',  'S',  'H',  '-',  0x00, 0x00, 0x00, 0x00}
     };
 
+    bool do_analysis(const struct key &k_, struct analysis_context &analysis_, classifier *c_) {
+        if (!kex_pkt.is_not_empty()) {
+            return false;
+        }
+        
+        // concatenate protocol and comment strings for analysis
+        datum tmp_protocol_str = protocol_string;
+        datum tmp_comment_str = comment_string;
+        user_agent.parse(tmp_protocol_str);
+        user_agent.parse(tmp_comment_str);
+
+        analysis_.destination.init({nullptr, nullptr}, user_agent.contents(), {nullptr, nullptr}, k_);
+        if (c_ == nullptr) {
+            return false;
+        }
+        return c_->analyze_fingerprint_and_destination_context(analysis_.fp, analysis_.destination, analysis_.result);
+}
+
 };
 
 [[maybe_unused]] inline int ssh_init_packet_fuzz_test(const uint8_t *data, size_t size) {

Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ int main(int argc, char *argv[]) {`
`83`	`83`	`}`
`84`	`84`	`}`
`85`	`85`	`if (decode_fdc) {`
`86`		`- static const size_t MAX_FP_STR_LEN = 4096;`
	`86`	`+ static const size_t MAX_FP_STR_LEN = 8192;`
`87`	`87`	`char fp_str[MAX_FP_STR_LEN];`
`88`	`88`	`char dst_ip_str[MAX_ADDR_STR_LEN];`
`89`	`89`	`char sn_str[MAX_SNI_LEN];`
Original file line number	Diff line number	Diff line change
`@@ -474,6 +474,8 @@ class classifier {`
`474`	`474`	`return fingerprint_type_quic;`
`475`	`475`	`} else if (s == "tofsee") {`
`476`	`476`	`return fingerprint_type_tofsee;`
	`477`	`+ } else if (s == "ssh") {`
	`478`	`+ return fingerprint_type_ssh;`
`477`	`479`	`}`
`478`	`480`	`return fingerprint_type_unknown;`
`479`	`481`	`}`
`@@ -530,6 +532,8 @@ class classifier {`
`530`	`532`	`type = fingerprint_type_quic;`
`531`	`533`	`} else if (s.compare(0, idx, "tofsee") == 0) {`
`532`	`534`	`type = fingerprint_type_tofsee;`
	`535`	`+ } else if (s.compare(0, idx, "ssh") == 0) {`
	`536`	`+ type = fingerprint_type_ssh;`
`533`	`537`	`}`
`534`	`538`	`std::string version_and_tail{s.substr(idx+1)};`
`535`	`539`