ssh_banners.xml: Update using Project Sonar data from 2017.11.30 #159
Conversation
xml/ssh_banners.xml
Outdated
| <description>Honeypot SSH</description> | ||
| <example>honeypot</example> |
There was a problem hiding this comment.
You had some better examples, right?
There was a problem hiding this comment.
Not that I'd consider reliable, I'm likely to remove this fingerprint altogether.
| </fingerprint> | ||
| <fingerprint pattern="^OpenSSH_([^\s]+)\s+(Raspbian-\d\d?\+deb9u\d+)$"> | ||
| <description>OpenSSH running on Raspbian (Debian 9 "Stretch" based)</description> | ||
| <example service.version="7.4p1" openssh.comment="Raspbian-10+deb9u1">OpenSSH_7.4p1 Raspbian-10+deb9u1</example> |
There was a problem hiding this comment.
so what do the -10 and -9 in this and the next line mean? You are hardcoding the version so Raspbian 9.0, but I'm assuming that comes from the deb9u match.
There was a problem hiding this comment.
-9 and -10 are patch release versions. There are others in the Debian/Ubuntu banners that are -2, -5, etc.
The OS matching for Debian is based on debX, for example:
deb9 -> Stretch
deb8 -> Jessie
deb7 -> Wheezy
deb6 -> Squeeze
| <param pos="0" name="os.device" value="General"/> | ||
| <param pos="0" name="os.family" value="Linux"/> | ||
| <param pos="0" name="os.product" value="Linux"/> | ||
| </fingerprint> | ||
| <fingerprint pattern="^OpenSSH_(.*)\+(CAN-[0-9]{4}-[0-9]{4})$"> |
There was a problem hiding this comment.
Interesting, never seen these. I wonder if it is worth updating it to also match CVE and maybe the new, longer format, just to be future proof?
There was a problem hiding this comment.
I don't see any instances of CVE in the dataset. The instances I see of 'CAN" seem to be clustered around OpenSSH 3.4-3.6.
Count Banner
38 OpenSSH_3.4p1+CAN-2004-0175
27 OpenSSH_3.6.1p1+CAN-2004-0175
3 OpenSSH_3.6.1p1+CAN-2003-0693
3 OpenSSH_3.4p1+CAN-2003-0693
Reference for future me: https://cve.mitre.org/cve/identifiers/syntaxchange.html
Edit: This originally stated that there shouldn't be any harm in increasing the length of the last group to match the current standard too (7 digits) but my concern now is that this banner doesn't contain anything else linking it to MacOS X which this fingerprint references. If someone where to adopt this in a future banner we can't be sure that the service is from MacOS X. I will leave this as is for now.
This PR updates the coverage of
xml/ssh_banners.xmlusing data from Project Sonar's SSH study on 2017.11.30. The most significant changes were from adding coverage of Debian Stretch and covering OpenSSH on Ubuntu and Debian where the package version was displayed but the OS release was not, for exampleOpenSSH_7.6p1 Ubuntu-2. The latter had in some cases been misidentified as a certain version of Debian or Ubuntu so overall accuracy has been improved.In total 484,768 previously unidentified banners are now matched.
Significant changes:
bin/recog_verify xml/ssh_banners.xmland improves the chance thatrspecwith detect issues.flags="REG_ICASEin an inline flag ((?i:) in order to make the regex compatible with more languages.