ssh_banners.xml: Update using Project Sonar data from 2017.11.30 #159
I only had some minor feedback, otherwise this looks great. Thanks!
xml/ssh_banners.xml
<description>Honeypot SSH</description> | ||
<example>honeypot</example> |
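Review bot: the `<example>honeypot</example>` on the second line is a bare token rather than a banner string, so it neither documents what the pattern actually saw in the Sonar data nor exercises any captured params; if this fingerprint is kept, the example should be a banner observed in the dataset, and if no reliable one exists that is itself a reason to drop the fingerprint rather than ship it with a placeholder example.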
You had some better examples, right?
Not that I'd consider reliable, I'm likely to remove this fingerprint altogether.
</fingerprint> | ||
<fingerprint pattern="^OpenSSH_([^\s]+)\s+(Raspbian-\d\d?\+deb9u\d+)$"> | ||
<description>OpenSSH running on Raspbian (Debian 9 "Stretch" based)</description> | ||
<example service.version="7.4p1" openssh.comment="Raspbian-10+deb9u1">OpenSSH_7.4p1 Raspbian-10+deb9u1</example> |
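Review bot: in the pattern on the second line, `\d\d?` caps the Raspbian package revision at two digits and `deb9` hard-codes the Debian base, so a three-digit revision or a future `deb10u1` banner falls through to whatever generic OpenSSH fingerprint comes later; `Raspbian-\d+\+deb9u\d+` would remove the first limit, and since the whole suffix is captured into `openssh.comment` (per the example) rather than into a release param, a note in the description that one fingerprint per Debian release is expected would help the next person extending this.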
So what do the -10 and -9 in this and the next line mean? You are hardcoding the version as Raspbian 9.0, but I'm assuming that comes from the deb9u match.
-9 and -10 are patch release versions. There are others in the Debian/Ubuntu banners that are -2, -5, etc.
The OS matching for Debian is based on debX, for example:
deb9 -> Stretch
deb8 -> Jessie
deb7 -> Wheezy
deb6 -> Squeeze
<param pos="0" name="os.device" value="General"/> | ||
<param pos="0" name="os.family" value="Linux"/> | ||
<param pos="0" name="os.product" value="Linux"/> | ||
</fingerprint> | ||
<fingerprint pattern="^OpenSSH_(.*)\+(CAN-[0-9]{4}-[0-9]{4})$"> |
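Review bot: the new fingerprint on the last line uses `(.*)` for the version capture where the Raspbian fingerprint above uses `([^\s]+)`; the greedy `.*` accepts whitespace and extra `+` signs inside `service.version` (a banner like `OpenSSH_3.4p1 foo+CAN-2004-0175` would yield the version `3.4p1 foo`), so `([^\s+]+)` keeps the captured version clean. The `[0-9]{4}` sequence number also only matches the old four-digit identifier syntax, which the thread shows is what the data contains; a short comment in the XML recording that decision would save the next reviewer the same question.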
Interesting, never seen these. I wonder if it is worth updating it to also match CVE and maybe the new, longer format, just to be future proof?
I don't see any instances of CVE in the dataset. The instances I see of 'CAN' seem to be clustered around OpenSSH 3.4-3.6.
Count  Banner
38     OpenSSH_3.4p1+CAN-2004-0175
27     OpenSSH_3.6.1p1+CAN-2004-0175
3      OpenSSH_3.6.1p1+CAN-2003-0693
3      OpenSSH_3.4p1+CAN-2003-0693
Reference for future me: https://cve.mitre.org/cve/identifiers/syntaxchange.html
Edit: This originally stated that there shouldn't be any harm in increasing the length of the last group to match the current standard too (7 digits), but my concern now is that this banner doesn't contain anything else linking it to MacOS X, which this fingerprint references. If someone were to adopt this in a future banner we can't be sure that the service is from MacOS X. I will leave this as is for now.
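As an added example (not code from Recog or from this PR), a small Python matcher that applies the two fingerprint patterns shown in the diff and the debX -> codename mapping from the reply above, and checks the two cases the thread worries about: a 7-digit identifier and a Debian base other than deb9. The description and param names used for the CAN fingerprint are assumptions; the diff only shows its pattern.

```python
import re

# Added example, not Recog's own code: a minimal Recog-style matcher for two fingerprints
# from this PR plus the debX -> codename lookup described in the review thread.

# Codename mapping exactly as given in the thread (deb6..deb9).
DEBIAN_CODENAMES = {"deb6": "Squeeze", "deb7": "Wheezy", "deb8": "Jessie", "deb9": "Stretch"}

# "params" maps a capture group to the param it fills, like Recog's <param pos="N" name=".."/>.
# The description and param names on the CAN fingerprint are assumptions (diff shows only its pattern).
FINGERPRINTS = [
    {
        "description": 'OpenSSH running on Raspbian (Debian 9 "Stretch" based)',
        "pattern": re.compile(r"^OpenSSH_([^\s]+)\s+(Raspbian-\d\d?\+deb9u\d+)$"),
        "params": {1: "service.version", 2: "openssh.comment"},
    },
    {
        "description": "OpenSSH with a CAN-tagged patch (assumed description)",
        "pattern": re.compile(r"^OpenSSH_(.*)\+(CAN-[0-9]{4}-[0-9]{4})$"),
        "params": {1: "service.version", 2: "openssh.comment"},
    },
]


def match_banner(banner):
    """Return (description, params) for the first matching fingerprint, else None."""
    for fp in FINGERPRINTS:
        m = fp["pattern"].match(banner)
        if m:
            return fp["description"], {n: m.group(pos) for pos, n in fp["params"].items()}
    return None


def debian_codename(comment):
    """Map the debX part of e.g. 'Raspbian-10+deb9u1' to a codename ('Stretch').

    The -10 is the package's patch release, not the OS version; only debX identifies
    the Debian base, as the thread explains.
    """
    m = re.search(r"\+deb(\d+)u\d+", comment)
    return DEBIAN_CODENAMES.get("deb" + m.group(1)) if m else None


# Constructed banners: two taken from the diff/thread, two deliberately out of scope.
SAMPLE_BANNERS = [
    "OpenSSH_7.4p1 Raspbian-10+deb9u1",   # matches; codename Stretch
    "OpenSSH_3.4p1+CAN-2004-0175",        # matches the CAN fingerprint
    "OpenSSH_3.4p1+CAN-2004-1234567",     # 7-digit sequence number: no match with [0-9]{4}
    "OpenSSH_7.4p1 Raspbian-10+deb10u1",  # deb10 is not covered by the deb9-only pattern
]
```

Running `match_banner` over `SAMPLE_BANNERS` shows the first two matching and the last two returning `None`, which is exactly the coverage boundary the thread discusses.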
This PR updates the coverage of xml/ssh_banners.xml using data from Project Sonar's SSH study on 2017.11.30. The most significant changes were from adding coverage of Debian Stretch and covering OpenSSH on Ubuntu and Debian where the package version was displayed but the OS release was not, for example OpenSSH_7.6p1 Ubuntu-2. The latter had in some cases been misidentified as a certain version of Debian or Ubuntu, so overall accuracy has been improved. In total 484,768 previously unidentified banners are now matched.
Significant changes:
- bin/recog_verify xml/ssh_banners.xml and improves the chance that rspec will detect issues.
- flags="REG_ICASE" in an inline flag ((?i:) in order to make the regex compatible with more languages.