Added basic parsing for SSH messages

shadowy-pycoder · shadowy-pycoder · commit 874e43048297 · 2024-09-08T16:48:18.000+03:00
diff --git a/layers/dns.go b/layers/dns.go
@@ -208,32 +208,32 @@ func (d *DNSMessage) Summary() string {
 	var sb strings.Builder
 	sb.WriteString(fmt.Sprintf("DNS Message: %s %s %#04x ", d.Flags.OPCodeDesc, d.Flags.QRDesc, d.TransactionID))
 	for _, rec := range d.Questions {
-		if sb.Len() > 100 {
+		sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))
+		if sb.Len() > maxLenSummary {
 			goto result
 		}
-		sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))
 	}
 	for _, rec := range d.AnswerRRs {
-		if sb.Len() > 100 {
+		sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))
+		if sb.Len() > maxLenSummary {
 			goto result
 		}
-		sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))
 	}
 	for _, rec := range d.AuthorityRRs {
-		if sb.Len() > 100 {
+		sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))
+		if sb.Len() > maxLenSummary {
 			goto result
 		}
-		sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))
 	}
 	for _, rec := range d.AdditionalRRs {
-		if sb.Len() > 100 {
+		sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))
+		if sb.Len() > maxLenSummary {
 			goto result
 		}
-		sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))
 	}
 	return sb.String()
 result:
-	return sb.String()[:100] + string(ellipsis)
+	return sb.String()[:maxLenSummary] + string(ellipsis)
 }
 
 // Parse parses the given byte data into a DNSMessage struct.
diff --git a/layers/layers.go b/layers/layers.go
@@ -5,6 +5,8 @@ import (
 	"unsafe"
 )
 
+const maxLenSummary = 100
+
 var LayerMap = map[string]Layer{
 	"ETH":    &EthernetFrame{},
 	"IPv4":   &IPv4Packet{},
diff --git a/layers/ssh.go b/layers/ssh.go
@@ -1,23 +1,142 @@
 package layers
 
-import "fmt"
+import (
+	"bytes"
+	"encoding/binary"
+	"fmt"
+	"strings"
+)
 
-// https://www.omnisecu.com/tcpip/ssh-packet-format.php
-// port 22
-type SSHMessage struct{}
+const messageSizeSSH = 6
+
+type Message struct {
+	PacketLength     uint32
+	PaddingLength    uint8
+	MesssageType     uint8
+	MesssageTypeDesc string
+	Payload          []byte
+}
+
+func (m *Message) String() string {
+	if m.PacketLength == 0 {
+		return fmt.Sprintf(`- Payload: %d bytes`, len(m.Payload))
+	}
+	return fmt.Sprintf(` - Packet Length: %d
+ - Padding Length: %d
+ - Message Type: %s (%d)
+ - Payload: %d bytes`,
+		m.PacketLength,
+		m.PaddingLength,
+		m.MesssageTypeDesc,
+		m.MesssageType,
+		len(m.Payload))
+}
+
+type SSHMessage struct {
+	Protocol string
+	Messages []*Message
+}
 
 func (s *SSHMessage) String() string {
-	return fmt.Sprintf(`%s`, s.Summary())
+	return fmt.Sprintf(`%s
+%s
+`, s.Summary(), s.printMessages())
 }
 
 func (s *SSHMessage) Summary() string {
-	return fmt.Sprint("SSH Message:")
+	var sb strings.Builder
+	sb.WriteString("SSH Message: ")
+	if s.Protocol != "" {
+		sb.WriteString(s.Protocol)
+		return sb.String()
+	}
+	if len(s.Messages) == 1 && s.Messages[0].PacketLength == 0 {
+		sb.WriteString(fmt.Sprintf("Encrypted or partial data Len: %d", len(s.Messages[0].Payload)))
+		return sb.String()
+	}
+	for _, message := range s.Messages {
+		if message.PacketLength != 0 {
+			sb.WriteString(fmt.Sprintf("%s (%d) Len: %d ",
+				message.MesssageTypeDesc,
+				message.MesssageType,
+				message.PacketLength))
+		}
+		if sb.Len() > maxLenSummary {
+			return sb.String()[:maxLenSummary] + string(ellipsis)
+		}
+	}
+	return sb.String()
+}
+
+func (s *SSHMessage) printMessages() string {
+	var sb strings.Builder
+
+	for _, message := range s.Messages {
+		if message.MesssageTypeDesc == "" {
+			sb.WriteString(fmt.Sprintf("%s\n", message))
+		} else {
+			sb.WriteString(fmt.Sprintf("- %s:\n%s\n", message.MesssageTypeDesc, message))
+		}
+	}
+	return sb.String()
 }
 
 func (s *SSHMessage) Parse(data []byte) error {
+	if len(data) < messageSizeSSH {
+		return fmt.Errorf("minimum message size for SSH is %d bytes, got %d bytes", messageSizeSSH, len(data))
+	}
+	s.Protocol = ""
+	s.Messages = nil
+	if bytes.HasSuffix(data, crlf) {
+		s.Protocol = bytesToStr(bytes.TrimSuffix(data, crlf))
+		return nil
+	}
+	s.Messages = make([]*Message, 0, 3)
+	for len(data) > 0 {
+		m := &Message{}
+		s.Messages = append(s.Messages, m)
+		plen := binary.BigEndian.Uint32(data[0:4])
+		if plen > 0xffff {
+			m.Payload = data
+			break
+		}
+		m.MesssageType = data[5]
+		if m.MesssageTypeDesc = mtypedesc(m.MesssageType); m.MesssageTypeDesc == "Unknown" {
+			m.Payload = data
+			break
+		}
+		m.PacketLength = plen
+		m.PaddingLength = data[4]
+		offset := int(messageSizeSSH + m.PacketLength - 2)
+		if offset <= len(data) {
+			m.Payload = data[messageSizeSSH:offset]
+			data = data[offset:]
+		} else {
+			m.Payload = data[messageSizeSSH:]
+			break
+		}
+	}
 	return nil
 }
 
 func (s *SSHMessage) NextLayer() (string, []byte) {
 	return "", nil
 }
+
+// https://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml
+func mtypedesc(mtype uint8) string {
+	var mtypedesc string
+	switch mtype {
+	case 20:
+		mtypedesc = "Key Exchange Init"
+	case 21:
+		mtypedesc = "New Keys"
+	case 30:
+		mtypedesc = "Elliptic Curve Diffie-Hellman Key Exchange Init"
+	case 31:
+		mtypedesc = "Elliptic Curve Diffie-Hellman Key Exchange Reply"
+	default:
+		mtypedesc = "Unknown"
+	}
+	return mtypedesc
+}
diff --git a/layers/tls.go b/layers/tls.go
@@ -6,6 +6,8 @@ import (
 	"strings"
 )
 
+const headerSizeTLS = 5
+
 type Record struct {
 	ContentType     uint8
 	ContentTypeDesc string
@@ -48,9 +50,6 @@ func (t *TLSMessage) Summary() string {
 		sb.WriteString(fmt.Sprintf("Ignored unknown record Len: %d", len(t.Data)))
 	} else {
 		for i, rec := range t.Records {
-			if sb.Len() > 100 {
-				return sb.String()[:100] + string(ellipsis)
-			}
 			if i > 0 {
 				sb.WriteString(fmt.Sprintf("%s (%d) Len: %d ", rec.ContentTypeDesc, rec.ContentType, rec.Length))
 				continue
@@ -64,6 +63,9 @@ func (t *TLSMessage) Summary() string {
 				rec.ContentTypeDesc,
 				rec.ContentType,
 				rec.Length))
+			if sb.Len() > maxLenSummary {
+				return sb.String()[:maxLenSummary] + string(ellipsis)
+			}
 		}
 	}
 	return sb.String()
@@ -79,6 +81,9 @@ func (t *TLSMessage) printRecords() string {
 }
 
 func (t *TLSMessage) Parse(data []byte) error {
+	if len(data) < headerSizeTLS {
+		return fmt.Errorf("minimum header size for TLS is %d bytes, got %d bytes", headerSizeTLS, len(data))
+	}
 	t.Records = make([]*Record, 0, 5)
 	for len(data) > 0 {
 		ctype := data[0]
@@ -91,8 +96,8 @@ func (t *TLSMessage) Parse(data []byte) error {
 		if verdesc == "Unknown" {
 			break
 		}
-		rlen := binary.BigEndian.Uint16(data[3:5])
-		if 5+rlen > uint16(len(data)) {
+		rlen := binary.BigEndian.Uint16(data[3:headerSizeTLS])
+		if headerSizeTLS+rlen > uint16(len(data)) {
 			break
 		}
 		r := &Record{
@@ -101,10 +106,10 @@ func (t *TLSMessage) Parse(data []byte) error {
 			Version:         ver,
 			VersionDesc:     verdesc,
 			Length:          rlen,
-			data:            data[5 : 5+rlen],
+			data:            data[headerSizeTLS : headerSizeTLS+rlen],
 		}
 		t.Records = append(t.Records, r)
-		data = data[5+rlen:]
+		data = data[headerSizeTLS+rlen:]
 	}
 	t.Data = data
 	return nil
@@ -141,6 +146,8 @@ func ctdesc(ct uint8) string {
 func verdesc(ver uint16) string {
 	var verdesc string
 	switch ver {
+	case 0x0200:
+		verdesc = "SSL 2.0"
 	case 0x0300:
 		verdesc = "SSL 3.0"
 	case 0x0301:
@@ -149,6 +156,8 @@ func verdesc(ver uint16) string {
 		verdesc = "TLS 1.1"
 	case 0x0303:
 		verdesc = "TLS 1.2"
+	case 0x0304:
+		verdesc = "TLS 1.3"
 	default:
 		verdesc = "Unknown"
 	}

Original file line number	Diff line number	Diff line change
`@@ -208,32 +208,32 @@ func (d *DNSMessage) Summary() string {`
`208`	`208`	`var sb strings.Builder`
`209`	`209`	`sb.WriteString(fmt.Sprintf("DNS Message: %s %s %#04x ", d.Flags.OPCodeDesc, d.Flags.QRDesc, d.TransactionID))`
`210`	`210`	`for _, rec := range d.Questions {`
`211`		`- if sb.Len() > 100 {`
	`211`	`+ sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))`
	`212`	`+ if sb.Len() > maxLenSummary {`
`212`	`213`	`goto result`
`213`	`214`	`}`
`214`		`- sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))`
`215`	`215`	`}`
`216`	`216`	`for _, rec := range d.AnswerRRs {`
`217`		`- if sb.Len() > 100 {`
	`217`	`+ sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))`
	`218`	`+ if sb.Len() > maxLenSummary {`
`218`	`219`	`goto result`
`219`	`220`	`}`
`220`		`- sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))`
`221`	`221`	`}`
`222`	`222`	`for _, rec := range d.AuthorityRRs {`
`223`		`- if sb.Len() > 100 {`
	`223`	`+ sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))`
	`224`	`+ if sb.Len() > maxLenSummary {`
`224`	`225`	`goto result`
`225`	`226`	`}`
`226`		`- sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))`
`227`	`227`	`}`
`228`	`228`	`for _, rec := range d.AdditionalRRs {`
`229`		`- if sb.Len() > 100 {`
	`229`	`+ sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))`
	`230`	`+ if sb.Len() > maxLenSummary {`
`230`	`231`	`goto result`
`231`	`232`	`}`
`232`		`- sb.WriteString(fmt.Sprintf("%s %s ", rec.Type.Name, rec.Name))`
`233`	`233`	`}`
`234`	`234`	`return sb.String()`
`235`	`235`	`result:`
`236`		`- return sb.String()[:100] + string(ellipsis)`
	`236`	`+ return sb.String()[:maxLenSummary] + string(ellipsis)`
`237`	`237`	`}`
`238`	`238`
`239`	`239`	`// Parse parses the given byte data into a DNSMessage struct.`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,8 @@ import (`
`5`	`5`	`"unsafe"`
`6`	`6`	`)`
`7`	`7`
	`8`	`+const maxLenSummary = 100`
	`9`	`+`
`8`	`10`	`var LayerMap = map[string]Layer{`
`9`	`11`	`"ETH": &EthernetFrame{},`
`10`	`12`	`"IPv4": &IPv4Packet{},`