lua: convert ssh function into suricata.ssh lib

doc/userguide/lua/libs/index.rst

@@ -14,3 +14,4 @@ environment without access to additional modules.
    hashlib
    http
    packetlib
+   ssh

doc/userguide/lua/libs/ssh.rst

@@ -0,0 +1,91 @@
+SSH
+---
+
+SSH transaction details are exposes to Lua scripts with the
+``suricata.ssh`` library, For example::
+
+  local ssh = require("suricata.ssh")
+
+Setup
+^^^^^
+
+If your purpose is to create a logging script, initialize the buffer as:
+
+::
+
+  function init (args)
+     local needs = {}
+     needs["protocol"] = "ssh"
+     return needs
+  end
+
+If you are going to use the script for rule matching, choose one of
+the available SSH buffers listed in :ref:`lua-detection` and follow
+the pattern:
+
+::
+
+  function init (args)
+     local needs = {}
+     needs["ssh.server_proto"] = tostring(true)
+     return needs
+  end
+
+Transaction
+~~~~~~~~~~~
+
+SSH is transaction based, and the current transaction must be obtained before use::
+
+  local tx, err = ssh.get_tx()
+  if tx == err then
+      print(err)
+  end
+
+All other functions are methods on the transaction table.
+
+Transaction Methods
+~~~~~~~~~~~~~~~~~~~
+
+``server_proto()``
+^^^^^^^^^^^^^^^^^^
+
+Get the ``server_proto`` value as a string.
+
+Example::
+
+  local tx = ssh.get_tx()
+  local proto = tx:server_proto();
+  print (proto)
+
+``client_proto()``
+^^^^^^^^^^^^^^^^^^
+
+Get the ``client_proto`` value as a string.
+
+Example::
+
+  local tx = ssh.get_tx()
+  local proto = tx:client_proto();
+  print (proto)
+
+``server_software()``
+^^^^^^^^^^^^^^^^^^^^^
+
+Get the ``server_software`` value as a string.
+
+Example::
+
+  local tx = ssh.get_tx()
+  local software = tx:server_software();
+  print (software)
+
+``client_software()``
+^^^^^^^^^^^^^^^^^^^^^
+
+Get the ``client_software`` value as a string.
+
+Example::
+
+  local tx = ssh.get_tx()
+  local software = tx:client_software();
+  print (software)

doc/userguide/lua/lua-functions.rst

@@ -481,71 +481,6 @@ Initialize with:
       return needs
   end
 
-SshGetServerProtoVersion
-~~~~~~~~~~~~~~~~~~~~~~~~
-
-Get SSH protocol version used by the server through SshGetServerProtoVersion.
-
-Example:
-
-::
-
-  function log (args)
-      version = SshGetServerProtoVersion()
-      if version == nil then
-          return 0
-      end
-  end
-
-SshGetServerSoftwareVersion
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Get SSH software used by the server through SshGetServerSoftwareVersion.
-
-Example:
-
-::
-
-  function log (args)
-      software = SshGetServerSoftwareVersion()
-      if software == nil then
-          return 0
-      end
-  end
-
-SshGetClientProtoVersion
-~~~~~~~~~~~~~~~~~~~~~~~~
-
-Get SSH protocol version used by the client through SshGetClientProtoVersion.
-
-Example:
-
-::
-
-  function log (args)
-      version = SshGetClientProtoVersion()
-      if version == nil then
-          return 0
-      end
-  end
-
-SshGetClientSoftwareVersion
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Get SSH software used by the client through SshGetClientSoftwareVersion.
-
-Example:
-
-::
-
-  function log (args)
-      software = SshGetClientSoftwareVersion()
-      if software == nil then
-          return 0
-      end
-  end
-
-
 HasshGet
 ~~~~~~~~
 

src/detect-lua-extensions.c

@@ -43,7 +43,6 @@
 #include "util-lua-dns.h"
 #include "util-lua-ja3.h"
 #include "util-lua-tls.h"
-#include "util-lua-ssh.h"
 #include "util-lua-hassh.h"
 #include "util-lua-smtp.h"
 #include "util-lua-dnp3.h"
@@ -552,7 +551,6 @@ int LuaRegisterExtensions(lua_State *lua_state)
     LuaRegisterFunctions(lua_state);
     LuaRegisterJa3Functions(lua_state);
     LuaRegisterTlsFunctions(lua_state);
-    LuaRegisterSshFunctions(lua_state);
     LuaRegisterHasshFunctions(lua_state);
     LuaRegisterSmtpFunctions(lua_state);
     return 0;

src/detect-ssh-proto.c

@@ -114,4 +114,11 @@ void DetectSshProtocolRegister(void)
     DetectBufferTypeSetDescriptionByName(BUFFER_NAME, BUFFER_DESC);
 
     g_buffer_id = DetectBufferTypeGetByName(BUFFER_NAME);
+
+    /* register these generic engines for lua from here for now */
+    DetectAppLayerInspectEngineRegister(
+            "ssh_banner", ALPROTO_SSH, SIG_FLAG_TOSERVER, 1, DetectEngineInspectGenericList, NULL);
+    DetectAppLayerInspectEngineRegister(
+            "ssh_banner", ALPROTO_SSH, SIG_FLAG_TOCLIENT, 1, DetectEngineInspectGenericList, NULL);
+    DetectBufferTypeSetDescriptionByName("ssh_banner", "ssh banner");
 }

src/output-lua.c

@@ -39,7 +39,6 @@
 #include "util-lua-dns.h"
 #include "util-lua-ja3.h"
 #include "util-lua-tls.h"
-#include "util-lua-ssh.h"
 #include "util-lua-hassh.h"
 #include "util-lua-smtp.h"
 
@@ -593,7 +592,6 @@ static lua_State *LuaScriptSetup(const char *filename, LogLuaMasterCtx *ctx)
     LuaRegisterFunctions(luastate);
     LuaRegisterJa3Functions(luastate);
     LuaRegisterTlsFunctions(luastate);
-    LuaRegisterSshFunctions(luastate);
     LuaRegisterHasshFunctions(luastate);
     LuaRegisterSmtpFunctions(luastate);
 

src/util-lua-builtins.c

@@ -22,6 +22,7 @@
 #include "util-lua-dnp3.h"
 #include "util-lua-http.h"
 #include "util-lua-dns.h"
+#include "util-lua-ssh.h"
 #include "util-lua-flowlib.h"
 #include "util-lua-hashlib.h"
 #include "util-lua-packetlib.h"
@@ -37,6 +38,7 @@ static const luaL_Reg builtins[] = {
     { "suricata.hashlib", SCLuaLoadHashlib },
     { "suricata.http", SCLuaLoadHttpLib },
     { "suricata.packet", LuaLoadPacketLib },
+    { "suricata.ssh", SCLuaLoadSshLib },
     { NULL, NULL },
 };