Add basic SSH detection

The SSH protocol does not give a lot to detect it by. A new kernel check
has been added to detect the initial SSH hello messages.

api/v1/runtime/common.proto

@@ -127,6 +127,11 @@ message SOCKS5DetectedFinding {
   uint32 port = 6;
 }
 
+message SSHData {
+  FlowDirection flow_direction = 1;
+  string version = 2;
+  string comments = 3;
+}
 
 enum NetflowProtocol {
   NETFLOW_PROTOCOL_UNKNOWN = 0;

api/v1/runtime/runtime_agent_api.proto

@@ -54,6 +54,7 @@ enum EventType {
   EVENT_SIGNATURE = 9;
   EVENT_TTY_WRITE = 10;
   EVENT_STDIO_VIA_SOCKET = 11;
+  EVENT_SSH = 12;
 
   EVENT_ANY = 999;
 }
@@ -81,6 +82,7 @@ message Event {
     v1.SignatureEvent signature = 25;
     v1.Any any = 26;
     v1.StdioViaSocketFinding stdio_via_socket = 27;
+    v1.SSHData ssh = 28;
   }
 }
 

cmd/agent/daemon/daemon.go

@@ -61,6 +61,7 @@ func NewRunCommand(version string) *cobra.Command {
 				events.ProcessOomKilled,
 				events.StdioViaSocket,
 				events.TtyWrite,
+				events.NetPacketSSHBase,
 			},
 		}
 		ebpfEventsStdioExporterEnabled = pflag.Bool("ebpf-events-stdio-exporter-enabled", false, "Export ebpf event to stdio")

cmd/agent/daemon/state/events_pipeline.go

@@ -149,6 +149,13 @@ func (c *Controller) toProtoEvent(e *ebpftypes.Event) *castpb.Event {
 		event.Data = &castpb.Event_File{
 			File: &castpb.File{Path: args.Path},
 		}
+	case ebpftypes.NetPacketSSHBaseArgs:
+		event.EventType = castpb.EventType_EVENT_SSH
+		sshEvent := args.Payload
+		sshEvent.FlowDirection = convertFlowDirection(e.Context.GetFlowDirection())
+		event.Data = &castpb.Event_Ssh{
+			Ssh: sshEvent,
+		}
 	}
 
 	if event.EventType == 0 {

e2e/e2e.go

@@ -661,6 +661,9 @@ func (t *testCASTAIServer) validateEvents(ctx context.Context, timeout time.Dura
 			}
 			return nil
 		},
+		castaipb.EventType_EVENT_SSH: func(e *castaipb.Event) error {
+			return nil
+		},
 	}
 	expectedTypes := lo.KeyBy(lo.Keys(eventsValidators), func(item castaipb.EventType) castaipb.EventType {
 		return item

go.mod

@@ -37,6 +37,7 @@ require (
 	github.com/spf13/viper v1.18.2
 	github.com/stretchr/testify v1.9.0
 	github.com/testcontainers/testcontainers-go v0.30.0
+	github.com/tklauser/go-sysconf v0.3.12
 	github.com/vishvananda/netns v0.0.4
 	go.uber.org/atomic v1.11.0
 	go.uber.org/goleak v1.3.0
@@ -175,7 +176,6 @@ require (
 	github.com/skeema/knownhosts v1.2.1 // indirect
 	github.com/spdx/tools-golang v0.5.4-0.20231108154018-0c0f394b5e1a // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
-	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/vishvananda/netlink v1.2.1-beta.2.0.20231127184239-0ced8385386a // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect

pkg/ebpftracer/c/headers/common/network.h

@@ -110,6 +110,7 @@ typedef enum net_packet {
     SUB_NET_PACKET_DNS = 1 << 6,
     SUB_NET_PACKET_HTTP = 1 << 7,
     SUB_NET_PACKET_SOCKS5 = 1 << 8,
+    SUB_NET_PACKET_SSH = 1 << 9,
 } net_packet_t;
 
 typedef struct net_event_contextmd {
@@ -244,13 +245,15 @@ struct {
 #define HEADERS 0           // no payload
 
 // when guessing by src/dst ports, declare at network.h
+#define TCP_PORT_SSH 22
 #define UDP_PORT_DNS 53
 #define TCP_PORT_DNS 53
 #define TCP_PORT_SOCKS5 1080
 
 // layer 7 parsing related constants
 #define http_min_len 7 // longest http command is "DELETE "
-#define socks5_min_len 4 // we try to match the socks5 request. this should
+#define socks5_min_len 4
+#define ssh_min_len 4 // the initial SSH messages always send `SSH-`
 
 // PROTOTYPES
 

pkg/ebpftracer/c/headers/types.h

@@ -50,6 +50,7 @@ enum event_id_e {
     NET_PACKET_DNS,
     NET_PACKET_HTTP,
     NET_PACKET_SOCKS5,
+    NET_PACKET_SSH,
     NET_PACKET_CAP_BASE,
     NET_CAPTURE_BASE,
     NET_FLOW_BASE,