eve/ssh: change hassh logging format

Elastic search didn't accept the 'hassh' and 'hassh.string'. It would
see the first 'hassh' as a string and split the second key into a
object 'hassh' with a string member 'string'. So two different types
for 'hassh', so it rejected it.

This patch mimics the ja3(s) logging by creating a 'hassh' object
with 2 members: 'hash', which holds the md5 representation, and
'string' which holds the string representation.

doc/userguide/output/eve/eve-json-format.rst

@@ -980,7 +980,7 @@ Fields
 
 * "proto_version": The protocol version transported with the ssh protocol (1.x, 2.x)
 * "software_version": The software version used by end user
-* "hassh": MD5 of hassh algorithms of client or server
+* "hassh.hash": MD5 of hassh algorithms of client or server
 * "hassh.string": hassh algorithms of client or server
 
 Hassh must be enabled in the Suricata config file (set 'app-layer.protocols.ssh.hassh' to 'yes').
@@ -993,14 +993,18 @@ Example of SSH logging:
     "client": {
         "proto_version": "2.0",
         "software_version": "OpenSSH_6.7",
-        "hassh": "ec7378c1a92f5a8dde7e8b7a1ddf33d1",
-        "hassh.string": "curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c",
+        "hassh": {
+            "hash": "ec7378c1a92f5a8dde7e8b7a1ddf33d1",
+            "string": "curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c",
+        }
      },
     "server": {
         "proto_version": "2.0",
         "software_version": "OpenSSH_6.7",
-        "hassh": "ec7378c1a92f5a8dde7e8b7a1ddf33d1",
-        "hassh.string": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256",
+        "hassh": {
+            "hash": "ec7378c1a92f5a8dde7e8b7a1ddf33d1",
+            "string": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256",
+        }
      }
   }
 

rust/src/ssh/logger.rs

@@ -28,11 +28,15 @@ fn log_ssh(tx: &SSHTransaction, js: &mut JsonBuilder) -> Result<bool, JsonError>
         if tx.cli_hdr.swver.len() > 0 {
             js.set_string_from_bytes("software_version", &tx.cli_hdr.swver)?;
         }
-        if tx.cli_hdr.hassh.len() > 0 {
-            js.set_string_from_bytes("hassh", &tx.cli_hdr.hassh)?;
-        }
-        if tx.cli_hdr.hassh_string.len() > 0 {
-            js.set_string_from_bytes("hassh.string", &tx.cli_hdr.hassh_string)?;
+        if tx.cli_hdr.hassh.len() > 0 || tx.cli_hdr.hassh_string.len() > 0 {
+            js.open_object("hassh")?;
+            if tx.cli_hdr.hassh.len() > 0 {
+                js.set_string_from_bytes("hash", &tx.cli_hdr.hassh)?;
+            }
+            if tx.cli_hdr.hassh_string.len() > 0 {
+                js.set_string_from_bytes("string", &tx.cli_hdr.hassh_string)?;
+            }
+            js.close()?;
         }
         js.close()?;
     }
@@ -42,11 +46,15 @@ fn log_ssh(tx: &SSHTransaction, js: &mut JsonBuilder) -> Result<bool, JsonError>
         if tx.srv_hdr.swver.len() > 0 {
             js.set_string_from_bytes("software_version", &tx.srv_hdr.swver)?;
         }
-        if tx.srv_hdr.hassh.len() > 0 {
-            js.set_string_from_bytes("hassh", &tx.srv_hdr.hassh)?;
-        }
-        if tx.srv_hdr.hassh_string.len() > 0 {
-            js.set_string_from_bytes("hassh.string", &tx.srv_hdr.hassh_string)?;
+        if tx.srv_hdr.hassh.len() > 0 || tx.srv_hdr.hassh_string.len() > 0 {
+            js.open_object("hassh")?;
+            if tx.srv_hdr.hassh.len() > 0 {
+                js.set_string_from_bytes("hash", &tx.srv_hdr.hassh)?;
+            }
+            if tx.srv_hdr.hassh_string.len() > 0 {
+                js.set_string_from_bytes("string", &tx.srv_hdr.hassh_string)?;
+            }
+            js.close()?;
         }
         js.close()?;
     }