From 00cc3c7374feaf735a45fd5ecffa30bb59517544 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Fri, 24 Jul 2020 10:49:20 +0200 Subject: [PATCH] eve/ssh: change hassh logging format Elastic search didn't accept the 'hassh' and 'hassh.string'. It would see the first 'hassh' as a string and split the second key into a object 'hassh' with a string member 'string'. So two different types for 'hassh', so it rejected it. This patch mimics the ja3(s) logging by creating a 'hassh' object with 2 members: 'hash', which holds the md5 representation, and 'string' which holds the string representation. --- doc/userguide/output/eve/eve-json-format.rst | 14 ++++++---- rust/src/ssh/logger.rs | 28 +++++++++++++------- 2 files changed, 27 insertions(+), 15 deletions(-)
diff --git a/doc/userguide/output/eve/eve-json-format.rst b/doc/userguide/output/eve/eve-json-format.rst
index 0b58c1df8e..823c079a71 100644
--- a/doc/userguide/output/eve/eve-json-format.rst
+++ b/doc/userguide/output/eve/eve-json-format.rst
@@ -980,7 +980,7 @@ Fields * "proto_version": The protocol version transported with the ssh protocol (1.x, 2.x) * "software_version": The software version used by end user -* "hassh": MD5 of hassh algorithms of client or server +* "hassh.hash": MD5 of hassh algorithms of client or server * "hassh.string": hassh algorithms of client or server Hassh must be enabled in the Suricata config file (set 'app-layer.protocols.ssh.hassh' to 'yes'). 
@@ -993,14 +993,18 @@ Example of SSH logging: "client": { "proto_version": "2.0", "software_version": "OpenSSH_6.7", - "hassh": "ec7378c1a92f5a8dde7e8b7a1ddf33d1", - "hassh.string": "curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c", + "hassh": { + "hash": "ec7378c1a92f5a8dde7e8b7a1ddf33d1", + "string": "curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c", + } }, "server": { "proto_version": "2.0", "software_version": "OpenSSH_6.7", - "hassh": "ec7378c1a92f5a8dde7e8b7a1ddf33d1", - "hassh.string": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256", + "hassh": { + "hash": "ec7378c1a92f5a8dde7e8b7a1ddf33d1", + "string": "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256", + } } }
diff --git a/rust/src/ssh/logger.rs b/rust/src/ssh/logger.rs
index ae8dcb9028..7f59651463 100644
--- a/rust/src/ssh/logger.rs
+++ b/rust/src/ssh/logger.rs
@@ -28,11 +28,15 @@ fn log_ssh(tx: &SSHTransaction, js: &mut JsonBuilder) -> Result
 if tx.cli_hdr.swver.len() > 0 {
 js.set_string_from_bytes("software_version", &tx.cli_hdr.swver)?;
 }
- if tx.cli_hdr.hassh.len() > 0 {
- js.set_string_from_bytes("hassh", &tx.cli_hdr.hassh)?;
- }
- if tx.cli_hdr.hassh_string.len() > 0 {
- js.set_string_from_bytes("hassh.string", &tx.cli_hdr.hassh_string)?;
+ if tx.cli_hdr.hassh.len() > 0 || tx.cli_hdr.hassh_string.len() > 0 {
+ js.open_object("hassh")?;
+ if tx.cli_hdr.hassh.len() > 0 {
+ js.set_string_from_bytes("hash", &tx.cli_hdr.hassh)?;
+ }
+ if tx.cli_hdr.hassh_string.len() > 0 {
+ js.set_string_from_bytes("string", &tx.cli_hdr.hassh_string)?;
+ }
+ js.close()?;
 }
 js.close()?;
 }
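Review bot: The new nine-line hassh block is duplicated verbatim for `cli_hdr` here and for `srv_hdr` in the second hunk (`@@ -42,11 +46,15 @@`), with only the header differing, so the `hassh`/`hash`/`string` key names and the open_object/close pairing now live in two places and the next key rename (like this one) has to be made twice. A small helper taking the two byte slices keeps that in one place and also lets the `.len() > 0` tests become `is_empty()` as clippy's len_zero lint asks; the object is still opened only when at least one member is present. log_ssh itself begins and ends outside both hunks, and its return type is cut off in the hunk header, so the helper below assumes the builder's `JsonError` error type — adjust if it differs.
```rust
/// Writes the nested `hassh` object (`hash`, `string`); emits nothing when both values are empty.
fn log_hassh(js: &mut JsonBuilder, hassh: &[u8], hassh_string: &[u8]) -> Result<(), JsonError> {
    if hassh.is_empty() && hassh_string.is_empty() {
        return Ok(());
    }
    js.open_object("hassh")?;
    if !hassh.is_empty() {
        js.set_string_from_bytes("hash", hassh)?;
    }
    if !hassh_string.is_empty() {
        js.set_string_from_bytes("string", hassh_string)?;
    }
    js.close()?;
    Ok(())
}

// … unchanged: proto_version / software_version fields of the client object …
log_hassh(js, &tx.cli_hdr.hassh, &tx.cli_hdr.hassh_string)?;
// … unchanged: js.close() of the client object; the server block makes the same call with srv_hdr …
```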
@@ -42,11 +46,15 @@ fn log_ssh(tx: &SSHTransaction, js: &mut JsonBuilder) -> Result
 if tx.srv_hdr.swver.len() > 0 {
 js.set_string_from_bytes("software_version", &tx.srv_hdr.swver)?;
 }
- if tx.srv_hdr.hassh.len() > 0 {
- js.set_string_from_bytes("hassh", &tx.srv_hdr.hassh)?;
- }
- if tx.srv_hdr.hassh_string.len() > 0 {
- js.set_string_from_bytes("hassh.string", &tx.srv_hdr.hassh_string)?;
+ if tx.srv_hdr.hassh.len() > 0 || tx.srv_hdr.hassh_string.len() > 0 {
+ js.open_object("hassh")?;
+ if tx.srv_hdr.hassh.len() > 0 {
+ js.set_string_from_bytes("hash", &tx.srv_hdr.hassh)?;
+ }
+ if tx.srv_hdr.hassh_string.len() > 0 {
+ js.set_string_from_bytes("string", &tx.srv_hdr.hassh_string)?;
+ }
+ js.close()?;
 }
 js.close()?;
 }