ssh: hassh can be truly disabled

Rules will not re-enable it Ticket: 8223
3 months ago · 54cc752cf9
parent 458211dcf2
commit 54cc752cf9
5 changed files with 24 additions and 2 deletions
--- a/doc/userguide/configuration/suricata-yaml.rst
+++ b/doc/userguide/configuration/suricata-yaml.rst
@ -1989,6 +1989,14 @@ present, and ``encryption-handling`` is not, ``false`` is interpreted as
 ``encryption-handling: track-only`` and ``true`` is interpreted as
 ``encryption-handling: bypass``.

+SSH
+~~~
+
+Besides ``encryption-handling``, ssh parser offers the ``hassh`` option
+with 3 values
+- yes : enables hassh logging
+- auto : hassh be enabled if rules use hassh keywords
+- no : disables hassh and will refuse to load rules that use hassh keywords

 Modbus
 ~~~~~~
--- a/doc/userguide/upgrade.rst
+++ b/doc/userguide/upgrade.rst
@ -73,6 +73,11 @@ Other Changes
  See :ref:`Hyperscan caching configuration
  <hyperscan-cache-configuration>` for more information.

+- The ``no`` option in ``app-layer.protocols.ssh.hassh`` is now
+  really enforced and there will be no hassh computation
+  even if rules try to use it.
+
+
 Upgrading to 8.0.1
 ------------------

--- a/rust/src/ssh/ssh.rs
+++ b/rust/src/ssh/ssh.rs
@ -33,6 +33,7 @@ use suricata_sys::sys::{

 pub(super) static mut ALPROTO_SSH: AppProto = ALPROTO_UNKNOWN;
 static HASSH_ENABLED: AtomicBool = AtomicBool::new(false);
+static HASSH_DISABLED: AtomicBool = AtomicBool::new(false);

 static mut ENCRYPTION_BYPASS_ENABLED: EncryptionHandling =
    EncryptionHandling::ENCRYPTION_HANDLING_TRACK_ONLY;
@ -585,7 +586,9 @@ pub unsafe extern "C" fn SCRegisterSshParser() {

 #[no_mangle]
 pub extern "C" fn SCSshEnableHassh() {
-    HASSH_ENABLED.store(true, Ordering::Relaxed)
+    if !HASSH_DISABLED.load(Ordering::Relaxed) {
+        HASSH_ENABLED.store(true, Ordering::Relaxed)
+    }
 }

 #[no_mangle]
@ -593,6 +596,11 @@ pub extern "C" fn SCSshHasshIsEnabled() -> bool {
    hassh_is_enabled()
 }

+#[no_mangle]
+pub extern "C" fn SCSshDisableHassh() {
+    HASSH_DISABLED.store(true, Ordering::Relaxed)
+}
+
 #[no_mangle]
 pub extern "C" fn SCSshEnableBypass(mode: EncryptionHandling) {
    unsafe {
--- a/src/app-layer-ssh.c
+++ b/src/app-layer-ssh.c
@ -96,6 +96,7 @@ void RegisterSSHParsers(void)
            enable_hassh = SSH_CONFIG_DEFAULT_HASSH;
        } else if (SCConfValIsFalse(strval)) {
            enable_hassh = SSH_CONFIG_DEFAULT_HASSH;
+            SCSshDisableHassh();
        } else if (SCConfValIsTrue(strval)) {
            enable_hassh = true;
        }
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@ -993,7 +993,7 @@ app-layer:
      #enabled: yes
    ssh:
      enabled: yes
-      # hassh: no
+      # hassh: auto

      # What to do when the encrypted communications start:
      # - track-only: keep tracking but stop inspection (default)