From 54cc752cf903bf214a0df3b822fe0d7871ace388 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 13 Jan 2026 21:27:15 +0100 Subject: [PATCH] ssh: hassh can be truly disabled Rules will not re-enable it Ticket: 8223 --- doc/userguide/configuration/suricata-yaml.rst | 8 ++++++++ doc/userguide/upgrade.rst | 5 +++++ rust/src/ssh/ssh.rs | 10 +++++++++- src/app-layer-ssh.c | 1 + suricata.yaml.in | 2 +- 5 files changed, 24 insertions(+), 2 deletions(-) diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst index 5af34b139a..0047d2a24b 100644 --- a/doc/userguide/configuration/suricata-yaml.rst +++ b/doc/userguide/configuration/suricata-yaml.rst @@ -1989,6 +1989,14 @@ present, and ``encryption-handling`` is not, ``false`` is interpreted as ``encryption-handling: track-only`` and ``true`` is interpreted as ``encryption-handling: bypass``. +SSH +~~~ + +Besides ``encryption-handling``, ssh parser offers the ``hassh`` option +with 3 values +- yes : enables hassh logging +- auto : hassh be enabled if rules use hassh keywords +- no : disables hassh and will refuse to load rules that use hassh keywords Modbus ~~~~~~ diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst index 054e3eb386..436151fe6a 100644 --- a/doc/userguide/upgrade.rst +++ b/doc/userguide/upgrade.rst @@ -73,6 +73,11 @@ Other Changes See :ref:`Hyperscan caching configuration ` for more information. +- The ``no`` option in ``app-layer.protocols.ssh.hassh`` is now + really enforced and there will be no hassh computation + even if rules try to use it. + + Upgrading to 8.0.1 ------------------ diff --git a/rust/src/ssh/ssh.rs b/rust/src/ssh/ssh.rs index 275c1c2d0d..bcf23b9d76 100644 --- a/rust/src/ssh/ssh.rs +++ b/rust/src/ssh/ssh.rs 
@@ -33,6 +33,7 @@ use suricata_sys::sys::{ pub(super) static mut ALPROTO_SSH: AppProto = ALPROTO_UNKNOWN; static HASSH_ENABLED: AtomicBool = AtomicBool::new(false); +static HASSH_DISABLED: AtomicBool = AtomicBool::new(false); static mut ENCRYPTION_BYPASS_ENABLED: EncryptionHandling = EncryptionHandling::ENCRYPTION_HANDLING_TRACK_ONLY; @@ -585,7 +586,9 @@ pub unsafe extern "C" fn SCRegisterSshParser() { #[no_mangle] pub extern "C" fn SCSshEnableHassh() { - HASSH_ENABLED.store(true, Ordering::Relaxed) + if !HASSH_DISABLED.load(Ordering::Relaxed) { + HASSH_ENABLED.store(true, Ordering::Relaxed) + } } #[no_mangle] @@ -593,6 +596,11 @@ pub extern "C" fn SCSshHasshIsEnabled() -> bool { hassh_is_enabled() } +#[no_mangle] +pub extern "C" fn SCSshDisableHassh() { + HASSH_DISABLED.store(true, Ordering::Relaxed) +} + #[no_mangle] pub extern "C" fn SCSshEnableBypass(mode: EncryptionHandling) { unsafe { diff --git a/src/app-layer-ssh.c b/src/app-layer-ssh.c index 8742f0ef07..53460791a8 100644 --- a/src/app-layer-ssh.c +++ b/src/app-layer-ssh.c @@ -96,6 +96,7 @@ void RegisterSSHParsers(void) enable_hassh = SSH_CONFIG_DEFAULT_HASSH; } else if (SCConfValIsFalse(strval)) { enable_hassh = SSH_CONFIG_DEFAULT_HASSH; + SCSshDisableHassh(); } else if (SCConfValIsTrue(strval)) { enable_hassh = true; } diff --git a/suricata.yaml.in b/suricata.yaml.in index d7ce7c2cc8..15339656f9 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -993,7 +993,7 @@ app-layer: #enabled: yes ssh: enabled: yes - # hassh: no + # hassh: auto # What to do when the encrypted communications start: # - track-only: keep tracking but stop inspection (default)
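Review bot: `SCSshEnableHassh` now silently becomes a no-op once `HASSH_DISABLED` is set, so a caller that enables hassh on behalf of a rule keyword gets no signal that the request was refused, and the "will refuse to load rules that use hassh keywords" behaviour promised in the documentation hunk has to be implemented by every caller re-checking `SCSshHasshIsEnabled()` afterwards, which this patch does not show. Consider making the outcome explicit at the FFI boundary, e.g. `pub extern "C" fn SCSshEnableHassh() -> bool` returning `hassh_is_enabled()` so rule setup can fail the load with a clear error, or at least state the contract on the function: `/// Requests hassh computation; silently ignored once SCSshDisableHassh has been called, so callers must verify with SCSshHasshIsEnabled.` Whether `hassh_is_enabled()` consults only `HASSH_ENABLED` is not visible here.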
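Review bot: `SCSshDisableHassh` only raises `HASSH_DISABLED` and leaves `HASSH_ENABLED` untouched, so the "truly disabled" guarantee holds only if nothing called `SCSshEnableHassh` before the config was parsed; that ordering (parser registration before rule loading) is plausible but not enforced by the code in this hunk. Clearing the enable flag in the same function, `HASSH_ENABLED.store(false, Ordering::Relaxed);`, makes the disable win regardless of call order, assuming `hassh_is_enabled()` reads `HASSH_ENABLED`. A doc comment noting that the flag is sticky for the process lifetime and there is no re-enable path would also help future callers, e.g. `/// Permanently disables hassh; later SCSshEnableHassh calls are ignored. Intended to be called once during config parsing.` The trailing context belongs to `SCSshEnableBypass`, which continues outside the hunk.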
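Review bot: In the `SCConfValIsFalse` branch the local is still assigned `SSH_CONFIG_DEFAULT_HASSH` immediately before `SCSshDisableHassh()`; if that default is true, the later enable call is neutralised only by the Rust-side gate, which in turn depends on the disable having run first. Writing `enable_hassh = false;` in this branch states the intent directly and does not rely on that call order. The rest of `RegisterSSHParsers`, including where `enable_hassh` is consumed and what happens for an unrecognised value, lies outside the hunk, so the unparsable-value path should be checked to confirm it does not enable hassh implicitly.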