eve: add Hassh fields to SSH JSON logger and add ssh log condition
authorVadym Malakhatko <v.malakhatko@sirinsoftware.com>
Tue, 7 Jul 2020 14:05:36 +0000 (17:05 +0300)
committerVadym Malakhatko <v.malakhatko@sirinsoftware.com>
Tue, 7 Jul 2020 14:05:36 +0000 (17:05 +0300)
rust/src/ssh/logger.rs
rust/src/ssh/ssh.rs
src/app-layer-ssh.c
src/app-layer-ssh.h
src/output-json-ssh.c
src/output-lua.c

index 0ddc7fffdf591b37130c2bcfef76cfbedbc23cbf..ae8dcb9028db579260b3eff0443e4ab75face173 100644 (file)
@@ -28,6 +28,12 @@ fn log_ssh(tx: &SSHTransaction, js: &mut JsonBuilder) -> Result<bool, JsonError>
         if tx.cli_hdr.swver.len() > 0 {
             js.set_string_from_bytes("software_version", &tx.cli_hdr.swver)?;
         }
+        if tx.cli_hdr.hassh.len() > 0 {
+            js.set_string_from_bytes("hassh", &tx.cli_hdr.hassh)?;
+        }
+        if tx.cli_hdr.hassh_string.len() > 0 {
+            js.set_string_from_bytes("hassh.string", &tx.cli_hdr.hassh_string)?;
+        }
         js.close()?;
     }
     if tx.srv_hdr.protover.len() > 0 {
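Review bot: The added keys `hassh` and `hassh.string` put a dot inside a flat JSON key name, so consumers that treat a dot as an object path (Elasticsearch-style mappings and many EVE post-processors) see `hassh` declared both as a string and as an object and reject or mis-map the record. The server-side hunk at @@ -36 below repeats the same pair for `tx.srv_hdr`. Nesting the two values under one `hassh` object, emitting the string only when the hash is present, avoids the conflict and keeps the hash/string pairing explicit. log_ssh begins before this hunk.
```rust
        if tx.cli_hdr.hassh.len() > 0 {
            js.open_object("hassh")?;
            js.set_string_from_bytes("hash", &tx.cli_hdr.hassh)?;
            if tx.cli_hdr.hassh_string.len() > 0 {
                js.set_string_from_bytes("string", &tx.cli_hdr.hassh_string)?;
            }
            js.close()?;
        }
        // … unchanged: js.close() for the client object …
        // … the srv_hdr hunk mirrors this block with tx.srv_hdr …
```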
@@ -36,6 +42,12 @@ fn log_ssh(tx: &SSHTransaction, js: &mut JsonBuilder) -> Result<bool, JsonError>
         if tx.srv_hdr.swver.len() > 0 {
             js.set_string_from_bytes("software_version", &tx.srv_hdr.swver)?;
         }
+        if tx.srv_hdr.hassh.len() > 0 {
+            js.set_string_from_bytes("hassh", &tx.srv_hdr.hassh)?;
+        }
+        if tx.srv_hdr.hassh_string.len() > 0 {
+            js.set_string_from_bytes("hassh.string", &tx.srv_hdr.hassh_string)?;
+        }
         js.close()?;
     }
     return Ok(true);
index 7f28fe750d0416446cc4703c15bf24dc7b6367cd..4bdfe97afbf6c094a99e960740ac9828dff007c1 100644 (file)
@@ -606,3 +606,22 @@ pub extern "C" fn rs_ssh_enable_hassh() {
 pub extern "C" fn rs_ssh_hassh_is_enabled() -> bool {
     hassh_is_enabled()
 }
+
+#[no_mangle]
+pub extern "C" fn rs_ssh_tx_get_log_condition( tx: *mut std::os::raw::c_void) -> bool {
+    let tx = cast_pointer!(tx, SSHTransaction);
+    
+    if rs_ssh_hassh_is_enabled() {
+        if  tx.cli_hdr.flags == SSHConnectionState::SshStateFinished &&
+            tx.srv_hdr.flags == SSHConnectionState::SshStateFinished {
+            return true; 
+        }
+    }
+    else {
+        if  tx.cli_hdr.flags == SSHConnectionState::SshStateBannerDone && 
+            tx.srv_hdr.flags == SSHConnectionState::SshStateBannerDone {
+            return true;
+        }
+    }
+    return false;
+}
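Review bot: `rs_ssh_tx_get_log_condition` is an exported FFI entry point that dereferences the raw `tx` pointer through `cast_pointer!` with no doc comment stating the caller contract; add `/// Log condition for the SSH tx loggers. `tx` must point to a live SSHTransaction; both directions must be at SshStateFinished when hassh is enabled, else at SshStateBannerDone.` above the `#[no_mangle]` attribute. Behaviourally, with hassh enabled a session in which either side never reaches SshStateFinished (torn down before the exchange completes, for instance) never satisfies this condition, so unless the tx output path forces a log at flow end those sessions are no longer logged at all — a visibility regression against the previous BannerDone progress settings that is worth confirming in output-tx.c. The nested if/else with early returns collapses to `let want = if rs_ssh_hassh_is_enabled() { SSHConnectionState::SshStateFinished } else { SSHConnectionState::SshStateBannerDone };` followed by `tx.cli_hdr.flags == want && tx.srv_hdr.flags == want`, which also drops the trailing whitespace on the blank line and on two of the `if` lines.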
index 01ce4fd08906c43ebb1894f4679a3b3d7dba5a4f..d61762eb4cb5e16f96d4506b4b283dcc9771eda3 100644 (file)
@@ -71,6 +71,11 @@ static int SSHRegisterPatternsForProtocolDetection(void)
     return 0;
 }
 
+int SSHTxLogCondition(ThreadVars * tv, const Packet * p, void *state, void *tx, uint64_t tx_id)
+{
+    return rs_ssh_tx_get_log_condition(tx);
+}
+
 /** \brief Function to register the SSH protocol parsers and other functions
  */
 void RegisterSSHParsers(void)
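Review bot: SSHTxLogCondition reads only `tx` and never touches `tv`, `p`, `state` or `tx_id`, which a build with -Wunused-parameter would flag; since the signature is fixed by the TxLogCondition callback type, say so in a header comment such as `/** \brief TxLogCondition callback for the SSH loggers; only tx is used, the rest is required by the callback signature. Defers to the Rust parser state. */`. The pointer spacing `ThreadVars * tv, const Packet * p` also differs from the `Type *name` form the header prototype in this same commit uses (`ThreadVars *, const Packet *`).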
index 119ae032834802f3d88d1f065f0a393386ebbc6a..8dbb3be817ef0a6ecebddcd86a633428e9f4597e 100644 (file)
@@ -28,5 +28,7 @@
 void RegisterSSHParsers(void);
 void SSHParserRegisterTests(void);
 
+int SSHTxLogCondition(ThreadVars *, const Packet *, void *state, void *tx, uint64_t tx_id);
+
 #endif /* __APP_LAYER_SSH_H__ */
 
index 5519c5674199c1dd3fa7fcbe6a50ae7a5a150758..6f5ad4d203b3f1e62062d064689c6199351f3619 100644 (file)
@@ -225,16 +225,14 @@ static OutputInitResult OutputSshLogInitSub(ConfNode *conf, OutputCtx *parent_ct
 void JsonSshLogRegister (void)
 {
     /* register as separate module */
-    OutputRegisterTxModuleWithProgress(LOGGER_JSON_SSH,
+    OutputRegisterTxModuleWithCondition(LOGGER_JSON_SSH,
         "JsonSshLog", "ssh-json-log",
         OutputSshLogInit, ALPROTO_SSH, JsonSshLogger,
-        SshStateBannerDone, SshStateBannerDone,
-        JsonSshLogThreadInit, JsonSshLogThreadDeinit, NULL);
+        SSHTxLogCondition, JsonSshLogThreadInit, JsonSshLogThreadDeinit, NULL);
 
     /* also register as child of eve-log */
-    OutputRegisterTxSubModuleWithProgress(LOGGER_JSON_SSH,
+    OutputRegisterTxSubModuleWithCondition(LOGGER_JSON_SSH,
         "eve-log", "JsonSshLog", "eve-log.ssh",
         OutputSshLogInitSub, ALPROTO_SSH, JsonSshLogger,
-        SshStateBannerDone, SshStateBannerDone,
-        JsonSshLogThreadInit, JsonSshLogThreadDeinit, NULL);
+        SSHTxLogCondition, JsonSshLogThreadInit, JsonSshLogThreadDeinit, NULL);
 }
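Review bot: Nothing at the registration calls now says when an SSH transaction is logged, because the two `SshStateBannerDone` progress arguments were replaced by the `SSHTxLogCondition` callback; a one-line comment above the first call, `/* log point decided by SSHTxLogCondition: both directions at SshStateBannerDone, or at SshStateFinished when hassh is enabled */`, keeps that readable here rather than only in rust/src/ssh/ssh.rs. The same comment serves the eve-log sub-module registration a few lines below.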
index 283d5f72e0be5ba155b465917a1a15b8edaf1a66..4c1cfe9ba1af64d805dfbceb0829f2e21f067dcb 100644 (file)
@@ -823,8 +823,7 @@ static OutputInitResult OutputLuaLogInit(ConfNode *conf)
         } else if (opts.alproto == ALPROTO_SSH) {
             om->TxLogFunc = LuaTxLogger;
             om->alproto = ALPROTO_SSH;
-            om->tc_log_progress = SshStateBannerDone;
-            om->ts_log_progress = SshStateBannerDone;
+            om->TxLogCondition = SSHTxLogCondition;
             AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_SSH);
         } else if (opts.alproto == ALPROTO_SMTP) {
             om->TxLogFunc = LuaTxLogger;
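Review bot: Existing Lua SSH scripts receive their callback at a different point once hassh is enabled: `om->TxLogCondition = SSHTxLogCondition` fires only when both directions are at SshStateFinished, whereas the removed `SshStateBannerDone` progress settings fired once both banners were seen. That is a user-visible change for scripts that expect banner-time data and deserves a line in the upgrade notes, or at least a comment here such as `/* log point now chosen by SSHTxLogCondition (app-layer-ssh.c) */`. Whether the no-longer-set `tc_log_progress`/`ts_log_progress` fields still influence the Lua tx logger once a condition is installed is not visible from this hunk and is worth confirming.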