eve: add Hassh fields to SSH JSON logger and add ssh log condition

rust/src/ssh/logger.rs

@@ -28,6 +28,12 @@ fn log_ssh(tx: &SSHTransaction, js: &mut JsonBuilder) -> Result<bool, JsonError>
         if tx.cli_hdr.swver.len() > 0 {
             js.set_string_from_bytes("software_version", &tx.cli_hdr.swver)?;
         }
+        if tx.cli_hdr.hassh.len() > 0 {
+            js.set_string_from_bytes("hassh", &tx.cli_hdr.hassh)?;
+        }
+        if tx.cli_hdr.hassh_string.len() > 0 {
+            js.set_string_from_bytes("hassh.string", &tx.cli_hdr.hassh_string)?;
+        }
         js.close()?;
     }
     if tx.srv_hdr.protover.len() > 0 {
@@ -36,6 +42,12 @@ fn log_ssh(tx: &SSHTransaction, js: &mut JsonBuilder) -> Result<bool, JsonError>
         if tx.srv_hdr.swver.len() > 0 {
             js.set_string_from_bytes("software_version", &tx.srv_hdr.swver)?;
         }
+        if tx.srv_hdr.hassh.len() > 0 {
+            js.set_string_from_bytes("hassh", &tx.srv_hdr.hassh)?;
+        }
+        if tx.srv_hdr.hassh_string.len() > 0 {
+            js.set_string_from_bytes("hassh.string", &tx.srv_hdr.hassh_string)?;
+        }
         js.close()?;
     }
     return Ok(true);

rust/src/ssh/ssh.rs

@@ -606,3 +606,22 @@ pub extern "C" fn rs_ssh_enable_hassh() {
 pub extern "C" fn rs_ssh_hassh_is_enabled() -> bool {
     hassh_is_enabled()
 }
+
+#[no_mangle]
+pub extern "C" fn rs_ssh_tx_get_log_condition( tx: *mut std::os::raw::c_void) -> bool {
+    let tx = cast_pointer!(tx, SSHTransaction);
+    
+    if rs_ssh_hassh_is_enabled() {
+        if  tx.cli_hdr.flags == SSHConnectionState::SshStateFinished &&
+            tx.srv_hdr.flags == SSHConnectionState::SshStateFinished {
+            return true; 
+        }
+    }
+    else {
+        if  tx.cli_hdr.flags == SSHConnectionState::SshStateBannerDone && 
+            tx.srv_hdr.flags == SSHConnectionState::SshStateBannerDone {
+            return true;
+        }
+    }
+    return false;
+}

src/app-layer-ssh.c

@@ -71,6 +71,11 @@ static int SSHRegisterPatternsForProtocolDetection(void)
     return 0;
 }
 
+int SSHTxLogCondition(ThreadVars * tv, const Packet * p, void *state, void *tx, uint64_t tx_id)
+{
+    return rs_ssh_tx_get_log_condition(tx);
+}
+
 /** \brief Function to register the SSH protocol parsers and other functions
  */
 void RegisterSSHParsers(void)

src/app-layer-ssh.h

@@ -28,5 +28,7 @@
 void RegisterSSHParsers(void);
 void SSHParserRegisterTests(void);
 
+int SSHTxLogCondition(ThreadVars *, const Packet *, void *state, void *tx, uint64_t tx_id);
+
 #endif /* __APP_LAYER_SSH_H__ */
 

src/output-json-ssh.c

@@ -225,16 +225,14 @@ static OutputInitResult OutputSshLogInitSub(ConfNode *conf, OutputCtx *parent_ct
 void JsonSshLogRegister (void)
 {
     /* register as separate module */
-    OutputRegisterTxModuleWithProgress(LOGGER_JSON_SSH,
+    OutputRegisterTxModuleWithCondition(LOGGER_JSON_SSH,
         "JsonSshLog", "ssh-json-log",
         OutputSshLogInit, ALPROTO_SSH, JsonSshLogger,
-        SshStateBannerDone, SshStateBannerDone,
-        JsonSshLogThreadInit, JsonSshLogThreadDeinit, NULL);
+        SSHTxLogCondition, JsonSshLogThreadInit, JsonSshLogThreadDeinit, NULL);
 
     /* also register as child of eve-log */
-    OutputRegisterTxSubModuleWithProgress(LOGGER_JSON_SSH,
+    OutputRegisterTxSubModuleWithCondition(LOGGER_JSON_SSH,
         "eve-log", "JsonSshLog", "eve-log.ssh",
         OutputSshLogInitSub, ALPROTO_SSH, JsonSshLogger,
-        SshStateBannerDone, SshStateBannerDone,
-        JsonSshLogThreadInit, JsonSshLogThreadDeinit, NULL);
+        SSHTxLogCondition, JsonSshLogThreadInit, JsonSshLogThreadDeinit, NULL);
 }

src/output-lua.c

@@ -823,8 +823,7 @@ static OutputInitResult OutputLuaLogInit(ConfNode *conf)
         } else if (opts.alproto == ALPROTO_SSH) {
             om->TxLogFunc = LuaTxLogger;
             om->alproto = ALPROTO_SSH;
-            om->tc_log_progress = SshStateBannerDone;
-            om->ts_log_progress = SshStateBannerDone;
+            om->TxLogCondition = SSHTxLogCondition;
             AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_SSH);
         } else if (opts.alproto == ALPROTO_SMTP) {
             om->TxLogFunc = LuaTxLogger;