diff --git a/rust/src/ssh/logger.rs b/rust/src/ssh/logger.rs
index 0ddc7fffdf..ae8dcb9028 100644
--- a/rust/src/ssh/logger.rs
+++ b/rust/src/ssh/logger.rs
@@ -28,6 +28,12 @@ fn log_ssh(tx: &SSHTransaction, js: &mut JsonBuilder) -> Result
 if tx.cli_hdr.swver.len() > 0 {
 js.set_string_from_bytes("software_version", &tx.cli_hdr.swver)?;
 }
+ if tx.cli_hdr.hassh.len() > 0 {
+ js.set_string_from_bytes("hassh", &tx.cli_hdr.hassh)?;
+ }
+ if tx.cli_hdr.hassh_string.len() > 0 {
+ js.set_string_from_bytes("hassh.string", &tx.cli_hdr.hassh_string)?;
+ }
 js.close()?;
 }
 if tx.srv_hdr.protover.len() > 0 {
@@ -36,6 +42,12 @@ fn log_ssh(tx: &SSHTransaction, js: &mut JsonBuilder) -> Result
 if tx.srv_hdr.swver.len() > 0 {
 js.set_string_from_bytes("software_version", &tx.srv_hdr.swver)?;
 }
+ if tx.srv_hdr.hassh.len() > 0 {
+ js.set_string_from_bytes("hassh", &tx.srv_hdr.hassh)?;
+ }
+ if tx.srv_hdr.hassh_string.len() > 0 {
+ js.set_string_from_bytes("hassh.string", &tx.srv_hdr.hassh_string)?;
+ }
 js.close()?;
 }
 return Ok(true);
diff --git a/rust/src/ssh/ssh.rs b/rust/src/ssh/ssh.rs
index 7f28fe750d..4bdfe97afb 100644
--- a/rust/src/ssh/ssh.rs
+++ b/rust/src/ssh/ssh.rs
@@ -606,3 +606,22 @@ pub extern "C" fn rs_ssh_enable_hassh() {
 pub extern "C" fn rs_ssh_hassh_is_enabled() -> bool {
 hassh_is_enabled()
 }
+
+#[no_mangle]
+pub extern "C" fn rs_ssh_tx_get_log_condition( tx: *mut std::os::raw::c_void) -> bool {
+ let tx = cast_pointer!(tx, SSHTransaction);
+
+ if rs_ssh_hassh_is_enabled() {
+ if tx.cli_hdr.flags == SSHConnectionState::SshStateFinished &&
+ tx.srv_hdr.flags == SSHConnectionState::SshStateFinished {
+ return true;
+ }
+ }
+ else {
+ if tx.cli_hdr.flags == SSHConnectionState::SshStateBannerDone &&
+ tx.srv_hdr.flags == SSHConnectionState::SshStateBannerDone {
+ return true;
+ }
+ }
+ return false;
+}
diff --git a/src/app-layer-ssh.c b/src/app-layer-ssh.c
index 01ce4fd089..d61762eb4c 100644
--- a/src/app-layer-ssh.c
+++ b/src/app-layer-ssh.c
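Review bot: The key `"hassh.string"` is written next to a scalar `"hassh"` key in the same object, in the client hunk of rust/src/ssh/logger.rs and again in the server hunk that follows it. Consumers that expand dotted field names into nested objects (Elasticsearch does this by default) would see `hassh` as both a string and an object and may reject or drop the event, losing visibility on the fingerprint field itself. Nesting the two values under one object avoids the clash, as sketched below for the client side; the same shape applies to `srv_hdr`. The body of log_ssh starts and ends outside both hunks.

```rust
// … unchanged: software_version …
if !tx.cli_hdr.hassh.is_empty() {
    js.open_object("hassh")?;
    js.set_string_from_bytes("hash", &tx.cli_hdr.hassh)?;
    if !tx.cli_hdr.hassh_string.is_empty() {
        js.set_string_from_bytes("string", &tx.cli_hdr.hassh_string)?;
    }
    js.close()?;
}
// … unchanged: js.close()? for the enclosing object …
```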
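Review bot: Both branches of `rs_ssh_tx_get_log_condition` compare the header state with `==`, so a transaction is loggable only while both directions sit in exactly that state. The values this replaces (`SshStateBannerDone` for both directions, removed in src/output-json-ssh.c and src/output-lua.c) read as progress thresholds; with equality, a hassh-disabled session where one side has already moved past `SshStateBannerDone` when the other reaches it would never match, and with hassh enabled a session that ends before both sides reach `SshStateFinished` (a banner-only probe, for instance) would not be logged unless the output framework flushes at flow end, which is not visible here. If `SSHConnectionState` is ordered, prefer `let want = if rs_ssh_hassh_is_enabled() { SSHConnectionState::SshStateFinished } else { SSHConnectionState::SshStateBannerDone };` followed by `tx.cli_hdr.flags >= want && tx.srv_hdr.flags >= want`. A `///` comment saying that the function returns true once both directions have reached the required state, and that `tx` must point to a valid `SSHTransaction`, would document the FFI contract.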
@@ -71,6 +71,11 @@ static int SSHRegisterPatternsForProtocolDetection(void) return 0; } +int SSHTxLogCondition(ThreadVars * tv, const Packet * p, void *state, void *tx, uint64_t tx_id) +{ + return rs_ssh_tx_get_log_condition(tx); +} + /** \brief Function to register the SSH protocol parsers and other functions */ void RegisterSSHParsers(void) diff --git a/src/app-layer-ssh.h b/src/app-layer-ssh.h index 119ae03283..8dbb3be817 100644 --- a/src/app-layer-ssh.h +++ b/src/app-layer-ssh.h @@ -28,5 +28,7 @@ void RegisterSSHParsers(void); void SSHParserRegisterTests(void); +int SSHTxLogCondition(ThreadVars *, const Packet *, void *state, void *tx, uint64_t tx_id); + #endif /* __APP_LAYER_SSH_H__ */ diff --git a/src/output-json-ssh.c b/src/output-json-ssh.c index 5519c56741..6f5ad4d203 100644 --- a/src/output-json-ssh.c +++ b/src/output-json-ssh.c @@ -225,16 +225,14 @@ static OutputInitResult OutputSshLogInitSub(ConfNode *conf, OutputCtx *parent_ct void JsonSshLogRegister (void) { /* register as separate module */ - OutputRegisterTxModuleWithProgress(LOGGER_JSON_SSH, + OutputRegisterTxModuleWithCondition(LOGGER_JSON_SSH, "JsonSshLog", "ssh-json-log", OutputSshLogInit, ALPROTO_SSH, JsonSshLogger, - SshStateBannerDone, SshStateBannerDone, - JsonSshLogThreadInit, JsonSshLogThreadDeinit, NULL); + SSHTxLogCondition, JsonSshLogThreadInit, JsonSshLogThreadDeinit, NULL); /* also register as child of eve-log */ - OutputRegisterTxSubModuleWithProgress(LOGGER_JSON_SSH, + OutputRegisterTxSubModuleWithCondition(LOGGER_JSON_SSH, "eve-log", "JsonSshLog", "eve-log.ssh", OutputSshLogInitSub, ALPROTO_SSH, JsonSshLogger, - SshStateBannerDone, SshStateBannerDone, - JsonSshLogThreadInit, JsonSshLogThreadDeinit, NULL); + SSHTxLogCondition, JsonSshLogThreadInit, JsonSshLogThreadDeinit, NULL); } diff --git a/src/output-lua.c b/src/output-lua.c index 283d5f72e0..4c1cfe9ba1 100644 --- a/src/output-lua.c +++ b/src/output-lua.c 
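Review bot: `SSHTxLogCondition` in src/app-layer-ssh.c forwards `tx` straight into `rs_ssh_tx_get_log_condition`, which casts and dereferences it, and nothing in this hunk states that callers guarantee a non-NULL SSH transaction. The function is non-static, leaves four parameters unused and has no comment; a header in the file's Doxygen style would cover the contract, e.g. `/** \brief Log condition for SSH transactions. \param tx SSH transaction, must not be NULL. \retval non-zero when the transaction is ready to be logged */`. If the output framework can pass NULL here, add `if (tx == NULL) return 0;` before the call.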
@@ -823,8 +823,7 @@ static OutputInitResult OutputLuaLogInit(ConfNode *conf)
 } else if (opts.alproto == ALPROTO_SSH) {
 om->TxLogFunc = LuaTxLogger;
 om->alproto = ALPROTO_SSH;
- om->tc_log_progress = SshStateBannerDone;
- om->ts_log_progress = SshStateBannerDone;
+ om->TxLogCondition = SSHTxLogCondition;
 AppLayerParserRegisterLogger(IPPROTO_TCP, ALPROTO_SSH);
 } else if (opts.alproto == ALPROTO_SMTP) {
 om->TxLogFunc = LuaTxLogger;
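Review bot: The SSH branch now sets only `om->TxLogCondition` and no longer sets `tc_log_progress`/`ts_log_progress`, and nothing in the hunk says why. A short comment would help the next reader, e.g. `/* SSH is gated by SSHTxLogCondition: the required state depends on whether hassh is enabled */`. Lua scripts that previously received SSH transactions at banner completion will, when hassh is enabled, receive them only once both sides reach `SshStateFinished`, which is worth stating in the Lua output documentation. OutputLuaLogInit starts and ends outside the hunk.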