OISF · lukashino · Sep 19, 2024 · Jun 27, 2023 · Sep 19, 2024 · Sep 19, 2024
@@ -25,11 +25,16 @@ use crate::frames::Frame;
 
 static mut ALPROTO_SSH: AppProto = ALPROTO_UNKNOWN;
 static HASSH_ENABLED: AtomicBool = AtomicBool::new(false);
+static BYPASS_ENABLED: AtomicBool = AtomicBool::new(false);
 
 fn hassh_is_enabled() -> bool {
     HASSH_ENABLED.load(Ordering::Relaxed)
 }
 
+fn enc_bypass_is_enabled() -> bool {
+    BYPASS_ENABLED.load(Ordering::Relaxed)
+}
+
 #[derive(AppLayerFrameType)]
 pub enum SshFrameType {
     RecordHdr,
@@ -197,11 +202,18 @@ impl SSHState {
                                 unsafe {
                                     AppLayerParserStateSetFlag(
                                         pstate,
-                                        APP_LAYER_PARSER_NO_INSPECTION
-                                        | APP_LAYER_PARSER_NO_REASSEMBLY
-                                        | APP_LAYER_PARSER_BYPASS_READY,
+                                        APP_LAYER_PARSER_NO_INSPECTION,
                                     );
                                 }
+                                if enc_bypass_is_enabled() {
+                                    unsafe {
+                                        AppLayerParserStateSetFlag(
+                                            pstate,
+                                            APP_LAYER_PARSER_NO_REASSEMBLY
+                                            | APP_LAYER_PARSER_BYPASS_READY,
+                                        );
+                                    }
+                                }
                             }
                         }
                         _ => {}
@@ -549,6 +561,16 @@ pub extern "C" fn rs_ssh_hassh_is_enabled() -> bool {
     hassh_is_enabled()
 }
 
+#[no_mangle]
+pub extern "C" fn rs_ssh_enable_bypass() {
+    BYPASS_ENABLED.store(true, Ordering::Relaxed)
+}
+
+#[no_mangle]
+pub extern "C" fn rs_ssh_enc_bypass_is_enabled() -> bool {
+    enc_bypass_is_enabled()
+}
+
 #[no_mangle]
 pub unsafe extern "C" fn rs_ssh_tx_get_log_condition( tx: *mut std::os::raw::c_void) -> bool {
     let tx = cast_pointer!(tx, SSHTransaction);

@@ -55,6 +55,8 @@
 
 /* HASSH fingerprints are disabled by default */
 #define SSH_CONFIG_DEFAULT_HASSH false
+/* Bypassing the encrypted part of the connections */
+#define SSH_CONFIG_DEFAULT_BYPASS true
 
 static int SSHRegisterPatternsForProtocolDetection(void)
 {
@@ -103,6 +105,23 @@ void RegisterSSHParsers(void)
         if (RunmodeIsUnittests() || enable_hassh) {
             rs_ssh_enable_hassh();
         }
+
+        bool enc_bypass = SSH_CONFIG_DEFAULT_BYPASS;
+        ConfNode *enc_handle = ConfGetNode("app-layer.protocols.ssh.encryption-handling");
+        if (enc_handle != NULL && enc_handle->val != NULL) {
+            if (strcmp(enc_handle->val, "full") == 0) {
+                enc_bypass = false;
+            } else if (strcmp(enc_handle->val, "bypass") == 0) {
+                enc_bypass = true;
+            } else {
+                enc_bypass = SSH_CONFIG_DEFAULT_BYPASS;
+            }
+        }
+
+        if (enc_bypass) {
+            SCLogConfig("ssh: bypass on the start of encryption enabled");
+            rs_ssh_enable_bypass();
+        }
     }
 
     SCLogDebug("Registering Rust SSH parser.");

@@ -944,6 +944,13 @@ app-layer:
     ssh:
       enabled: yes
       #hassh: yes
+
+      # What to do when the encrypted communications start:
+      # - bypass:  stop processing this flow as much as possible.
+      #            Offload flow bypass to kernel or hardware if possible.
+      # - full:    keep tracking and inspection as normal
+      #
+      # encryption-handling: full
     doh2:
       enabled: yes
     http2: