Suricata 6.0.9 is chosen to be the IDS engine in our project, but the IP team has big concerns about the hassh module, which is considered a risk.
It turned out that if we want to use Suricata we have to remove the hassh IP code, so my question is: if there is no way to do it during compiling, which part of the code should I change/remove in the Suricata source code? What is the risk? I am really worried about the quality and stability if we do so.
The current situation is that we really want to remove it at the code level, which means modifying the Suricata code.
Based on my knowledge after a code walk-through, I think the core part is implemented in Rust, right? Maybe generate_hassh() in parser.rs is the one? If so, we plan to set an empty value for hassh_string and return; is that OK and secure? Thanks in advance!
The IP department in our project considered the hassh feature in Suricata a risk, but without too many details.
We only have two options: give Suricata up, or remove the hassh code (the process that calculates the hassh string) from the open source code. Meanwhile, we are ready to deal with the license part; it's OK to open the source.
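For readers evaluating the same question, the following is an added, stand-alone illustration of what the hassh feature computes; it is not Suricata's code and does not reproduce generate_hassh() or parser.rs. A HASSH fingerprint is an MD5 over four client-to-server name-lists from the SSH KEXINIT message (key exchange, encryption, MAC and compression algorithms), each list comma-separated and the four joined with ";". The parse_kexinit() layout follows the KEXINIT structure from RFC 4253 section 7.1, build_kexinit() constructs a sample message so the script runs offline, and the `enabled` flag mirrors the "return an empty value" change proposed above. Note that in Suricata 6 HASSH is already a configuration switch (`app-layer.protocols.ssh.hassh` in suricata.yaml, off unless set to `yes`), so the runtime effect of the proposed source change is the same as leaving that setting off; what a source removal adds is a guarantee that the computation cannot be enabled.

```python
"""Added example: what a HASSH fingerprint is, with a disable switch.

Not Suricata code. Message layout per RFC 4253 7.1; fingerprint per the
public HASSH specification (MD5 over kex;enc_c2s;mac_c2s;comp_c2s).
"""
import hashlib
import struct

SSH_MSG_KEXINIT = 20

# Order of the ten name-lists that follow the 16-byte cookie in KEXINIT.
NAME_LISTS = [
    "kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
]


def _name_list(names: str) -> bytes:
    """SSH 'name-list' encoding: uint32 length followed by ASCII text."""
    data = names.encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(**lists: str) -> bytes:
    """Construct a sample KEXINIT payload (no outer binary-packet framing).

    Unspecified name-lists are left empty. Cookie is zeroed; a real client
    sends 16 random bytes, which do not enter the fingerprint.
    """
    cookie = b"\x00" * 16
    body = b"".join(_name_list(lists.get(name, "")) for name in NAME_LISTS)
    first_kex_packet_follows = b"\x00"
    reserved = struct.pack(">I", 0)
    return bytes([SSH_MSG_KEXINIT]) + cookie + body + first_kex_packet_follows + reserved


def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload into its name-lists; rejects truncated input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 1 + 16  # message id + cookie
    fields = {}
    for name in NAME_LISTS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length for %s" % name)
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list body for %s" % name)
        fields[name] = payload[pos:pos + length].decode("ascii")
        pos += length
    return fields


def hassh_string(fields: dict) -> str:
    """The exact text that is hashed: the four client-to-server lists."""
    return ";".join([fields["kex"], fields["enc_c2s"],
                     fields["mac_c2s"], fields["comp_c2s"]])


def hassh(payload: bytes, enabled: bool = True) -> str:
    """Return the HASSH hex digest, or "" when fingerprinting is disabled.

    The disabled branch models the change proposed in the post: nothing is
    parsed or hashed, and callers receive an empty value.
    """
    if not enabled:
        return ""
    return hashlib.md5(hassh_string(parse_kexinit(payload)).encode("ascii")).hexdigest()


# Constructed sample: a minimal OpenSSH-like client KEXINIT.
SAMPLE_KEXINIT = build_kexinit(
    kex="curve25519-sha256,diffie-hellman-group14-sha256",
    hostkey="ssh-ed25519,rsa-sha2-256",
    enc_c2s="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com",
    enc_s2c="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com",
    mac_c2s="hmac-sha2-256",
    mac_s2c="hmac-sha2-256",
    comp_c2s="none",
    comp_s2c="none",
)

if __name__ == "__main__":
    print("hassh input :", hassh_string(parse_kexinit(SAMPLE_KEXINIT)))
    print("hassh       :", hassh(SAMPLE_KEXINIT))
    print("disabled    :", repr(hassh(SAMPLE_KEXINIT, enabled=False)))
```

The server-to-client lists and the host-key list are parsed but never hashed, which is what makes HASSH a client fingerprint; the same parser with the s2c lists would give the server-side hasshServer variant.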