Remove hassh module from Suricata 6.0.9

Hello,

Suricata 6.0.9 has been chosen as the IDS engine in our project, but the IP team has big concerns about the hassh module, which is considered a risk.

It turned out that if we want to use Suricata we have to remove the hassh IP code, so my question is: if there is no way to do it at compile time, which part of the code should I change/remove in the Suricata source code? What is the risk? I am really worried about the quality and stability if we do so.

hassh isn’t configurable, and thus Suricata will always compile it in.

The application layer protocol parser is configurable (app-layer.protocols.ssh.hassh, with a default value of “not enabled”), however.

That’s right

The current situation is that we really want to remove it at the code level, which means modifying the Suricata code.

Based on my knowledge after a code walk-through, I think the core part is implemented in Rust, right? Maybe generate_hassh() in parser.rs is the one? If so, we plan to set an empty value for hassh_string and return; is that OK and secure? Thanks in advance!

The answer depends on what you’re trying to do:

  • Disallow the hassh rule keywords?
  • Disable hassh related parsing?

We prefer to disable the hassh-related parsing code. Actually, maybe not the whole part, just the core IP-related code.

So is it OK if we just change generate_hassh()? I think if we skip calculating the hash string, then we are not violating the IP.

In what way would the IP be violated, especially when it’s BSD 3-clause?
Depending on the plan, you might be more concerned about other parts of the license, especially if you plan to change parts of the code.

The IP department in our project considers the hassh feature in Suricata a risk, but without too many details.

We only have two options: give Suricata up, or remove the hassh code (the process that calculates the hassh string) from the open-source code. Meanwhile, we are ready to deal with the license part; it’s OK to open the source.

At this point I think you should just patch it out locally; without more justification I’m not interested in making this optional.

OK, great! So the point is whether generate_hassh() is the function I should remove or change. Could you please give me a clear answer so I can move forward? Thanks!

Make sure that hassh_is_enabled() always returns false.

Thank you so much! That’s helpful :grinning:
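The thread converges on one change: make the gate function return a constant false so the parser never builds the HASSH string, whatever suricata.yaml says. The Rust below is an added illustration of that pattern and is not Suricata's code: the flag, enable_hassh(), KexInit, SshHdr and parse_kexinit() are assumed names modelled on the thread's hassh_is_enabled() and generate_hassh(), and the digest step uses a std hasher as a stand-in for MD5 rather than reproducing the real fingerprint. It puts the upstream-style gate and the patched gate side by side and checks that, once the config switch has been flipped on, the patched gate still leaves both fingerprint fields empty.

```rust
// Added example, not Suricata source. Names other than hassh_is_enabled()
// and generate_hassh() are assumptions for illustration.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};
use std::sync::atomic::{AtomicBool, Ordering};

/// Process-wide flag that the config loader would set (assumed layout).
static HASSH_ENABLED: AtomicBool = AtomicBool::new(false);

/// What the YAML option app-layer.protocols.ssh.hassh: yes would call
/// (assumed name).
pub fn enable_hassh() {
    HASSH_ENABLED.store(true, Ordering::Relaxed);
}

/// Gate before the local patch: honours the config flag.
pub fn hassh_is_enabled_upstream() -> bool {
    HASSH_ENABLED.load(Ordering::Relaxed)
}

/// Gate after the local patch the thread recommends: constant false,
/// so the enable call above becomes a no-op for the parser.
pub fn hassh_is_enabled_patched() -> bool {
    false
}

/// The algorithm lists from a KEXINIT that HASSH is built from
/// (one direction only; assumed struct).
pub struct KexInit<'a> {
    pub kex: &'a str,
    pub enc: &'a str,
    pub mac: &'a str,
    pub comp: &'a str,
}

/// Per-direction parser state: fingerprint fields exist only if generated.
#[derive(Default, Debug)]
pub struct SshHdr {
    pub hassh_string: Option<String>,
    pub hassh: Option<String>,
}

/// Builds the "kex;enc;mac;comp" input string and a digest of it.
/// DefaultHasher is a stand-in for MD5: the shape is right, the value
/// is not a real HASSH.
fn generate_hassh(hdr: &mut SshHdr, kex: &KexInit) {
    let s = format!("{};{};{};{}", kex.kex, kex.enc, kex.mac, kex.comp);
    let mut h = DefaultHasher::new();
    s.hash(&mut h);
    hdr.hassh = Some(format!("{:016x}", h.finish()));
    hdr.hassh_string = Some(s);
}

/// KEXINIT handling; `gate` is whichever hassh_is_enabled() the build carries.
pub fn parse_kexinit(kex: &KexInit, gate: fn() -> bool) -> SshHdr {
    let mut hdr = SshHdr::default();
    if gate() {
        generate_hassh(&mut hdr, kex);
    }
    hdr
}

/// The check a maintainer of the local patch wants: with hassh switched on
/// in config, the upstream gate fingerprints and the patched gate does not.
pub fn patched_never_fingerprints() -> bool {
    enable_hassh();
    // Constructed sample KEXINIT, not a capture.
    let kex = KexInit {
        kex: "curve25519-sha256,diffie-hellman-group14-sha256",
        enc: "aes256-gcm@openssh.com,chacha20-poly1305@openssh.com",
        mac: "hmac-sha2-256,hmac-sha2-512",
        comp: "none,zlib@openssh.com",
    };
    let upstream = parse_kexinit(&kex, hassh_is_enabled_upstream);
    let patched = parse_kexinit(&kex, hassh_is_enabled_patched);
    upstream.hassh_string.is_some()
        && upstream.hassh.is_some()
        && patched.hassh_string.is_none()
        && patched.hassh.is_none()
}

fn main() {
    println!(
        "patched gate suppresses fingerprinting: {}",
        patched_never_fingerprints()
    );
}
```

Because the gate is checked at the one place the string is generated, nothing downstream (logging or rule keywords that read hassh fields) ever sees a value, which is the same effect as deleting generate_hassh() but a smaller, easier-to-rebase diff.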