Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Decouple stream bypass from TLS encrypted bypass v6 #12082

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Decouple stream bypass from TLS encrypted bypass v6 #12082

wants to merge 4 commits into from

Conversation

lukashino
Copy link
Contributor

Following up on #11886

Redmine ticket: https://redmine.openinfosecfoundation.org/issues/6788

Describe changes:
v6

  • rebased

v5

  • rebased
  • added upgrade section
  • fixed docs - Thanks Juliana
  • SV tests should pass now

v4

  • rebased
  • changed SSH bypass defaults to hopefully be in sync with the previous settings

v3

  • added SSH app-layer option encryption-handling allowing to choose whether to continue inspection on SSH once it turns encrypted
  • added SV tests
  • minor docs updates

SV_BRANCH=OISF/suricata-verify#2114

Lukas Sismis and others added 4 commits November 3, 2024 18:52
@lukashino
ssh: add option to select behavior of encrypted parts
d1a2bab 
Ticket: 6788
@msdean @lukashino
stream: decouple stream.bypass dependency from tls bypass
b22120f 
Decouple app.protocols.tls.encryption-handling and stream.bypass.
There's no apparent reason why encrypted TLS bypass traffic should
depend on stream bypass, as these are unrelated features.

Ticket: 6788
@lukashino
doc: remove trailing spaces in DPDK section
9fcdcd3
@lukashino
ssh: sync the hassh setting with the defaults
d7c2ab6
@lukashino lukashino mentioned this pull request Nov 3, 2024
Closed
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 3, 2024

NOTE: This PR may contain new authors.

@codecov Codecov
Copy link

codecov bot commented Nov 3, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 89.28571% with 3 lines in your changes missing coverage. Please review.

Project coverage is 83.37%. Comparing base (b1e7917) to head (d7c2ab6).

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #12082      +/-   ##
==========================================
- Coverage   83.37%   83.37%   -0.01%     
==========================================
  Files         910      910              
  Lines      257556   257579      +23     
==========================================
+ Hits       214748   214762      +14     
- Misses      42808    42817       +9
Flag Coverage Δ
fuzzcorpus 61.52% <71.42%> (-0.02%) ⬇️
livemode 19.41% <32.14%> (+<0.01%) ⬆️
pcap 44.46% <71.42%> (-0.04%) ⬇️
suricata-verify 62.77% <89.28%> (+0.02%) ⬆️
unittests 59.36% <67.85%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@suricata-qa
Copy link

Information:

ERROR: QA failed on SURI_TLPR1_alerts_cmp.

field baseline test %
SURI_TLPR1_stats_chk
.app_layer.flow.dcerpc_tcp 40 42 105.0%

Pipeline 23244

@lukashino
Copy link
Contributor Author

^ This should get a rerun, kinda weird that it didn't bypass dcerpc where that should not be affected by the PR at all - my assumption is that dcerpc_tcp runs unencrypted.

victorjulien
victorjulien requested changes Nov 4, 2024
View reviewed changes
Copy link
Member

@victorjulien victorjulien left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see inline

rust/src/ssh/ssh.rs
@@ -549,6 +561,16 @@ pub extern "C" fn rs_ssh_hassh_is_enabled() -> bool {
hassh_is_enabled()
}

#[no_mangle]
pub extern "C" fn rs_ssh_enable_bypass() {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

old style "style". New is "SCSshEnableBypass", so our C style with SC prefix. This applies only to the global functions.

rust/src/ssh/ssh.rs

fn hassh_is_enabled() -> bool {
HASSH_ENABLED.load(Ordering::Relaxed)
}

fn enc_bypass_is_enabled() -> bool {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

style: here and beyond, lets replace enc with encrypt or encryption for readability.

src/app-layer-ssh.c
bool enc_bypass = SSH_CONFIG_DEFAULT_BYPASS;
ConfNode *enc_handle = ConfGetNode("app-layer.protocols.ssh.encryption-handling");
if (enc_handle != NULL && enc_handle->val != NULL) {
if (strcmp(enc_handle->val, "full") == 0) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"full" to me means APP_LAYER_PARSER_NO_INSPECTION isn't set either. It just means full processing and inspection of the rest of the flow even if encrypted phase has started

suricata.yaml.in
# What to do when the encrypted communications start:
# - bypass: stop processing this flow as much as possible.
# Offload flow bypass to kernel or hardware if possible.
# - full: keep tracking and inspection as normal
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not what the code does, see above

@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 23247

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@victorjulien victorjulien victorjulien requested changes

@catenacyber catenacyber Awaiting requested review from catenacyber catenacyber is a code owner

@jufajardini jufajardini Awaiting requested review from jufajardini jufajardini is a code owner

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@lukashino @suricata-qa @victorjulien @msdean