Project

General

Profile

Actions

Feature #2698

closed

hassh and hasshServer for ssh fingerprinting

Added by Victor Julien almost 3 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:
Protocol

Description

As discussed at Suricon2018, it would be great to have JA3 for non-https as well. This ticket is for SSH.

The SSH parser currently doesn't really inspect the handshake, so it will be a bit of work probably.


Related issues

Related to Task #2685: SuriCon 2018 brainstormNewVictor JulienActions
Blocked by Feature #3445: Convert SSH parser to RustClosedPhilippe AntoineActions
Actions #1

Updated by Victor Julien almost 3 years ago

  • Related to Task #2685: SuriCon 2018 brainstorm added
Actions #2

Updated by Mats Klepsland almost 3 years ago

The JA3 equivalent for SSH is called hassh (and hasshServer for JA3s):
https://github.com/salesforce/hassh

It would force me to learn some Rust, so it's a nice little project I think :)

Actions #3

Updated by Mats Klepsland almost 3 years ago

  • Subject changed from ja3/ja3s for ssh to hassh and hasshServer for ssh fingerprinting
Actions #4

Updated by Victor Julien over 1 year ago

Actions #5

Updated by Victor Julien over 1 year ago

  • Label Protocol added
Actions #6

Updated by Vadym Malakhatko over 1 year ago

Developed a fully functional version of "hassh" on top of Feature #3445 branch (ssh-rust-v12), will rebase after ssh conversion will be finished.
https://github.com/MalakhatkoVadym/suricata/tree/hassh-feature-2698-v1

Actions #8

Updated by Victor Julien about 1 year ago

  • Status changed from Assigned to Closed
  • Assignee changed from Mats Klepsland to Vadym Malakhatko
  • Target version changed from TBD to 6.0.0beta1
  • Effort deleted (medium)
  • Difficulty deleted (medium)
Actions

Also available in: Atom PDF