18.3.12. SSH

SSH transaction details are exposed to Lua scripts through the suricata.ssh library. For example:

local ssh = require("suricata.ssh")

If you want to use hassh, you can either set suricata.yaml option app-layer.protocols.ssh.hassh to true, or specify it in the init function of your lua script by calling ssh.enable_hassh():

function init (args)
  ssh.enable_hassh()
  return {}
end

For use in rule matching, the rule must hook into an SSH transaction state. Available states are listed in Hooks. For example:

alert ssh:response_banner_done any any -> any any (...

18.3.12.1. Setup

If your purpose is to create a logging script, initialize the buffer as:

function init (args)
   local needs = {}
   return needs
end

If you are going to use the script for rule matching, choose one of the available SSH buffers listed in Lua Scripting for Detection and follow the pattern:

function init (args)
   local needs = {}
   return needs
end

18.3.12.1.1. Transaction

SSH is transaction based, and the current transaction must be obtained before use:

local tx, err = ssh.get_tx()
if tx == nil then
    -- no SSH transaction is available in this context; err holds the reason
    print(err)
end

All other functions are methods on the transaction table.

18.3.12.1.2. Transaction Methods

18.3.12.2. server_proto()

Get the server_proto value as a string.

Example:

local tx = ssh.get_tx()
local proto = tx:server_proto();
print (proto)

18.3.12.3. client_proto()

Get the client_proto value as a string.

Example:

local tx = ssh.get_tx()
local proto = tx:client_proto();
print (proto)

18.3.12.4. server_software()

Get the server_software value as a string.

Example:

local tx = ssh.get_tx()
local software = tx:server_software();
print (software)

18.3.12.5. client_software()

Get the client_software value as a string.

Example:

local tx = ssh.get_tx()
local software = tx:client_software();
print (software)

18.3.12.6. client_hassh()

Requires hassh to be enabled (see ssh.enable_hassh() above).

Get the client's HASSH fingerprint, the MD5 of the algorithm list the client offered, as a string.

Example:

local tx = ssh.get_tx()
local h = tx:client_hassh();
print (h)

18.3.12.7. client_hassh_string()

Requires hassh to be enabled (see ssh.enable_hassh() above).

Get the algorithm list the client offered, the string from which client_hassh() is computed.

Example:

local tx = ssh.get_tx()
local h = tx:client_hassh_string();
print (h)

18.3.12.8. server_hassh()

Requires hassh to be enabled (see ssh.enable_hassh() above).

Get the server's HASSH fingerprint, the MD5 of the algorithm list the server offered, as a string.

Example:

local tx = ssh.get_tx()
local h = tx:server_hassh();
print (h)

18.3.12.9. server_hassh_string()

Requires hassh to be enabled (see ssh.enable_hassh() above).

Get the algorithm list the server offered, the string from which server_hassh() is computed.

Example:

local tx = ssh.get_tx()
local h = tx:server_hassh_string();
print (h)
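The following output script ties the methods above together: it enables hassh in init and logs one line per SSH transaction with both banners and both HASSH fingerprints, tolerating fields that are not yet populated. It is an added example, not code from the Suricata documentation; it assumes the standard Lua output-script callbacks (init, setup, log, deinit) and that the script is registered under outputs: lua in suricata.yaml.

```lua
-- Added example (not from the Suricata docs): log SSH banners and HASSH
-- fingerprints for each transaction using only the suricata.ssh methods
-- documented in this section. Assumes the init/setup/log/deinit callbacks
-- of a Suricata Lua output script.
local ssh = require("suricata.ssh")

function init(args)
    -- hassh is off by default; enable it here or set
    -- app-layer.protocols.ssh.hassh to true in suricata.yaml.
    ssh.enable_hassh()
    local needs = {}
    return needs
end

function setup(args)
    -- Nothing to open: output goes through print(), as in the examples above.
end

-- Call the named transaction method and return "" if it is missing or has no
-- value yet (e.g. the server banner before response_banner_done), so the log
-- line always has the same shape.
local function field(tx, name)
    local ok, value = pcall(function() return tx[name](tx) end)
    if ok and value ~= nil then
        return tostring(value)
    end
    return ""
end

function log(args)
    local tx, err = ssh.get_tx()
    if tx == nil then
        print("ssh-lua: no transaction: " .. tostring(err))
        return
    end
    local line = string.format(
        "ssh client=%s/%s server=%s/%s client_hassh=%s server_hassh=%s",
        field(tx, "client_proto"), field(tx, "client_software"),
        field(tx, "server_proto"), field(tx, "server_software"),
        field(tx, "client_hassh"), field(tx, "server_hassh"))
    print(line)
end

function deinit(args)
end
```

The HASSH values are stable identifiers of the client and server implementations regardless of the software banner, so comparing them against the banner fields is a cheap way to spot clients that claim one version string but negotiate like another.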