8.17. SSH Keywords
Suricata has several rule keywords to match on different elements of SSH connections.
8.17.1. Frames
The SSH parser supports the following frames:
ssh.record_hdr
ssh.record_data
ssh.record_pdu
These are header + data = pdu for SSH records, after the banner and before encryption. The SSH record header is 6 bytes long: 4 bytes length, 1 byte padding length, 1 byte message code.
Example:
alert ssh any any -> any any (msg:"hdr frame new keys"; frame:ssh.record_hdr; content: "|15|"; endswith; bsize: 6; sid:2;)
This rule matches like the Wireshark filter ssh.message_code == 0x15.
8.17.2. ssh.proto
Match on the version of the SSH protocol used. ssh.proto is a sticky buffer, and can be used as a fast pattern. ssh.proto replaces the previous buffer name: ssh_proto. You may continue to use the previous name, but it's recommended that existing rules be converted to use the new name.
Format:
ssh.proto;
Example:
alert ssh any any -> any any (msg:"match SSH protocol version"; ssh.proto; content:"2.0"; sid:1000010;)
The example above matches on SSH connections with SSH version 2.0.
8.17.3. ssh.software
Match on the software string from the SSH banner. ssh.software is a sticky buffer, and can be used as fast pattern.
Format:
ssh.software;
Example:
alert ssh any any -> any any (msg:"match SSH software string"; ssh.software; content:"openssh"; nocase; sid:1000020;)
The example above matches on SSH connections where the software string contains "openssh".
8.17.4. ssh.hassh
Match on hassh (md5 of hassh algorithms of client).
Example:
alert ssh any any -> any any (msg:"match hassh"; \
ssh.hassh; content:"ec7378c1a92f5a8dde7e8b7a1ddf33d1";\
sid:1000010;)
ssh.hassh is a 'sticky buffer'. ssh.hassh can be used as fast_pattern.
8.17.5. ssh.hassh.string
Match on Hassh string (hassh algorithms of client).
Example:
alert ssh any any -> any any (msg:"match hassh-string"; \
ssh.hassh.string; content:"none,zlib@openssh.com,zlib"; \
sid:1000030;)
ssh.hassh.string is a 'sticky buffer'. ssh.hassh.string can be used as fast_pattern.
8.17.6. ssh.hassh.server
Match on hassh (md5 of hassh algorithms of server).
Example:
alert ssh any any -> any any (msg:"match SSH hash-server"; \
ssh.hassh.server; content:"b12d2871a1189eff20364cf5333619ee"; \
sid:1000020;)
ssh.hassh.server is a 'sticky buffer'. ssh.hassh.server can be used as fast_pattern.
8.17.7. ssh.hassh.server.string
Match on hassh string (hassh algorithms of server).
Example:
alert ssh any any -> any any (msg:"match SSH hash-server-string"; \
ssh.hassh.server.string; content:"umac-64-etm@openssh.com,umac-128-etm@openssh.com"; sid:1000040;)
ssh.hassh.server.string is a 'sticky buffer'. ssh.hassh.server.string can be used as fast_pattern.
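To make concrete what the ssh.record_hdr frame and the ssh.hassh buffers above actually see, here is an added Python example (not part of the Suricata documentation or source) that builds an unencrypted SSH record per RFC 4253, parses the 6-byte header the frame rule matches on, and derives the hassh string and md5 from a KEXINIT's name-lists. The cookie and algorithm lists are constructed sample values; the kex;enc;mac;comp composition and the client-to-server / server-to-client direction split follow the public hassh definition.

```python
import hashlib
import struct

SSH_MSG_KEXINIT = 0x14
SSH_MSG_NEWKEYS = 0x15


def build_record(payload: bytes, block: int = 8) -> bytes:
    """Unencrypted SSH binary packet (RFC 4253 s6): uint32 packet_length, byte padding_length, payload, padding."""
    pad = block - ((5 + len(payload)) % block)
    if pad < 4:  # RFC 4253 requires at least 4 bytes of padding
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad


def parse_record_hdr(record: bytes) -> tuple:
    """The 6-byte ssh.record_hdr frame: 4 bytes length, 1 byte padding length, 1 byte message code."""
    return struct.unpack(">IBB", record[:6])


def payload_of(record: bytes) -> bytes:
    """The record payload: everything after the 5-byte packet header, minus the trailing padding."""
    length, pad, _ = parse_record_hdr(record)
    return record[5:5 + length - 1 - pad]


def name_list(names: str) -> bytes:
    return struct.pack(">I", len(names)) + names.encode()


def build_kexinit(kex: str, hostkey: str, enc: str, mac: str, comp: str) -> bytes:
    """KEXINIT payload (RFC 4253 s7.1) with a constructed all-zero cookie; same lists in both directions."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for nl in (kex, hostkey, enc, enc, mac, mac, comp, comp, "", ""):
        payload += name_list(nl)
    return payload + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows=0, reserved


def parse_kexinit_lists(payload: bytes) -> list:
    """Return the ten name-lists of a KEXINIT payload as strings (message code + 16-byte cookie skipped)."""
    off, lists = 17, []
    for _ in range(10):
        (n,) = struct.unpack(">I", payload[off:off + 4])
        lists.append(payload[off + 4:off + 4 + n].decode())
        off += 4 + n
    return lists


def hassh(lists: list, server: bool = False) -> tuple:
    """hassh string (kex;enc;mac;comp) and its md5, as ssh.hassh.string / ssh.hassh expose them.
    The client fingerprint uses the client-to-server lists, the server one the server-to-client lists."""
    enc, mac, comp = (lists[3], lists[5], lists[7]) if server else (lists[2], lists[4], lists[6])
    text = ";".join([lists[0], enc, mac, comp])
    return text, hashlib.md5(text.encode()).hexdigest()


# Constructed samples: a NEWKEYS record (what the frame rule above looks for) and a client KEXINIT.
NEWKEYS_RECORD = build_record(bytes([SSH_MSG_NEWKEYS]))
KEXINIT_RECORD = build_record(build_kexinit("curve25519-sha256", "ssh-ed25519",
                                            "chacha20-poly1305@openssh.com",
                                            "umac-64-etm@openssh.com", "none,zlib@openssh.com,zlib"))
```

For the NEWKEYS record the header parses to length 12, padding 10 and message code 0x15, i.e. a 6-byte frame ending in |15|, which is exactly what `bsize: 6; content:"|15|"; endswith;` asserts.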