8.16. SSH Keywords
Suricata has several rule keywords to match on different elements of SSH connections.
8.16.1. ssh.proto
Match on the version of the SSH protocol used. ssh.proto is a sticky buffer, and can be used as a fast pattern. ssh.proto replaces the previous buffer name: ssh_proto. You may continue to use the previous name, but it's recommended that existing rules be converted to use the new name.
Format:
ssh.proto;
Example:
alert ssh any any -> any any (msg:"match SSH protocol version"; ssh.proto; content:"2.0"; sid:1000010;)
The example above matches on SSH connections with SSH version 2.0.
8.16.2. ssh.software
Match on the software string from the SSH banner. ssh.software is a sticky buffer, and can be used as a fast pattern. ssh.software replaces the previous keyword names: ssh_software & ssh.softwareversion. You may continue to use the previous name, but it's recommended that rules be converted to use the new name.
Format:
ssh.software;
Example:
alert ssh any any -> any any (msg:"match SSH software string"; ssh.software; content:"openssh"; nocase; sid:1000020;)
The example above matches on SSH connections where the software string contains "openssh".
8.16.3. ssh.protoversion
Matches on the version of the SSH protocol used. A value of 2_compat includes SSH version 1.99.
Format:
ssh.protoversion:[0-9](\.[0-9])?|2_compat;
Example:
alert ssh any any -> any any (msg:"SSH v2 compatible"; ssh.protoversion:2_compat; sid:1;)
The example above matches on SSH connections with SSH version 2 or 1.99.
alert ssh any any -> any any (msg:"SSH v1.10"; ssh.protoversion:1.10; sid:1;)
The example above matches on SSH connections with SSH version 1.10 only.
8.16.4. ssh.softwareversion
This keyword has been deprecated. Please use ssh.software instead. Matches on the software string from the SSH banner.
Example:
alert ssh any any -> any any (msg:"match SSH software string"; ssh.softwareversion:"OpenSSH"; sid:10000040;)
Suricata comes with a Hassh integration (https://github.com/salesforce/hassh). Hassh is used to fingerprint ssh clients and servers.
Hassh must be enabled in the Suricata config file (set 'app-layer.protocols.ssh.hassh' to 'yes').
8.16.5. ssh.hassh
Match on hassh (md5 of hassh algorithms of client).
Example:
alert ssh any any -> any any (msg:"match hassh"; \
ssh.hassh; content:"ec7378c1a92f5a8dde7e8b7a1ddf33d1";\
sid:1000010;)
ssh.hassh is a 'sticky buffer'. ssh.hassh can be used as fast_pattern.
8.16.6. ssh.hassh.string
Match on Hassh string (hassh algorithms of client).
Example:
alert ssh any any -> any any (msg:"match hassh-string"; \
ssh.hassh.string; content:"none,zlib@openssh.com,zlib"; \
sid:1000030;)
ssh.hassh.string is a 'sticky buffer'. ssh.hassh.string can be used as fast_pattern.
8.16.7. ssh.hassh.server
Match on hassh (md5 of hassh algorithms of server).
Example:
alert ssh any any -> any any (msg:"match SSH hash-server"; \
ssh.hassh.server; content:"b12d2871a1189eff20364cf5333619ee"; \
sid:1000020;)
ssh.hassh.server is a 'sticky buffer'. ssh.hassh.server can be used as fast_pattern.
8.16.8. ssh.hassh.server.string
Match on hassh string (hassh algorithms of server).
Example:
alert ssh any any -> any any (msg:"match SSH hash-server-string"; \
ssh.hassh.server.string; content:"umac-64-etm@openssh.com,umac-128-etm@openssh.com"; sid:1000040;)
ssh.hassh.server.string is a 'sticky buffer'. ssh.hassh.server.string can be used as fast_pattern.
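How the values matched by the four hassh keywords above (ssh.hassh, ssh.hassh.string, ssh.hassh.server, ssh.hassh.server.string) are derived, as an added example that is not Suricata's code: it parses an SSH_MSG_KEXINIT payload, builds the kex;enc;mac;comp string that ssh.hassh.string / ssh.hassh.server.string expose, and MD5-hashes it to obtain the fingerprint ssh.hassh / ssh.hassh.server match on. The KEXINIT sample is constructed, not captured, and its compression and MAC lists reuse the ssh.hassh.string and ssh.hassh.server.string contents from the rule examples above.

```python
import hashlib
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253 message number
def build_kexinit(name_lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload from ten name-lists (used to build the constructed sample)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for nl in name_lists:
        data = ",".join(nl).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return the ten comma-separated name-lists of a KEXINIT payload, in RFC 4253 order."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, []  # skip message id and 16-byte cookie
    for _ in range(10):
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        lists.append(payload[pos:pos + n].decode("ascii"))
        pos += n
    return lists

def hassh_string(lists, server=False):
    """kex;enc;mac;comp from the client->server lists (hassh) or server->client lists (hasshServer)."""
    kex, _hostkey, enc_c2s, enc_s2c, mac_c2s, mac_s2c, comp_c2s, comp_s2c = lists[:8]
    if server:
        return ";".join([kex, enc_s2c, mac_s2c, comp_s2c])
    return ";".join([kex, enc_c2s, mac_c2s, comp_c2s])

def hassh(lists, server=False):
    """MD5 hex digest of the hassh string: the value ssh.hassh / ssh.hassh.server match on."""
    return hashlib.md5(hassh_string(lists, server).encode("ascii")).hexdigest()

# Constructed sample KEXINIT, not a capture. In real traffic hassh comes from the
# client's KEXINIT and hasshServer from the server's; one message is reused here.
SAMPLE_KEXINIT = build_kexinit([
    ["curve25519-sha256", "diffie-hellman-group14-sha256"],      # kex_algorithms
    ["ssh-ed25519", "rsa-sha2-512"],                              # server_host_key_algorithms
    ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],  # encryption client->server
    ["aes256-gcm@openssh.com"],                                   # encryption server->client
    ["hmac-sha2-256-etm@openssh.com"],                            # mac client->server
    ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com"],      # mac server->client
    ["none", "zlib@openssh.com", "zlib"],                         # compression client->server
    ["none"], [], [],                                             # compression server->client, languages
])
print("hassh:", hassh(parse_kexinit(SAMPLE_KEXINIT)), "hasshServer:", hassh(parse_kexinit(SAMPLE_KEXINIT), True))
```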