Diffstat (limited to 'rules/ssh-events.rules')
-rw-r--r--rules/ssh-events.rules10
1 files changed, 10 insertions, 0 deletions
diff --git a/rules/ssh-events.rules b/rules/ssh-events.rules
new file mode 100644
index 0000000..99e199c
--- /dev/null
+++ b/rules/ssh-events.rules
@@ -0,0 +1,10 @@
+# SSH app layer event rules
+#
+# SID's fall in the 2228000+ range. See https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer
+#
+# These sigs fire at most once per connection.
+#
+
+alert ssh any any -> any any (msg:"SURICATA SSH invalid banner"; flow:established; app-layer-event:ssh.invalid_banner; classtype:protocol-command-decode; sid:2228000; rev:1;)
+alert ssh any any -> any any (msg:"SURICATA SSH too long banner"; flow:established; app-layer-event:ssh.long_banner; classtype:protocol-command-decode; sid:2228001; rev:1;)
+alert ssh any any -> any any (msg:"SURICATA SSH invalid record"; flow:established; app-layer-event:ssh.invalid_record; classtype:protocol-command-decode; sid:2228002; rev:1;)
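Review bot: All three rules use `any any -> any any` with only `flow:established;`, so an alert does not record which endpoint sent the bad banner or record and the msg text does not distinguish either; for triage an oversized or invalid banner from the client (a probe aimed at the server) and one from the server (a rogue or malformed service) are different findings. If the SSH parser raises these events for both directions, consider splitting the banner rules into `flow:established,to_server;` and `flow:established,to_client;` variants with distinct sids and msg suffixes, or at minimum stating in the header comment that the rules are direction-agnostic. The header claim `# These sigs fire at most once per connection.` is an assertion about parser behaviour rather than about the rules themselves; if it rests on the parser ceasing to inspect the stream after the banner/key exchange, saying so (`# The parser stops inspecting the stream after key exchange, so each event is raised at most once per flow`) makes the guarantee checkable. Minor: `SID's` on the third comment line should read `SIDs`.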