path: root/doc/userguide/rules/ssh-keywords.rst
.. role:: example-rule-emphasis

SSH Keywords
============
Suricata has several rule keywords to match on different elements of SSH
connections.


ssh.proto
---------
Match on the version of the SSH protocol used. ``ssh.proto`` is a sticky buffer,
and can be used as a fast pattern. ``ssh.proto`` replaces the previous buffer
name: ``ssh_proto``. You may continue to use the previous name, but it's
recommended that existing rules be converted to use the new name.

Format::

  ssh.proto;

Example:

.. container:: example-rule

  alert ssh any any -> any any (msg:"match SSH protocol version"; :example-rule-emphasis:`ssh.proto;` content:"2.0"; sid:1000010;)

The example above matches on SSH connections with SSH version 2.0.


ssh.software
------------
Match on the software string from the SSH banner. ``ssh.software`` is a sticky
buffer, and can be used as a fast pattern.

``ssh.software`` replaces the previous keyword names: ``ssh_software`` &
``ssh.softwareversion``. You may continue to use the previous names, but it's
recommended that rules be converted to use the new name.

Format::

  ssh.software;

Example:

.. container:: example-rule

  alert ssh any any -> any any (msg:"match SSH software string"; :example-rule-emphasis:`ssh.software;` content:"openssh"; nocase; sid:1000020;)

The example above matches on SSH connections where the software string contains
"openssh".


ssh.protoversion
----------------
Matches on the version of the SSH protocol used. A value of ``2_compat``
includes SSH version 1.99.

Format::

  ssh.protoversion:[0-9](\.[0-9])?|2_compat;

Example:

.. container:: example-rule

  alert ssh any any -> any any (msg:"SSH v2 compatible"; :example-rule-emphasis:`ssh.protoversion:2_compat;` sid:1;)

The example above matches on SSH connections with SSH version 2 or 1.99.

.. container:: example-rule

  alert ssh any any -> any any (msg:"SSH v1.10"; :example-rule-emphasis:`ssh.protoversion:1.10;` sid:1;)

The example above matches on SSH connections with SSH version 1.10 only.
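The three keywords above all read from the SSH identification string the peers exchange before key exchange (``SSH-protoversion-softwareversion SP comments CR LF`` per RFC 4253). The following Python is an added example, not part of this documentation or of Suricata itself: it parses a few constructed banners into the parts the ``ssh.proto`` and ``ssh.software`` buffers expose and models how the page's example rules would evaluate against them. The ``protoversion_matches`` semantics (``2_compat`` covers 2.x and 1.99, a bare major such as ``2`` matches that major, anything else must match exactly) are an assumption made for illustration; Suricata's own implementation is authoritative.

```python
import re

# Constructed sample identification strings; not captured from any real host.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
    "SSH-1.99-Cisco-1.25\r\n",
    "SSH-2.0-libssh_0.9.6\r\n",
    "SSH-1.5-OpenSSH_2.3.0\r\n",
]

_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+(?:\.[0-9]+)?)-"   # protocol version, e.g. 2.0 or 1.99
    r"(?P<software>[^ \r\n]+)"                # software string, up to the first space
    r"(?: (?P<comments>[^\r\n]*))?"           # optional comments after one space
    r"\r?\n?$"
)


def parse_ssh_banner(line):
    """Split an SSH identification string into the parts the ssh.proto and
    ssh.software buffers expose. Raises ValueError for anything else."""
    m = _BANNER_RE.match(line)
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments") or "",
    }


def protoversion_matches(proto, spec):
    """Simplified model of ssh.protoversion (assumption, not Suricata's code):
    2_compat covers 2.x and 1.99; a bare major ("2") matches that major;
    any other value must match exactly."""
    if spec == "2_compat":
        return proto == "1.99" or proto.startswith("2.")
    if "." not in spec:
        return proto.split(".")[0] == spec
    return proto == spec


def software_contains(software, needle, nocase=True):
    """Model of `ssh.software; content:"..."; nocase;` as a substring test."""
    if nocase:
        return needle.lower() in software.lower()
    return needle in software


def evaluate_page_rules(banner):
    """Report which of the page's example rules would fire on one banner."""
    b = parse_ssh_banner(banner)
    return {
        "proto 2.0 (sid:1000010)": "2.0" in b["proto"],
        "software openssh (sid:1000020)": software_contains(b["software"], "openssh"),
        "protoversion 2_compat": protoversion_matches(b["proto"], "2_compat"),
        "protoversion 1.10": protoversion_matches(b["proto"], "1.10"),
    }


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner.strip(), evaluate_page_rules(banner))
```

Note that the comments field after the first space is deliberately kept separate from the software string, so a ``content:`` match on ``ssh.software`` is not satisfied by distribution suffixes such as ``Ubuntu-3ubuntu0.6``.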


ssh.softwareversion
-------------------
This keyword has been deprecated. Please use ``ssh.software`` instead. Matches
on the software string from the SSH banner.

Example:

.. container:: example-rule

  alert ssh any any -> any any (msg:"match SSH software string"; :example-rule-emphasis:`ssh.softwareversion:"OpenSSH";` sid:10000040;)


Suricata comes with a Hassh integration (https://github.com/salesforce/hassh). Hassh is used to fingerprint SSH clients and servers.

Hassh must be enabled in the Suricata config file (set 'app-layer.protocols.ssh.hassh' to 'yes').

ssh.hassh
---------

Match on the hassh fingerprint (MD5 of the client's hassh algorithm string).

Example::

  alert ssh any any -> any any (msg:"match hassh"; \
      ssh.hassh; content:"ec7378c1a92f5a8dde7e8b7a1ddf33d1";\
      sid:1000010;)
      
``ssh.hassh`` is a 'sticky buffer'.

``ssh.hassh`` can be used as ``fast_pattern``.

ssh.hassh.string
----------------

Match on Hassh string (hassh algorithms of client).

Example::

  alert ssh any any -> any any (msg:"match hassh-string"; \
      ssh.hassh.string; content:"none,zlib@openssh.com,zlib"; \
      sid:1000030;)

``ssh.hassh.string`` is a 'sticky buffer'.

``ssh.hassh.string`` can be used as ``fast_pattern``.

ssh.hassh.server
----------------

Match on the server hassh fingerprint (MD5 of the server's hassh algorithm string).

Example::

  alert ssh any any -> any any (msg:"match SSH hash-server"; \
      ssh.hassh.server; content:"b12d2871a1189eff20364cf5333619ee"; \
      sid:1000020;)

``ssh.hassh.server`` is a 'sticky buffer'.

``ssh.hassh.server`` can be used as ``fast_pattern``.

ssh.hassh.server.string
-----------------------

Match on hassh string (hassh algorithms of server).

Example::

  alert ssh any any -> any any (msg:"match SSH hash-server-string"; \
      ssh.hassh.server.string; content:"umac-64-etm@openssh.com,umac-128-etm@openssh.com"; \
      sid:1000040;)

``ssh.hassh.server.string`` is a 'sticky buffer'.

``ssh.hassh.server.string`` can be used as ``fast_pattern``.
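The four hassh keywords above expose two views of the same data: the algorithm string built from a peer's KEXINIT name-lists, and the MD5 of that string. The following Python is an added example, not part of this documentation or of Suricata: it builds both buffers for a constructed client and server KEXINIT and checks the page's ``ssh.hassh.string`` and ``ssh.hassh.server.string`` example contents against them. The composition (kex, encryption, MAC and compression lists, ``,`` within a list and ``;`` between lists, client-to-server lists for the client, server-to-client lists for the server) follows the hassh project the page links and is an assumption here; check it against that specification before relying on the exact hex values.

```python
import hashlib

# Constructed KEXINIT name-lists for a hypothetical client and server; not
# captured from any real host and shortened for readability.
CLIENT_KEXINIT = {
    "kex":  ["curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256"],
    "enc":  ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-gcm@openssh.com"],
    "mac":  ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"],
    "comp": ["none", "zlib@openssh.com", "zlib"],
}
SERVER_KEXINIT = {
    "kex":  ["curve25519-sha256", "ecdh-sha2-nistp256"],
    "enc":  ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "mac":  ["umac-64-etm@openssh.com", "umac-128-etm@openssh.com"],
    "comp": ["none", "zlib@openssh.com"],
}


def hassh_string(kex, enc, mac, comp):
    """Build the hassh algorithm string: ',' between names inside a list,
    ';' between the four lists (kex; encryption; MAC; compression), in the
    order the hassh project documents (assumed here). Order is significant:
    the same algorithms offered in a different order give a different
    fingerprint, which is exactly what makes the value useful for
    identifying an implementation."""
    return ";".join(",".join(names) for names in (kex, enc, mac, comp))


def hassh_fingerprint(kex, enc, mac, comp):
    """MD5 hex digest of the hassh string, the value ssh.hassh and
    ssh.hassh.server carry."""
    return hashlib.md5(hassh_string(kex, enc, mac, comp).encode("ascii")).hexdigest()


def fingerprint_buffers(kexinit, side):
    """Return the two sticky-buffer values for one side of the connection:
    side="client" -> ssh.hassh / ssh.hassh.string (client-to-server lists),
    side="server" -> ssh.hassh.server / ssh.hassh.server.string."""
    if side not in ("client", "server"):
        raise ValueError("side must be 'client' or 'server'")
    args = (kexinit["kex"], kexinit["enc"], kexinit["mac"], kexinit["comp"])
    key = "ssh.hassh" if side == "client" else "ssh.hassh.server"
    return {key: hassh_fingerprint(*args), key + ".string": hassh_string(*args)}


def content_matches(buffer_value, content, nocase=False):
    """Model of a `content:` keyword against a sticky buffer: substring test."""
    if nocase:
        return content.lower() in buffer_value.lower()
    return content in buffer_value


if __name__ == "__main__":
    client = fingerprint_buffers(CLIENT_KEXINIT, "client")
    server = fingerprint_buffers(SERVER_KEXINIT, "server")
    for name, value in list(client.items()) + list(server.items()):
        print("%-25s %s" % (name, value))
    # The page's string-matching examples, applied to the constructed peers.
    print("sid:1000030 fires:", content_matches(client["ssh.hassh.string"], "none,zlib@openssh.com,zlib"))
    print("sid:1000040 fires:", content_matches(server["ssh.hassh.server.string"],
                                                "umac-64-etm@openssh.com,umac-128-etm@openssh.com"))
```

A ``content:`` match on the ``.string`` buffers is a substring test, so the compression-list pattern from the ``ssh.hassh.string`` example matches any client whose string contains that exact comma-separated run, while the MD5 buffers only ever match a whole fingerprint. When writing hassh-based rules, prefer the fingerprint buffers for "known implementation" detections and the string buffers when you care about one specific list (for example, a client that still offers a weak MAC).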