rules: add SSH decoder events rules 4971/head
authorPhilippe Antoine <contact@catenacyber.fr>
Thu, 5 Mar 2020 14:10:46 +0000 (15:10 +0100)
committerVictor Julien <victor@inliniac.net>
Fri, 22 May 2020 06:40:01 +0000 (08:40 +0200)
rules/ssh-events.rules [new file with mode: 0644]

diff --git a/rules/ssh-events.rules b/rules/ssh-events.rules
new file mode 100644 (file)
index 0000000..99e199c
--- /dev/null
@@ -0,0 +1,10 @@
+# SSH app layer event rules
+#
+# SID's fall in the 2228000+ range. See https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer
+#
+# These sigs fire at most once per connection.
+#
+
+alert ssh any any -> any any (msg:"SURICATA SSH invalid banner"; flow:established; app-layer-event:ssh.invalid_banner; classtype:protocol-command-decode; sid:2228000; rev:1;)
+alert ssh any any -> any any (msg:"SURICATA SSH too long banner"; flow:established; app-layer-event:ssh.long_banner; classtype:protocol-command-decode; sid:2228001; rev:1;)
+alert ssh any any -> any any (msg:"SURICATA SSH invalid record"; flow:established; app-layer-event:ssh.invalid_record; classtype:protocol-command-decode; sid:2228002; rev:1;)
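Review bot: The diffstat lists only rules/ssh-events.rules, so nothing in this commit adds the new file to rules/Makefile.am or to the default rule-files list in suricata.yaml; unless that is done elsewhere, the three SSH event signatures will be neither installed nor loaded, which is worth confirming before merge. The header comment (L14–L19) gives the SID range but nothing about what a hit means in practice; a short note would help operators triage, for example `# invalid_banner / long_banner fire on the initial version exchange (often non-SSH traffic or a scanner on the SSH port); invalid_record fires on a malformed record after the banner — tune before alerting on high-volume sensors.` The exact conditions for each event live in the SSH parser, not in this file, so that comment should be checked against the parser before it is committed.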