git.ipfire.org Git - thirdparty/suricata.git/commitdiff
doc/ssh: document hooks 13092/head
author Philippe Antoine <pantoine@oisf.net>
Tue, 22 Apr 2025 18:51:18 +0000 (20:51 +0200)
committer Victor Julien <victor@inliniac.net>
Fri, 25 Apr 2025 07:51:48 +0000 (09:51 +0200)
Ticket: 7607

doc/userguide/firewall/firewall-design.rst
doc/userguide/lua/libs/ssh.rst
doc/userguide/rules/ssh-keywords.rst

index b1cf2eb2caf36c878d4f44ab7d5c426e964ba649..7b492242f961be7d2f8ddcc5ae34a633e3cf2317 100644 (file)
@@ -140,6 +140,11 @@ Response (``to_client``) side:
 * ``server_handshake_done``
 * ``server_finished``
 
+ssh
+^^^
+
+Available states are listed in :ref:`ssh-hooks`.
+
 Firewall pipeline
 ~~~~~~~~~~~~~~~~~
 
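Review bot: The sentence added under the new ``ssh`` heading says "Available states", while the section it links to is titled "Hooks" and introduces its list as "The available hooks for SSH". Using one term throughout would avoid the reader wondering whether states and hooks are different things, for example "Available hooks are listed in :ref:`ssh-hooks`." Also note that the preceding protocol section in this file lists its hooks inline (the context lines show ``server_handshake_done`` and ``server_finished``), whereas ssh only links out; it would help to say which of the two styles the document is meant to follow.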
index 0416186cbce4bf7171d1266dcfeffa96c3913a73..651bd6729661aefe4a5b3f38eab67a8ba4e295b4 100644 (file)
@@ -6,6 +6,14 @@ SSH transaction details are exposes to Lua scripts with the
 
   local ssh = require("suricata.ssh")
 
+For use in rule matching, the rule must **hook** into a SSH
+transaction state. Available states are listed in :ref:`ssh-hooks`.
+For example:
+
+.. container:: example-rule
+
+  alert ssh::example-rule-emphasis:`response_banner_done` any any -> any any (...
+
 Setup
 ^^^^^
 
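Review bot: The example rule at the end of the added block stops at "(..." and so never shows the rule option that loads the Lua script, which is the part this page is about; consider completing the options, or at least including that one. In the same paragraph, "a SSH transaction state" should read "an SSH transaction state", and the sentence quoted in the hunk header still has "are exposes", which could be corrected to "are exposed" in the same change.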
index 8e967e3d536ba56863b0ad51abdb3496b8760210..70e11058cc6c73f98de9a0739f4718e5c91486a8 100644 (file)
@@ -5,6 +5,26 @@ SSH Keywords
 Suricata has several rule keywords to match on different elements of SSH
 connections.
 
+.. _ssh-hooks:
+
+Hooks
+-----
+
+The available hooks for SSH are:
+
+Request (``to_server``) side:
+
+* ``request_in_progress``
+* ``request_banner_wait_eol``
+* ``request_banner_done``
+* ``request_finished``
+
+Response (``to_client``) side:
+
+* ``response_in_progress``
+* ``response_banner_wait_eol``
+* ``response_banner_done``
+* ``response_finished``
 
 Frames
 ------
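Review bot: The two lists added under "Hooks" give only the state names, with nothing on when each state is reached; in particular the difference between ``request_banner_wait_eol`` and ``request_banner_done`` (and the ``response_`` equivalents) is not obvious from the names alone. A one-line description per hook, or a sentence on the order in which the states progress, would let rule writers choose the right hook without reading the parser.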