From: Philippe Antoine
Date: Thu, 5 Mar 2020 14:10:46 +0000 (+0100)
Subject: rules: add SSH decoder events rules
X-Git-Tag: suricata-6.0.0-beta1~413
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a98035bac707dd137a20df76bb3892a71e8c5f6;p=thirdparty%2Fsuricata.git

rules: add SSH decoder events rules
---
diff --git a/rules/ssh-events.rules b/rules/ssh-events.rules
new file mode 100644
index 0000000000..99e199c3ad
--- /dev/null
+++ b/rules/ssh-events.rules
@@ -0,0 +1,10 @@
+# SSH app layer event rules
+#
+# SID's fall in the 2228000+ range. See https://redmine.openinfosecfoundation.org/projects/suricata/wiki/AppLayer
+#
+# These sigs fire at most once per connection.
+#
+
+alert ssh any any -> any any (msg:"SURICATA SSH invalid banner"; flow:established; app-layer-event:ssh.invalid_banner; classtype:protocol-command-decode; sid:2228000; rev:1;)
+alert ssh any any -> any any (msg:"SURICATA SSH too long banner"; flow:established; app-layer-event:ssh.long_banner; classtype:protocol-command-decode; sid:2228001; rev:1;)
+alert ssh any any -> any any (msg:"SURICATA SSH invalid record"; flow:established; app-layer-event:ssh.invalid_record; classtype:protocol-command-decode; sid:2228002; rev:1;)
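Review bot: The header comment of rules/ssh-events.rules records the SID range but not where the `ssh.*` event names come from, so a future event registered by the SSH app-layer parser can silently go without a rule here; add a line after the SID note such as `# Event names must match those registered by the SSH app-layer parser; add a rule here whenever a new event is added.` The three rules themselves are consistent with each other (same `flow:established`, same classtype, consecutive SIDs, `rev:1`), which is what one wants for a new decoder-event file. As a wording nit, the `msg` on sid:2228001 reads more naturally as `"SURICATA SSH banner too long"`; since this is a new file, no `rev` bump is needed for that change.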