From: Philippe Antoine Date: Tue, 22 Apr 2025 18:51:18 +0000 (+0200) Subject: doc/ssh: document hooks X-Git-Tag: suricata-8.0.0-rc1~411 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=daabab738174b7055f5d59ea4b7d158daa4f450c;p=thirdparty%2Fsuricata.git doc/ssh: document hooks Ticket: 7607 --- diff --git a/doc/userguide/firewall/firewall-design.rst b/doc/userguide/firewall/firewall-design.rst index b1cf2eb2ca..7b492242f9 100644 --- a/doc/userguide/firewall/firewall-design.rst +++ b/doc/userguide/firewall/firewall-design.rst @@ -140,6 +140,11 @@ Response (``to_client``) side: * ``server_handshake_done`` * ``server_finished`` +ssh +^^^ + +Available states are listed in :ref:`ssh-hooks`. + Firewall pipeline ~~~~~~~~~~~~~~~~~ diff --git a/doc/userguide/lua/libs/ssh.rst b/doc/userguide/lua/libs/ssh.rst index 0416186cbc..651bd67296 100644 --- a/doc/userguide/lua/libs/ssh.rst +++ b/doc/userguide/lua/libs/ssh.rst @@ -6,6 +6,14 @@ SSH transaction details are exposes to Lua scripts with the local ssh = require("suricata.ssh") +For use in rule matching, the rule must **hook** into a SSH +transaction state. Available states are listed in :ref:`ssh-hooks`. +For example: + +.. container:: example-rule + + alert ssh::example-rule-emphasis:`response_banner_done` any any -> any any (... + Setup ^^^^^ diff --git a/doc/userguide/rules/ssh-keywords.rst b/doc/userguide/rules/ssh-keywords.rst index 8e967e3d53..70e11058cc 100644 --- a/doc/userguide/rules/ssh-keywords.rst +++ b/doc/userguide/rules/ssh-keywords.rst 
@@ -5,6 +5,26 @@ SSH Keywords Suricata has several rule keywords to match on different elements of SSH connections. +.. _ssh-hooks: + +Hooks +----- + +The available hooks for SSH are: + +Request (``to_server``) side: + +* ``request_in_progress`` +* ``request_banner_wait_eol`` +* ``request_banner_done`` +* ``request_finished`` + +Response (``to_client``) side: + +* ``response_in_progress`` +* ``response_banner_wait_eol`` +* ``response_banner_done`` +* ``response_finished`` Frames ------
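Review bot: In doc/userguide/firewall/firewall-design.rst, the new ``ssh`` section uses a bare :ref:`ssh-hooks`, and the target section in ssh-keywords.rst is titled only "Hooks". The rendered sentence will therefore read "Available states are listed in Hooks.", with nothing in the link text saying these are the SSH ones. Consider explicit link text such as :ref:`SSH hooks <ssh-hooks>`. The section just above lists its states inline per direction (``server_handshake_done``, ``server_finished``), so listing the SSH states here as well, or stating why this one links out, would keep the page consistent.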
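Review bot: In doc/userguide/lua/libs/ssh.rst, the example rule stops at "(..." with the parenthesis left open, so a reader of the Lua page never sees how the ``response_banner_done`` hook is combined with the Lua options this page documents. Suggest completing the rule with those options, or at least closing it as "(...)" so it reads as a deliberate elision. In the same added paragraph, "a SSH transaction state" should be "an SSH transaction state"; while in this file, the context line "SSH transaction details are exposes to Lua scripts" could be corrected to "exposed".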
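Review bot: In doc/userguide/rules/ssh-keywords.rst, the new Hooks section lists the eight state names but does not say when each one is reached. A rule author cannot tell from the names alone how ``request_banner_wait_eol`` differs from ``request_banner_done``, or what has been parsed by ``request_finished``. Suggest a one-line description per state (or per pair, since the request and response lists mirror each other) and a short example rule using one hook, so the section is usable without reading the parser source.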