From: Mats Klepsland Date: Tue, 16 Oct 2018 19:48:32 +0000 (+0200) Subject: doc: add documentation for SSH keywords X-Git-Tag: suricata-4.1.0~84 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e92fda37c92b943decc132b32754072b5beba8e1;p=thirdparty%2Fsuricata.git doc: add documentation for SSH keywords --- diff --git a/doc/userguide/rules/index.rst b/doc/userguide/rules/index.rst index 2fa4e639b8..ed1cdaceb3 100644 --- a/doc/userguide/rules/index.rst +++ b/doc/userguide/rules/index.rst @@ -13,6 +13,7 @@ Suricata Rules file-keywords dns-keywords tls-keywords + ssh-keywords ja3-keywords modbus-keyword dnp3-keywords diff --git a/doc/userguide/rules/ssh-keywords.rst b/doc/userguide/rules/ssh-keywords.rst new file mode 100644 index 0000000000..ac0d74ead1 --- /dev/null +++ b/doc/userguide/rules/ssh-keywords.rst 
@@ -0,0 +1,60 @@ +SSH Keywords +============ + +Suricata comes with several rule keywords to match on SSH connections. + +ssh_proto +--------- + +Match on the version of the SSH protocol used. + +Example:: + + alert ssh any any -> any any (msg:"match SSH protocol version"; \ + ssh_proto; content:"2.0"; sid:1000010;) + +The example above matches on SSH connections with SSH version 2. + +``ssh_proto`` is a 'Sticky buffer'. + +``ssh_proto`` can be used as ``fast_pattern``. + +ssh_version +----------- + +Match on the software string from the SSH banner. + +Example:: + + alert ssh any any -> any any (msg:"match SSH software string"; \ + ssh_software: content:"openssh"; nocase; sid:1000020;) + +The example above matches on SSH connections where the software string contains "openssh". + +``ssh_software`` is a 'Sticky buffer'. + +``ssh_software`` can be used as ``fast_pattern``. + +ssh.protoversion +---------------- + +This is a legacy keyword. Use ``ssh_proto`` instead! + +Match on the version of the SSH protocol used. + +Example:: + + alert ssh any any -> any any (msg:"match SSH protocol version"; \ + ssh.protoversion:"2.0"; sid:1000030;) + +ssh.softwareversion +------------------- + +This is a legacy keyword. Use ``ssh_software`` instead! + +Match on the software string from the SSH banner. + +Example:: + + alert ssh any any -> any any (msg:"match SSH software string"; \ + ssh.softwareversion:"OpenSSH"; sid:10000040;)
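Review bot: In the ssh-keywords.rst hunk the second section heading reads ``ssh_version`` but everything under it (the description, the example, and the 'Sticky buffer' and ``fast_pattern`` notes) documents ``ssh_software``; rename the heading to ``ssh_software`` and extend its underline to match. The example in that section also uses a colon after the sticky-buffer keyword, ``ssh_software: content:"openssh"; nocase;``, whereas the first example correctly terminates the buffer keyword with a semicolon (``ssh_proto; content:"2.0";``); change it to ``ssh_software; content:"openssh"; nocase;`` so the rule parses. Finally, the last example uses ``sid:10000040;`` while the other three follow the 1000010/1000020/1000030 sequence; this looks like an extra zero, and ``sid:1000040;`` would keep the series consistent.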