From daabab738174b7055f5d59ea4b7d158daa4f450c Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Tue, 22 Apr 2025 20:51:18 +0200 Subject: [PATCH] doc/ssh: document hooks Ticket: 7607 --- doc/userguide/firewall/firewall-design.rst | 5 +++++ doc/userguide/lua/libs/ssh.rst | 8 ++++++++ doc/userguide/rules/ssh-keywords.rst | 20 ++++++++++++++++++++ 3 files changed, 33 insertions(+) diff --git a/doc/userguide/firewall/firewall-design.rst b/doc/userguide/firewall/firewall-design.rst index b1cf2eb2ca..7b492242f9 100644 --- a/doc/userguide/firewall/firewall-design.rst +++ b/doc/userguide/firewall/firewall-design.rst @@ -140,6 +140,11 @@ Response (``to_client``) side: * ``server_handshake_done`` * ``server_finished`` +ssh +^^^ + +Available states are listed in :ref:`ssh-hooks`. + Firewall pipeline ~~~~~~~~~~~~~~~~~ diff --git a/doc/userguide/lua/libs/ssh.rst b/doc/userguide/lua/libs/ssh.rst index 0416186cbc..651bd67296 100644 --- a/doc/userguide/lua/libs/ssh.rst +++ b/doc/userguide/lua/libs/ssh.rst @@ -6,6 +6,14 @@ SSH transaction details are exposes to Lua scripts with the local ssh = require("suricata.ssh") +For use in rule matching, the rule must **hook** into a SSH +transaction state. Available states are listed in :ref:`ssh-hooks`. +For example: + +.. container:: example-rule + + alert ssh::example-rule-emphasis:`response_banner_done` any any -> any any (... + Setup ^^^^^ diff --git a/doc/userguide/rules/ssh-keywords.rst b/doc/userguide/rules/ssh-keywords.rst index 8e967e3d53..70e11058cc 100644 --- a/doc/userguide/rules/ssh-keywords.rst +++ b/doc/userguide/rules/ssh-keywords.rst 
@@ -5,6 +5,26 @@ SSH Keywords Suricata has several rule keywords to match on different elements of SSH connections. +.. _ssh-hooks: + +Hooks +----- + +The available hooks for SSH are: + +Request (``to_server``) side: + +* ``request_in_progress`` +* ``request_banner_wait_eol`` +* ``request_banner_done`` +* ``request_finished`` + +Response (``to_client``) side: + +* ``response_in_progress`` +* ``response_banner_wait_eol`` +* ``response_banner_done`` +* ``response_finished`` Frames ------ -- 2.47.2
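Review bot: the new ``ssh`` subsection in the doc/userguide/firewall/firewall-design.rst hunk says "Available states are listed in :ref:`ssh-hooks`", but the target section it links to is titled "Hooks" and says "The available hooks for SSH are"; pick one term for both places (for example "Available hooks (transaction states) are listed in :ref:`ssh-hooks`.") so a reader following the link finds what the sentence promised. The sibling subsection directly above also lists its states inline (``server_handshake_done``, ``server_finished``), so consider listing the SSH ones here as well rather than only delegating, to keep the firewall design page self-contained.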
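Review bot: in the doc/userguide/lua/libs/ssh.rst hunk, "the rule must **hook** into a SSH transaction state" should read "into an SSH transaction state". The unchanged context line just above the addition, "SSH transaction details are exposes to Lua scripts", has a pre-existing typo ("exposed") that is worth fixing in the same commit since the paragraph is being touched anyway. The term "transaction state" here versus "hook" in the ssh-keywords page is the same inconsistency noted for the firewall page; one term throughout would help.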
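Review bot: the hook list in the doc/userguide/rules/ssh-keywords.rst hunk gives names only, with no indication of when each hook fires; a one-line description per entry (in particular what distinguishes ``request_banner_wait_eol`` from ``request_banner_done``, and what ``request_in_progress`` covers) would let rule writers choose the right hook without reading the parser. Since this is the keyword reference most readers will open first, it would also help to repeat a short example here, such as the ``alert ssh:response_banner_done any any -> any any (...`` form used in the Lua page of this same patch, so the ``proto:hook`` syntax is shown next to the list of valid hook names.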