6.17. SSH Keywords

Suricata has several rule keywords to match on different elements of SSH connections.

6.17.1. ssh.proto

Match on the version of the SSH protocol used. ssh.proto is a sticky buffer, and can be used as a fast pattern. ssh.proto replaces the previous buffer name: ssh_proto. You may continue to use the previous name, but it’s recommended that existing rules be converted to use the new name.

Format:

ssh.proto;

Example:

alert ssh any any -> any any (msg:"match SSH protocol version"; ssh.proto; content:"2.0"; sid:1000010;)

The example above matches on SSH connections with SSH version 2.0.

6.17.2. ssh.software

Match on the software string from the SSH banner. ssh.software is a sticky buffer, and can be used as a fast pattern.

ssh.software replaces the previous keyword names: ssh_software & ssh.softwareversion. You may continue to use the previous name, but it’s recommended that rules be converted to use the new name.

Format:

ssh.software;

Example:

alert ssh any any -> any any (msg:"match SSH software string"; ssh.software; content:"openssh"; nocase; sid:1000020;)

The example above matches on SSH connections where the software string contains “openssh”.

6.17.3. ssh.protoversion

Matches on the version of the SSH protocol used. A value of 2_compat includes SSH version 1.99.

Format:

ssh.protoversion:[0-9](\.[0-9])?|2_compat;

Example:

alert ssh any any -> any any (msg:"SSH v2 compatible"; ssh.protoversion:2_compat; sid:1;)

The example above matches on SSH connections with SSH version 2 or 1.99.

alert ssh any any -> any any (msg:"SSH v1.10"; ssh.protoversion:1.10; sid:1;)

The example above matches on SSH connections with SSH version 1.10 only.

6.17.4. ssh.softwareversion

This keyword has been deprecated. Please use ssh.software instead. Matches on the software string from the SSH banner.

Example:

alert ssh any any -> any any (msg:"match SSH software string"; ssh.softwareversion:"OpenSSH"; sid:10000040;)

Suricata comes with a Hassh integration (https://github.com/salesforce/hassh). Hassh is used to fingerprint SSH clients and servers.

Hassh must be enabled in the Suricata config file (set ‘app-layer.protocols.ssh.hassh’ to ‘yes’).

6.17.5. ssh.hassh

Match on hassh (MD5 of the hassh algorithms of the client).

Example:

alert ssh any any -> any any (msg:"match hassh"; \
    ssh.hassh; content:"ec7378c1a92f5a8dde7e8b7a1ddf33d1";\
    sid:1000010;)

ssh.hassh is a ‘sticky buffer’.

ssh.hassh can be used as fast_pattern.

6.17.6. ssh.hassh.string

Match on the Hassh string (hassh algorithms of the client).

Example:

alert ssh any any -> any any (msg:"match hassh-string"; \
    ssh.hassh.string; content:"none,zlib@openssh.com,zlib"; \
    sid:1000030;)

ssh.hassh.string is a ‘sticky buffer’.

ssh.hassh.string can be used as fast_pattern.

6.17.7. ssh.hassh.server

Match on hassh (MD5 of the hassh algorithms of the server).

Example:

alert ssh any any -> any any (msg:"match SSH hash-server"; \
    ssh.hassh.server; content:"b12d2871a1189eff20364cf5333619ee"; \
    sid:1000020;)

ssh.hassh.server is a ‘sticky buffer’.

ssh.hassh.server can be used as fast_pattern.

6.17.8. ssh.hassh.server.string

Match on the hassh string (hassh algorithms of the server).

Example:

alert ssh any any -> any any (msg:"match SSH hash-server-string"; \
    ssh.hassh.server.string; content:"umac-64-etm@openssh.com,umac-128-etm@openssh.com"; \
    sid:1000040;)

ssh.hassh.server.string is a ‘sticky buffer’.

ssh.hassh.server.string can be used as fast_pattern.
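The value that ssh.hassh and ssh.hassh.server match on is the MD5 of the KEXINIT name-lists joined with ";" (kex;enc;mac;comp, client-to-server lists for the client fingerprint, server-to-client lists for the server one), and ssh.hassh.string / ssh.hassh.server.string expose that joined string itself. As an added example, not code from Suricata or the hassh project, this Python builds a constructed SSH_MSG_KEXINIT payload, parses the name-lists back out and derives both the string and the fingerprint; the algorithm lists and the short field names are the example's own.

```python
import hashlib
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# Constructed client algorithm lists (not taken from the Suricata docs).
SAMPLE_CLIENT = {
    "kex": "curve25519-sha256,diffie-hellman-group14-sha256",
    "hostkey": "ssh-ed25519,rsa-sha2-512",
    "enc_c2s": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com",
    "enc_s2c": "aes256-gcm@openssh.com,chacha20-poly1305@openssh.com",
    "mac_c2s": "umac-64-etm@openssh.com,hmac-sha2-256",
    "mac_s2c": "hmac-sha2-256,umac-64-etm@openssh.com",
    "comp_c2s": "none,zlib@openssh.com,zlib",
    "comp_s2c": "none,zlib@openssh.com,zlib",
}

def build_kexinit(fields):
    """Encode: message byte, 16-byte cookie, ten name-lists, follows flag, reserved."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie is fine for a sample
    for name in KEXINIT_FIELDS:
        value = fields.get(name, "").encode("ascii")
        out += struct.pack(">I", len(value)) + value
    return out + b"\x00" + struct.pack(">I", 0)

def parse_kexinit(payload):
    """Decode the ten name-lists; raise ValueError on anything truncated."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off, fields = 17, {}  # skip message byte and cookie
    for name in KEXINIT_FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated name-list")
        fields[name] = payload[off:off + length].decode("ascii")
        off += length
    return fields

def hassh_string(fields, server=False):
    d = "s2c" if server else "c2s"  # hasshServer uses the server-to-client lists
    return ";".join((fields["kex"], fields["enc_" + d], fields["mac_" + d], fields["comp_" + d]))

def hassh(fields, server=False):
    return hashlib.md5(hassh_string(fields, server).encode("ascii")).hexdigest()
```

Use server=True only on the KEXINIT sent by the server; the client's fingerprint comes from the client's own KEXINIT.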