Can I use dsize in rules when ssh is enabled?

Rules
1

Can I use dsize when ssh is enabled?

Alert is not generated when ssh is enabled.
If ssh is disabled, may alerts are generated.
My guess is that ssh decoding affects the dsize.

[information]
rule:

  • alert tcp-pkt any any → any 22 (msg:“ssh dsize test”; flow:established,to_server; dsize:80; prefilter; sid:1001;)

ssh enabled(suricata-applayers.yaml)
ssh:
enabled: yes

ssh disabled(suricata-applayers.yaml)
ssh:
enabled: no

There are many tcp.len == 80 packets
Flow Keywords
Don’t Cross The Streams

2

Interesting. Do you have a pcap you could share or any other way to reproduce?