Can not get SSH alert

I have some problems with a rule. I use this rule as the only one in the rule set, but it doesn’t work. I can’t get any alert.

The rule is:
alert ssh any any -> any 22 (msg:"This is a test"; content:"|15 00 00 00 00 00 00 00 00 00 00|"; classtype:protocol-command-decode; sid:1300013; rev:1; metadata:created_at 2023_05_23, updated_at 2023_05_24;)

But I can get an alert using the following rule:
alert ssh any 22 -> any any (msg:"This is another test"; content:"|15 00 00 00 00 00 00 00 00 00 00|"; classtype:protocol-command-decode; sid:1300014; rev:1; metadata:created_at 2023_05_23, updated_at 2023_05_24;)

I use a pcap file to do this.

I guess: in the prefilter engine, the packets are detected as a stream. It will not be detected until the whole stream reaches stream.reassembly.toserver-chunk-size or stream.reassembly.toclient-chunk-size. But when it reaches one of these two limits, it might be a request or a response. In my case, it is a response, so the packet's dst port is not 22 but 60063 (the src port), so it fails in the DetectRunInspectRuleHeader function.

Am I right? Any solution?

Can you provide the pcap so we could check if the content would actually match?

So you’re matching on a single packet that is a response, that’s why your second rule works. Is there a reason why you don’t want the second rule to be used?

You could just remove the port, since ssh is already defined as app-layer, if you want a more generic signature.

Sorry, I made a mistake. It is packet 14, it is a request.
bf-ssh-60063.pcap (4.6 KB)

Now I see your point, so in theory you would expect both rules to trigger, the 2nd for packet 13 and the 1st for packet 14.
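To illustrate that expectation (packet 13 triggering sid 1300014 and packet 14 triggering sid 1300013), here is an added Python example that is not code from the thread or from Suricata: it builds SSH NewKeys binary packets, whose zero padding is exactly what the rules' content pattern matches, and checks the two rule headers' port constraints against constructed traffic (port numbers and packet numbers are taken from the thread; the rule evaluation is a deliberately simplified stand-in for Suricata's engine).

```python
import struct

# Constructed example, not from the forum thread or Suricata's own code.
SSH_MSG_NEWKEYS = 0x15  # Message Code 21 (RFC 4253)
SSH_PORT = 22
CLIENT_PORT = 60063  # client ephemeral port quoted in the thread

# The content both rules look for: the NewKeys code followed by ten zero bytes,
# i.e. a NewKeys binary packet whose random padding was filled with zeros.
NEWKEYS_CONTENT = bytes.fromhex("15 00 00 00 00 00 00 00 00 00 00")

def build_ssh_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Build an unencrypted SSH binary packet (RFC 4253 section 6) with zero padding."""
    padding_len = block_size - (4 + 1 + len(payload)) % block_size
    if padding_len < 4:  # RFC 4253 requires at least four padding bytes
        padding_len += block_size
    packet_len = 1 + len(payload) + padding_len
    return struct.pack(">IB", packet_len, padding_len) + payload + b"\x00" * padding_len

def ssh_message_code(packet: bytes) -> int:
    """Return the message code (first payload byte) of an SSH binary packet."""
    packet_len, padding_len = struct.unpack_from(">IB", packet)
    if packet_len < 1 + padding_len or len(packet) < 4 + packet_len:
        raise ValueError("truncated or malformed SSH binary packet")
    return packet[5]

# The two rule headers reduced to what matters here: port direction and content.
RULES = {
    1300013: {"src_port": None, "dst_port": SSH_PORT, "content": NEWKEYS_CONTENT},
    1300014: {"src_port": SSH_PORT, "dst_port": None, "content": NEWKEYS_CONTENT},
}

def matching_sids(packets, rules=RULES):
    """Return {packet_number: [sid, ...]} for rules whose ports and content match."""
    hits = {}
    for number, src_port, dst_port, data in packets:
        for sid, rule in rules.items():
            if rule["src_port"] not in (None, src_port):
                continue
            if rule["dst_port"] not in (None, dst_port):
                continue
            if rule["content"] in data:
                hits.setdefault(number, []).append(sid)
    return hits

# Constructed traffic mirroring the thread: packet 13 is the server's NewKeys
# (response), packet 14 the client's NewKeys (request).
NEWKEYS_PACKET = build_ssh_packet(bytes([SSH_MSG_NEWKEYS]))
PACKETS = [(13, SSH_PORT, CLIENT_PORT, NEWKEYS_PACKET),
           (14, CLIENT_PORT, SSH_PORT, NEWKEYS_PACKET)]

if __name__ == "__main__":
    print(matching_sids(PACKETS))  # {13: [1300014], 14: [1300013]}
```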

I just want to know why the 1st rule can’t work.

Interesting, this looks like a bug: setting APP_LAYER_PARSER_NO_INSPECTION on MessageCode::NewKeys should not prevent detection on this packet, only on the ones after it.

See Bug #6578: ssh: no alert on packet with Message Code: New Keys (21) - Suricata - Open Information Security Foundation