I have some problems with a rule. I use this rule as the only one in the rule set, but it doesn’t work. I can’t get any alert.
The rule is:
alert ssh any any -> any 22 (msg:"This is a test"; content:"|15 00 00 00 00 00 00 00 00 00 00|"; classtype:protocol-command-decode; sid:1300013; rev:1; metadata:created_at 2023_05_23, updated_at 2023_05_24;)
But I can get an alert using the following rule:
alert ssh any 22 -> any any (msg:"This is another test"; content:"|15 00 00 00 00 00 00 00 00 00 00|"; classtype:protocol-command-decode; sid:1300014; rev:1; metadata:created_at 2023_05_23, updated_at 2023_05_24;)
I use a pcap file to do this.
I guess: in the prefilter engine, the packets are detected as a stream. It will not be detected until the whole stream reaches stream.reassembly.toserver-chunk-size or stream.reassembly.toclient-chunk-size. But when it reaches one of these two limits, it might be a request or a response. In my case, it is a response, so the packet's dst port is not 22, but 60063 (the src port), so it fails in the DetectRunInspectRuleHeader function.
Am I right? Any solution?
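The following is an added illustration of the port-direction mismatch the post describes; it is not code from the original post and not Suricata's own DetectRunInspectRuleHeader implementation. It parses the header of the two rules above and applies only the port part of the header check to a reassembled chunk, modelling the chunk as carrying the ports of the direction in which it was reassembled (toserver: 60063 -> 22, toclient: 22 -> 60063). The flow ports are constructed from the post; address specs, port lists and negation are deliberately left out of the toy parser (an assumption, noted in the comments). It also evaluates a bidirectional `<>` header, which Suricata supports, to show how such a header passes the port check in both directions.

```python
import re
from dataclasses import dataclass

# Constructed rules: the two headers from the post with the options shortened.
RULE_TOSERVER = 'alert ssh any any -> any 22 (msg:"This is a test"; sid:1300013;)'
RULE_TOCLIENT = 'alert ssh any 22 -> any any (msg:"This is another test"; sid:1300014;)'
RULE_BIDIR = 'alert ssh any any <> any 22 (msg:"bidirectional header"; sid:1300015;)'

# Constructed flow from the post: client ephemeral port 60063 talking to server port 22.
# A reassembled chunk carries the ports of the direction in which it was reassembled.
CLIENT_REQUEST_CHUNK = {"sport": 60063, "dport": 22, "direction": "toserver"}
SERVER_RESPONSE_CHUNK = {"sport": 22, "dport": 60063, "direction": "toclient"}


@dataclass(frozen=True)
class RuleHeader:
    action: str
    proto: str
    src: str
    sport: str
    direction: str  # "->" or "<>"
    dst: str
    dport: str


# Header grammar: action proto src sport dir dst dport (options...)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)


def parse_header(rule: str) -> RuleHeader:
    """Split a Suricata rule into its header fields; options are ignored here."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Suricata rule header: " + rule[:40])
    return RuleHeader(m["action"], m["proto"], m["src"], m["sport"],
                      m["dir"], m["dst"], m["dport"])


def port_matches(spec: str, port: int) -> bool:
    """Toy port spec: 'any', a single port, or 'lo:hi'. Lists/negation omitted (assumption)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def header_matches(h: RuleHeader, sport: int, dport: int) -> bool:
    """Port part of the header check against one packet/chunk (addresses assumed 'any')."""
    forward = port_matches(h.sport, sport) and port_matches(h.dport, dport)
    if h.direction == "<>":
        reverse = port_matches(h.sport, dport) and port_matches(h.dport, sport)
        return forward or reverse
    return forward


def evaluate(rule: str, chunk: dict) -> bool:
    """True if the rule's header lets this chunk reach content inspection."""
    return header_matches(parse_header(rule), chunk["sport"], chunk["dport"])


if __name__ == "__main__":
    for name, rule in (("sid:1300013 any->22", RULE_TOSERVER),
                       ("sid:1300014 22->any", RULE_TOCLIENT),
                       ("sid:1300015 any<>22", RULE_BIDIR)):
        for chunk in (CLIENT_REQUEST_CHUNK, SERVER_RESPONSE_CHUNK):
            print(f"{name:22} vs {chunk['direction']:9} chunk "
                  f"{chunk['sport']}->{chunk['dport']}: {evaluate(rule, chunk)}")
```

Running it shows that a chunk delivered in the toclient direction (22 -> 60063) never passes the header of sid:1300013, which requires destination port 22, while it passes sid:1300014; the content match is never reached for the first rule on that chunk. The bidirectional header passes both chunks, which is the behaviour to expect when the pattern can appear in either direction of the session.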