Rules for SSH under root

Hi all, don't judge me harshly, I'm new to Suricata and rule creation and I'm having problems with SSH login detection.

I want to detect every login attempt as root on my test server, which is deployed in VMware. I have tried specifying the ssh protocol explicitly, but I don't understand which keyword to use to check for logins.

Here is my rule with the protocol specified explicitly:
alert ssh any any <> $HOME_NET 22 (msg:"SSH root login attempt detected"; ssh.hassh.string; content:"root,root@192.168.59.132,none"; classtype:unsuccessful-user; sid:1000012; rev:1;)

I did not find a lot of information, but still, Suricata is not able to inspect encrypted SSH traffic.

I also tried it with the tcp protocol explicitly, after reading that Suricata can't handle encrypted traffic. Here is the rule based on the tcp protocol:
alert tcp any any <> $HOME_NET 22 (msg:"SSH root login attempt detected"; flow:to_server; content:"SSH-"; offset:0; depth:4; content:"root"; within:10; fast_pattern; classtype:unsuccessful-user; sid:1000012; rev:1;)

But when I try to SSH in, Suricata does not detect this action. Can you please tell me what my problem is and what is required for such a rule?

What version are you using?

Post the suricata.yaml, stats.log, suricata.log and the actual run command of Suricata.

I would start with a basic test first, so a signature that matches on SSH in general.

And yes, the encrypted part cannot be seen and thus cannot be detected.

Greetings, I apologize for the long reply, but after a while I found a solution to my problem in this rule format:
alert tcp any any -> any 22 (msg:"Potential SSH Brute"; classtype:attempted-recon; flow:to_server; flags:S,12; threshold:type both, track by_src, count 3, seconds 50; sid:1000009; rev:1;)

Yes, it is impossible to get at the encrypted traffic, but I was able to catch connection attempts thanks to this rule.
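The rules below are an added illustration of the two points made in the thread (the "basic test that matches on SSH in general" suggested in the reply, and counting connection attempts per source as in the final post); they are not from the original posts or from the Suricata project. What Suricata can inspect in an SSH session is only the plaintext part: the two version banners (for example SSH-2.0-OpenSSH_9.3) and the KEXINIT algorithm lists, which is what the ssh.proto, ssh.software and ssh.hassh* buffers expose. The username is carried in the SSH_MSG_USERAUTH_REQUEST, which is sent after the key exchange and is therefore encrypted, so no content match on "root" can ever fire on the wire; detecting root logins has to come from the host side (the sshd authentication log). The rules assume Suricata 5.0 or later, $HOME_NET defined in suricata.yaml, hassh enabled there (app-layer.protocols.ssh.hassh: yes) for the fingerprint rule, and the sids 1900001 to 1900005 are arbitrary placeholders.

```suricata
# Added example rules, not part of the original thread. sids are placeholders.

# Step 1: confirm Suricata identifies SSH at all on the server-bound side.
# Rate-limited so a chatty session does not alert on every packet.
alert tcp any any -> $HOME_NET 22 (msg:"TEST SSH identified to server"; flow:to_server,established; app-layer-protocol:ssh; threshold:type limit, track by_src, count 1, seconds 60; sid:1900001; rev:1;)

# Step 2: match on the plaintext client banner. ssh.proto holds the protocol
# version string ("2.0"); this is the last thing visible before encryption.
alert ssh any any -> $HOME_NET 22 (msg:"TEST SSH-2.0 client banner seen"; flow:to_server; ssh.proto; content:"2.0"; sid:1900002; rev:1;)

# Step 3: match on the server software string from its banner (to_client direction).
alert ssh $HOME_NET 22 -> any any (msg:"TEST OpenSSH server banner seen"; flow:to_client; ssh.software; content:"OpenSSH"; startswith; sid:1900003; rev:1;)

# Step 4: the client KEXINIT algorithm list (what the original ssh.hassh.string
# rule actually inspects). It contains algorithm names, never a username, so a
# realistic match is an algorithm identifier such as curve25519-sha256.
alert ssh any any -> $HOME_NET 22 (msg:"TEST client offers curve25519-sha256 kex"; flow:to_server; ssh.hassh.string; content:"curve25519-sha256"; sid:1900004; rev:1;)

# Step 5: count attempts per source, like the SYN-based rule in the thread, but on
# completed client banners so that half-open scans do not inflate the count.
# threshold type both: alert once the source reaches 3 banners within 50 s, then
# at most once more per 50 s window while it continues.
alert ssh any any -> $HOME_NET 22 (msg:"TEST repeated SSH sessions from one source"; flow:to_server; ssh.proto; content:"2.0"; threshold:type both, track by_src, count 3, seconds 50; classtype:attempted-recon; sid:1900005; rev:1;)
```

Load the file with -S to test it in isolation (suricata -S test.rules -r capture.pcap), and check eve.json for the ssh event type first: if Suricata logs ssh events with client and server banners, the parser sees the session and rules 1900002 to 1900005 are expected to fire; if it does not, the problem is capture or configuration, not the signature.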