sorry if this is a stupid question but I have a simple pcap file recording a successful ssh connection from one ubuntu machine to another. I created a super simple rule as I am new to suricata rule writing.
The sid is from a out-commented rule in the ET-open rule set and just for testing purpose. I am using suricata as a component of security onion 2.3.160-20220829. (I can’t get the version from the actual command “suricata -V” even when i am in the so-suricata docker container, just as a side note if some one had allready experience with that, I appreciate any help too)
The pcap is triggering one alert now (from server → client) and I wanted to ask what I am doing wrong. In the following screenshot one can see that there is SSH connection established between the server and the client after the TCP 3-way handshake. In both messages (client → server and server → client) the content “SSH-2.0-” appears. So I would assume, that two alerts are created.
The actual rules I started with were:
1st try: "alert ssh any any → any 22 (msg: “testinger”; content:“SSH-2.0-”; nocase; sid:2018264;)
2nd try "alert tcp any any → any 22 (msg: “testinger”; content:“SSH-2.0-”; nocase; sid:2018264;)
It’s difficult to check w/o knowing the version of Suricata. When you build your Docker image, did you specify something there?
Also, would like to know if there are errors or helpful output?
sorry for the delay. So, the used suricata version is 6.0.0 RELEASE. The thing is that I did a seperate installation of suricata with the most recent version (7.0.1 RELEASE) and I still have the same behaviour that I just get an alert from the server IP (src) to the client IP (dst). I already played around with the “flow” keyword and set it to “from client” but no resulting alert. Any suggestions?
we just found that if we use the hex code for “SSH” we get two alerts from the pcap file as initially assumed. If you specify port 22 as the destination port then you only get one alert if ssh client connects to the server. But this makes me even more wondering why the content “SSH-2.0-” is only creating the alert from the server side as the hex code and the converted string in the pcap for both direction is the same. Any Ideas?
Hi @bsnus!
hex code is generally the preferred way when dealing with content as it makes the content much clearer than to let the parser determine what might be an invalid character, etc in a string.
Are you able to see any parsing errors in the log that might explain the issue?
First simplify the rule by alerting only once traffic hit port 22 the second part can be
→ $HOME_NET 22
Also check suricata rules with ssh and try to figure out how they work