Hi all,
sorry if this is a stupid question but I have a simple pcap file recording a successful ssh connection from one ubuntu machine to another. I created a super simple rule as I am new to suricata rule writing.
The sid is from a commented-out rule in the ET Open rule set and is just for testing purposes. I am using Suricata as a component of Security Onion 2.3.160-20220829. (I can't get the version from the actual command "suricata -V" even when I am in the so-suricata docker container; just as a side note, if someone already has experience with that, I appreciate any help too.)
rule: alert tcp any any -> any any (msg:"testinger"; content:"SSH-2.0-"; nocase; sid:2018264;)
pcap: https://drive.google.com/file/d/1z_wsIgSGSwCUi22I2Ij3IGTIM3UHPJD0/view?usp=drive_link
The pcap is triggering one alert now (from server -> client) and I wanted to ask what I am doing wrong. In the following screenshot one can see that an SSH connection is established between the server and the client after the TCP 3-way handshake. In both messages (client -> server and server -> client) the content "SSH-2.0-" appears. So I would assume that two alerts are created.
The actual rules I started with were:
1st try: alert ssh any any -> any 22 (msg:"testinger"; content:"SSH-2.0-"; nocase; sid:2018264;)
2nd try: alert tcp any any -> any 22 (msg:"testinger"; content:"SSH-2.0-"; nocase; sid:2018264;)
Both of them do not trigger any alert at all.
I appreciate any help.
Thanks in advance.
Best regards
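As an added example (not from the original post, the Security Onion distribution or the Suricata project), the banner exchange described above can be split into one rule per direction with Suricata's flow keyword, so that each of the two "SSH-2.0-" banners gets its own alert and its own sid. The sids and msg strings below are assumed placeholders from the local (1000000+) range, not ET Open identifiers.

```suricata
# Added example, not the poster's rules. One rule per direction of the SSH
# version exchange; flow:to_server is the client -> server packet and
# flow:to_client the server -> client packet. sids are local placeholders.
alert tcp any any -> any any (msg:"SSH-2.0 banner from client"; flow:established,to_server; content:"SSH-2.0-"; nocase; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"SSH-2.0 banner from server"; flow:established,to_client; content:"SSH-2.0-"; nocase; sid:1000002; rev:1;)
```

To replay a capture against only this file, run `suricata -r capture.pcap -S local.rules -l /tmp/suricata-out` (with capture.pcap and local.rules standing in for your own paths) and read fast.log in the output directory; each direction should then appear under its own sid. Note that a header of `any any -> any 22` can only match the client's packet: the server's banner travels from port 22, so a rule that pins the destination port to 22 never sees it, whichever direction keyword is used.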