SSH alert direction

bsnus · September 12, 2023, 10:38am

Hi all,

sorry if this is a stupid question but I have a simple pcap file recording a successful ssh connection from one ubuntu machine to another. I created a super simple rule as I am new to suricata rule writing.
The sid is from a out-commented rule in the ET-open rule set and just for testing purpose. I am using suricata as a component of security onion 2.3.160-20220829. (I can’t get the version from the actual command “suricata -V” even when i am in the so-suricata docker container, just as a side note if some one had allready experience with that, I appreciate any help too)

rule: "alert tcp any any → any any (msg:“testinger”; content:“SSH-2.0-”; nocase, sid:2018264;)
pcap: “https://drive.google.com/file/d/1z_wsIgSGSwCUi22I2Ij3IGTIM3UHPJD0/view?usp=drive_link”

The pcap is triggering one alert now (from server → client) and I wanted to ask what I am doing wrong. In the following screenshot one can see that there is SSH connection established between the server and the client after the TCP 3-way handshake. In both messages (client → server and server → client) the content “SSH-2.0-” appears. So I would assume, that two alerts are created.

The actual rules I started with were:
1st try: "alert ssh any any → any 22 (msg: “testinger”; content:“SSH-2.0-”; nocase; sid:2018264;)
2nd try "alert tcp any any → any 22 (msg: “testinger”; content:“SSH-2.0-”; nocase; sid:2018264;)

Both of them do not trigger any alert at all.

I appreciate every help.

Thanks in advance.

Best regards

sbhardwaj · September 13, 2023, 3:04am

Hi @bsnus !

It’s difficult to check w/o knowing the version of Suricata. When you build your Docker image, did you specify something there?
Also, would like to know if there are errors or helpful output?

bsnus · September 18, 2023, 5:38am

Hi,

sorry for the delay. So, the used suricata version is 6.0.0 RELEASE. The thing is that I did a seperate installation of suricata with the most recent version (7.0.1 RELEASE) and I still have the same behaviour that I just get an alert from the server IP (src) to the client IP (dst). I already played around with the “flow” keyword and set it to “from client” but no resulting alert. Any suggestions?

Thanks in advance.

Best regards

Andreas_Herz · September 19, 2023, 8:33am

FYI: I did request access to the PCAP so we can test it with a local Suricata.

bsnus · September 20, 2023, 3:23am

Thanks a lot. I gave you access to the pcap.

Best regards.

bsnus · September 21, 2023, 3:20am

Hi all,

we just found that if we use the hex code for “SSH” we get two alerts from the pcap file as initially assumed. If you specify port 22 as the destination port then you only get one alert if ssh client connects to the server. But this makes me even more wondering why the content “SSH-2.0-” is only creating the alert from the server side as the hex code and the converted string in the pcap for both direction is the same. Any Ideas?

Thanks in advance.

Best regards