Unable to find list of taggable events

Looking for some info which I cannot seem to find. Any pointers to where I can find it would be quite helpful.

I see the following rules in ssh-events.rules:

alert ssh any any -> any any (msg:"SURICATA SSH invalid banner"; flow:established; app-layer-event:ssh.invalid_banner; classtype:protocol-command-decode; sid:2228000; rev:1;)
alert ssh any any -> any any (msg:"SURICATA SSH too long banner"; flow:established; app-layer-event:ssh.long_banner; classtype:protocol-command-decode; sid:2228001; rev:1;)
alert ssh any any -> any any (msg:"SURICATA SSH invalid record"; flow:established; app-layer-event:ssh.invalid_record; classtype:protocol-command-decode; sid:2228002; rev:1;)

I’ve searched the documentation and cannot find what options are available for protocols, or for the SSH protocol, anywhere. I’ve searched the source on GitHub for invalid_banner, searched Google, and using ‘strings’ on the binary does provide a hit:

# strings /usr/bin/suricata | grep invalid_banner
incomplete_datainvalid_datainvalid_banner
invalid_bannerlong_bannerinvalid_recordlong_kex_recordsrc/quic/frames.rs

I am unsure why searching on github produces zero results.

However, all I want is a list of every single possible match I can use. I see long_banner, invalid_record, invalid_banner, what other matches may I use? It’s unclear to me if the above three examples are all the possibilities.

Thanks

The various *-events.rules are intended to give a complete set of rules for all available events.

The internal representation can have a slightly different notation:

git grep -i -E "invalid_*banner"
rules/ssh-events.rules:alert ssh any any -> any any (msg:"SURICATA SSH invalid banner"; flow:established; app-layer-event:ssh.invalid_banner; classtype:protocol-command-decode; sid:2228000; rev:1;)
rust/src/ssh/ssh.rs:    InvalidBanner,
rust/src/ssh/ssh.rs:                    self.set_event(SSHEvent::InvalidBanner);
rust/src/ssh/ssh.rs:                    self.set_event(SSHEvent::InvalidBanner);
rust/src/ssh/ssh.rs:                        self.set_event(SSHEvent::InvalidBanner);
rust/src/ssh/ssh.rs:                self.set_event(SSHEvent::InvalidBanner);

Then grepping for SSHEvent is easy:

git grep SSHEvent
rust/src/ssh/ssh.rs:pub enum SSHEvent {
rust/src/ssh/ssh.rs:    fn set_event(&mut self, event: SSHEvent) {
rust/src/ssh/ssh.rs:                                        self.set_event(SSHEvent::LongKexRecord);
rust/src/ssh/ssh.rs:                            self.set_event(SSHEvent::InvalidRecord);
rust/src/ssh/ssh.rs:                    self.set_event(SSHEvent::InvalidRecord);
rust/src/ssh/ssh.rs:                    self.set_event(SSHEvent::InvalidBanner);
rust/src/ssh/ssh.rs:                    self.set_event(SSHEvent::InvalidBanner);
rust/src/ssh/ssh.rs:                    self.set_event(SSHEvent::LongBanner);
rust/src/ssh/ssh.rs:                        self.set_event(SSHEvent::LongBanner);
rust/src/ssh/ssh.rs:                        self.set_event(SSHEvent::InvalidBanner);
rust/src/ssh/ssh.rs:                self.set_event(SSHEvent::InvalidBanner);
rust/src/ssh/ssh.rs:        get_eventinfo: Some(SSHEvent::get_event_info),
rust/src/ssh/ssh.rs:        get_eventinfo_byid: Some(SSHEvent::get_event_info_by_id),

Or check ssh.rs:

#[derive(AppLayerEvent)]
pub enum SSHEvent {
    InvalidBanner,
    LongBanner,
    InvalidRecord,
    LongKexRecord,
}
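The reply above points at the enum as the authoritative list and notes that the rules file is meant to cover every variant. As an added example (not from the thread or the Suricata project), the script below automates that check: it pulls the variant names out of a Rust enum, maps them to the snake_case form used after `app-layer-event:<proto>.`, and reports any variant that has no rule in the corresponding *-events.rules. The CamelCase-to-snake_case mapping is an assumption drawn from the thread's own pairs (InvalidBanner ↔ invalid_banner); the sample enum and rule lines embedded here are constructed from the snippets quoted in the thread, and the function names are mine.

```shell
#!/bin/sh
# Added example: cross-check an AppLayerEvent enum against its *-events.rules.
# Sample inputs below are constructed from the snippets quoted in this thread.

SAMPLE_ENUM='#[derive(AppLayerEvent)]
pub enum SSHEvent {
    InvalidBanner,
    LongBanner,
    InvalidRecord,
    LongKexRecord,
}'

SAMPLE_RULES='alert ssh any any -> any any (msg:"SURICATA SSH invalid banner"; flow:established; app-layer-event:ssh.invalid_banner; classtype:protocol-command-decode; sid:2228000; rev:1;)
alert ssh any any -> any any (msg:"SURICATA SSH too long banner"; flow:established; app-layer-event:ssh.long_banner; classtype:protocol-command-decode; sid:2228001; rev:1;)
alert ssh any any -> any any (msg:"SURICATA SSH invalid record"; flow:established; app-layer-event:ssh.invalid_record; classtype:protocol-command-decode; sid:2228002; rev:1;)'

# camel_to_snake: InvalidBanner -> invalid_banner (stdin -> stdout).
# Assumed mapping, matching the InvalidBanner/invalid_banner pair in the thread.
camel_to_snake() {
    sed -E 's/([a-z0-9])([A-Z])/\1_\2/g' | tr 'A-Z' 'a-z'
}

# enum_events ENUM_NAME: read Rust source on stdin, print the variants of
# "pub enum ENUM_NAME { ... }" in snake_case, one per line.
# Assumes plain "Variant," lines with no attributes or comments on them.
enum_events() {
    sed -n "/^pub enum $1 {/,/^}/p" \
        | sed -n -E 's/^[[:space:]]*([A-Za-z0-9]+),?[[:space:]]*$/\1/p' \
        | camel_to_snake
}

# rule_events PROTO: read rules on stdin, print the distinct event names
# referenced as app-layer-event:PROTO.<name>.
rule_events() {
    grep -o "app-layer-event:$1\.[a-z0-9_]*" \
        | sed "s/^app-layer-event:$1\.//" \
        | sort -u
}

# missing_rules ENUM_NAME PROTO RUST_SOURCE RULES_TEXT: print every enum
# variant that no rule in RULES_TEXT refers to (empty output = full coverage).
missing_rules() {
    rule_list=$(printf '%s\n' "$4" | rule_events "$2")
    printf '%s\n' "$3" | enum_events "$1" | while read -r ev; do
        if ! printf '%s\n' "$rule_list" | grep -qx "$ev"; then
            printf '%s\n' "$ev"
        fi
    done
}

# Against a real checkout you would pass the files instead of the samples:
#   missing_rules SSHEvent ssh "$(cat rust/src/ssh/ssh.rs)" "$(cat rules/ssh-events.rules)"
# With the constructed samples the only uncovered variant is long_kex_record.
missing_rules SSHEvent ssh "$SAMPLE_ENUM" "$SAMPLE_RULES"
```

Run it from the top of a Suricata checkout, swapping in the enum name and protocol prefix for whichever parser you are auditing; any name it prints is an event the engine can raise but the shipped rules will never alert on, which is exactly the gap the question was trying to rule out.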

OK. Thanks, appreciate the FYI