SSH Keywords
ssh.software
Matches the software version string present in the SSH protocol banner. This keyword is a sticky buffer.
The software version string is defined in RFC 4253:
This identification string MUST be:
SSH-protoversion-softwareversion SP comments CR LF
Example:
alert ssh any any -> any any (classtype:misc-attack; \
    msg:"content matching on OpenSSH software string"; \
    ssh.software; content:"OpenSSH"; sid:1; rev:1;)
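The following added example (not part of the original documentation and not the engine's own parser) splits an identification string into the RFC 4253 fields, to show which part of the banner a content match on ssh.software would see. It assumes the buffer holds only the softwareversion field, without the comments; the names parse_ident, software_contains and SAMPLES are hypothetical, and the banners are constructed.

```python
import re
from typing import NamedTuple, Optional

MAX_ID_LEN = 255  # RFC 4253: maximum length of the string, including CR LF

# SSH-protoversion-softwareversion SP comments
# protoversion: printable US-ASCII without whitespace or '-'.
# softwareversion: the RFC also excludes '-', but banners such as
# "libssh-0.6.3" contain one, so this sketch only excludes whitespace.
_IDENT = re.compile(rb"SSH-([\x21-\x2c\x2e-\x7e]+)-([\x21-\x7e]+)(?: (.*))?")


class SshIdent(NamedTuple):
    proto: str
    software: str
    comments: Optional[str]


def parse_ident(stream: bytes) -> Optional[SshIdent]:
    """Return the fields of the first identification line, or None."""
    for raw in stream.split(b"\n"):
        line = raw.rstrip(b"\r")  # tolerate peers that send LF without CR
        if not line.startswith(b"SSH-"):
            continue  # a server may send other lines before the version string
        if len(line) + 2 > MAX_ID_LEN:
            return None
        m = _IDENT.fullmatch(line)
        if m is None:
            return None
        proto, software, comments = m.groups()
        return SshIdent(
            proto.decode("ascii"),
            software.decode("ascii"),
            None if comments is None else comments.decode("ascii", "replace"),
        )
    return None


def software_contains(stream: bytes, needle: str) -> bool:
    """Substring test on softwareversion only (assumed ssh.software scope)."""
    ident = parse_ident(stream)
    return ident is not None and needle in ident.software


# Constructed sample banners (not captured traffic).
SAMPLES = [
    b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n",
    b"Welcome to example host\r\nSSH-2.0-dropbear_2019.78\r\n",
    b"SSH-2.0-ExampleServer OpenSSH_compatible\r\n",
]
```

The third sample carries "OpenSSH" only in the comments field, so under the stated assumption a match on the software version alone does not fire for it.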