SSH Keywords

ssh.proto

Matches the protocol version string present in the SSH protocol banner. This keyword is a sticky buffer.

The protocol version string is the protoversion field of the identification string defined in RFC 4253, section 4.2:

This identification string MUST be:
  SSH-protoversion-softwareversion SP comments CR LF

The ssh.proto buffer holds only that field (for example 2.0), not the leading "SSH-". Servers that also speak the legacy protocol 1 may announce "1.99" instead (RFC 4253, section 5.1), which a rule looking for "2.0" will not match.

Example:

alert ssh any any -> any any (classtype:misc-attack; \
msg:"content matching on SSH protocol version"; \
ssh.proto; content:"2.0"; sid:1; rev:1;)

cognitix Threat Defender also supports the deprecated ssh_proto keyword, but we do not recommend using it.

ssh.software

Matches the software version string present in the SSH protocol banner. This keyword is a sticky buffer.

The software version string is the softwareversion field of the identification string defined in RFC 4253, section 4.2:

This identification string MUST be:
  SSH-protoversion-softwareversion SP comments CR LF

The comments part, together with the SP before it, is optional. Under that grammar the softwareversion field ends at the SP, so it is this field, not the comments, that ssh.software matches against.

Example:

alert ssh any any -> any any (classtype:misc-attack; \
msg:"content matching on OpenSSH software string"; \
ssh.software; content:"OpenSSH"; sid:1; rev:1;)

cognitix Threat Defender also supports the deprecated ssh_software and ssh.softwareversion keywords, but we do not recommend using them.
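As an added example covering both the ssh.proto and ssh.software sections above (example code written for this page, not code from cognitix Threat Defender or Suricata), the Python below parses an SSH identification string following the RFC 4253 grammar, exposes the two fields the sticky buffers hold, and applies the two rules shown above as plain substring matches. It also handles the pre-banner lines RFC 4253 allows a server to send and a banner that has not yet been fully received. The banners are constructed samples, not captured traffic; parse_ssh_banner, rule_matches and evaluate are names chosen here.

```python
"""Added example: split an SSH identification string into the fields the
ssh.proto / ssh.software sticky buffers hold, then apply the two rules
from this page.  Not part of cognitix Threat Defender or Suricata."""
import re
from typing import Optional

# RFC 4253 section 4.2:  SSH-protoversion-softwareversion SP comments CR LF
# protoversion ends at the first "-", softwareversion at the first SP,
# and the SP + comments part is optional.  We tolerate a bare LF.
_BANNER = re.compile(
    rb"^SSH-(?P<proto>[^-\r\n]+)-(?P<software>[^ \r\n]*)"
    rb"(?: (?P<comments>[^\r\n]*))?\r?\n"
)


def parse_ssh_banner(stream: bytes) -> Optional[dict]:
    """Return proto / software / comments of the first "SSH-" line.

    RFC 4253 lets a server send other lines before the version string,
    none of which may begin with "SSH-", so those are skipped.  Returns
    None if no complete, well-formed identification string is present yet.
    """
    for line in stream.splitlines(keepends=True):
        if not line.startswith(b"SSH-"):
            continue                      # banner preamble, ignore
        m = _BANNER.match(line)
        if m is None:
            return None                   # malformed or still incomplete
        return {
            "proto": m.group("proto"),
            "software": m.group("software"),
            "comments": m.group("comments") or b"",
        }
    return None                           # banner not seen


def rule_matches(fields: dict, buffer: str, content: bytes) -> bool:
    """Emulate `ssh.proto; content:"..."` or `ssh.software; content:"..."`:
    a substring test against that one buffer only."""
    return content in fields[buffer]


def evaluate(stream: bytes) -> dict:
    """Apply the two rules from the page (sid 1 in each section)."""
    f = parse_ssh_banner(stream)
    if f is None:
        return {"parsed": False, "proto_2.0": False, "software_OpenSSH": False}
    return {
        "parsed": True,
        "proto_2.0": rule_matches(f, "proto", b"2.0"),
        "software_OpenSSH": rule_matches(f, "software", b"OpenSSH"),
    }


# Constructed sample banners (not captured traffic).
SAMPLES = {
    "openssh":  b"SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13\r\n",   # with comments
    "preamble": b"Welcome to example.org\r\nSSH-2.0-dropbear_2022.83\r\n",
    "legacy":   b"SSH-1.99-Cisco-1.25\r\n",                      # proto 1 + 2
    "partial":  b"SSH-2.0-OpenSSH_9.6",                          # no CR LF yet
    "junk":     b"HTTP/1.1 400 Bad Request\r\n",                 # not SSH
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name:9} fields={parse_ssh_banner(banner)} rules={evaluate(banner)}")
```

Two things the run makes visible: the "Ubuntu-3ubuntu13" comment is not in the software field, so a content match for it under ssh.software would miss, and a "1.99" banner parses fine but never satisfies content:"2.0". Because content is a substring test, compare the whole field (equality rather than `in`) if an exact version is what you mean.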