Rules based on SSH banner-related keywords only match on acked data
Needs backport, Needs backport to 5.0
I noticed that rules based on SSH banner-related keywords only match if the data is acknowledged by both client and server.
The SSH fields used in the rule are, however, always present in the eve.json files.
- some pcaps with minimal examples with a TCP three-way handshake, incomplete or complete SSH banner exchange and a final RST from the client.
- a file with some rules.
- Case 1 - SB: only the server sends its banner. Expected: rules match. Observed: rules do not match.
- Case 2 - SBCA: the server sends its banner and the client acks it. Expected: rules match. Observed: rules do not match.
- Case 3 - SBCB: the server sends its banner and the client sends its banner. Expected: rules match. Observed: rules do not match.
- Case 4 - SBCBSA: the server sends its banner, the client sends its banner, and the server acks the client's banner. Expected: rules match. Observed: rules match.
Updated by Philippe Antoine about 2 years ago
- Status changed from Assigned to In Review
- Assignee changed from Philippe Antoine to Shivani Bhardwaj
Need to update S-V test as
diff --git a/tests/ssh-banner-only/test.yaml b/tests/ssh-banner-only/test.yaml index 5c4b908..c138be0 100644 --- a/tests/ssh-banner-only/test.yaml +++ b/tests/ssh-banner-only/test.yaml @@ -20,4 +20,4 @@ checks: count: 1 match: event_type: alert - alert.signature_id: 1 + alert.signature_id: 2
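Review bot: the change of the expected `alert.signature_id` from 1 to 2 is not explained anywhere in the hunk or the comment above it; the commit message (or a comment in test.yaml) should state which rule in the test now fires earlier and why sid 1 is no longer the expected alert. Since the check only filters on `alert.signature_id: 2` with `count: 1`, it says nothing about whether sid 1 still alerts; consider adding a second check with `alert.signature_id: 1` and `count: 0` so the test pins the new behaviour in both directions.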