detect/ssh: remove deprecated keywords

Ticket: 2377
OISF · Jul 16, 2024 · bce8f4b · bce8f4b
1 parent 0a1062f
commit bce8f4b
Show file tree

Hide file tree

Showing 7 changed files with 20 additions and 1,125 deletions.
diff --git a/doc/userguide/rules/ssh-keywords.rst b/doc/userguide/rules/ssh-keywords.rst
@@ -31,10 +31,6 @@ ssh.software
 Match on the software string from the SSH banner. ``ssh.software`` is a sticky
 buffer, and can be used as fast pattern.
 
-``ssh.software`` replaces the previous keyword names: ``ssh_software`` &
-``ssh.softwareversion``. You may continue to use the previous name, but it's
-recommended that rules be converted to use the new name.
-
 Format::
 
   ssh.software;
@@ -49,46 +45,6 @@ The example above matches on SSH connections where the software string contains
 "openssh".
 
 
-ssh.protoversion
-----------------
-Matches on the version of the SSH protocol used. A value of ``2_compat``
-includes SSH version 1.99.
-
-Format::
-
-  ssh.protoversion:[0-9](\.[0-9])?|2_compat;
-
-Example:
-
-.. container:: example-rule
-
-  alert ssh any any -> any any (msg:"SSH v2 compatible"; :example-rule-emphasis:`ssh.protoversion:2_compat;` sid:1;)
-
-The example above matches on SSH connections with SSH version 2 or 1.99.
-
-.. container:: example-rule
-
-  alert ssh any any -> any any (msg:"SSH v1.10"; :example-rule-emphasis:`ssh.protoversion:1.10;` sid:1;)
-
-The example above matches on SSH connections with SSH version 1.10 only.
-
-
-ssh.softwareversion
--------------------
-This keyword has been deprecated. Please use ``ssh.software`` instead. Matches
-on the software string from the SSH banner.
-
-Example:
-
-.. container:: example-rule
-
-  alert ssh any any -> any any (msg:"match SSH software string"; :example-rule-emphasis:`ssh.softwareversion:"OpenSSH";` sid:10000040;)
-
-
-Suricata comes with a Hassh integration (https://github.com/salesforce/hassh). Hassh is used to fingerprint ssh clients and servers.
-
-Hassh must be enabled in the Suricata config file (set 'app-layer.protocols.ssh.hassh' to 'yes').
-
 ssh.hassh
 ---------
 

diff --git a/doc/userguide/rules/xbits.rst b/doc/userguide/rules/xbits.rst
@@ -95,10 +95,10 @@ They drop the traffic and create an 'xbit' 'badssh' for the source ip.
 It expires in an hour::
 
     drop ssh any any -> $MYSERVER 22 (msg:"DROP libssh incoming";   \
-      flow:to_server,established; ssh.softwareversion:"libssh";     \
+      flow:to_server,established; ssh.software; content:"libssh";     \
       xbits:set, badssh, track ip_src, expire 3600; sid:4000000005;)
     drop ssh any any -> $MYSERVER 22 (msg:"DROP PUTTY incoming";    \
-      flow:to_server,established; ssh.softwareversion:"PUTTY";      \
+      flow:to_server,established; ssh.software; content:"PUTTY";      \
       xbits:set, badssh, track ip_src, expire 3600; sid:4000000007;)
 
 Then the following rule simply drops any incoming traffic to that server

diff --git a/doc/userguide/upgrade.rst b/doc/userguide/upgrade.rst
@@ -71,6 +71,10 @@ Major changes
 - PF_RING support has been moved to a plugin. See :doc:`PF_RING plugin
   <upgrade/8.0-pfring-plugin>`.
 
+Removals
+~~~~~~~~
+- The ssh keywords ``ssh.protoversion`` and ``ssh.softwareversion`` have been removed.
+
 Upgrading 6.0 to 7.0
 --------------------