--- /dev/null
+%YAML 1.1
+---
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: yes
+ - files
+ - http
+ - flow
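Review bot: Nothing in this suricata.yaml records why `action-order` puts pass first, and the three sibling suricata.yaml hunks in this series differ from it only in whether `drop` or `pass` leads the list, so the intent of each variant can only be recovered by reading the counts in the matching test.yaml. A one-line comment above `action-order:` would make each fixture self-describing, for the two pass-first files something like `# pass-first: a pass rule carrying the 'alert' keyword must win over the catch-all drop rule and still log an alert`, and for the two drop-first files `# drop-first: the drop rule wins, but the pass rule's 'alert' must still produce an alert event`. The `drop` output with `flows: all` appears to be what makes the per-packet drop counts in the checks meaningful rather than one event per flow, which is worth a word in the same place.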
--- /dev/null
+pass tcp any any -> any 22 (alert; sid:2; gid:10000003; msg:"PASS SSH";)
+drop tcp any any -> any any (noalert; sid:1; rev:1; msg:"DROP all TCP";)
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ alert.signature: "PASS SSH"
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+ - filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
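Review bot: The `min-version: 7` on the last filter is redundant with the test-level `requires: min-version: 8`, since the whole test is already skipped on anything older than 8; the third test.yaml in this series has the same pair, the second omits the filter-level version entirely, and the fourth requires 7 at both levels. Either drop the filter-level `min-version: 7` here and in the third test.yaml, or, if it is meant to record the version in which `flow.action` became available, say so: `# flow.action only exists from 7 on; kept in case 'requires' is lowered`. This file also has no `pcap:` line, so the test presumably runs against a capture in its own directory; the third test points at `../issue-5466-alert-then-pass-01/icmp_and_ssh.pcap`, which suggests this is that directory, and a comment naming the two flows in it (one ICMP, one SSH, if the file name is accurate) would explain why `event_type: flow` is expected twice and why the tcp-only drop rule never fires on the non-TCP flow.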
--- /dev/null
+%YAML 1.1
+---
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: yes
+ - files
+ - http
+ - flow
--- /dev/null
+pass ssh any any -> any any (msg:"pass rule with alert"; ssh.proto; content:"2"; alert; flow:established, to_server; sid:10201;)
+pass tcp any any -> any any (msg:"allow session establishment"; alert; flow:not_established; sid:10202;)
+drop ip any any -> any any (msg:"drop all packets"; sid:10211;)
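Review bot: The catch-all drop rule on the last line lacks the `noalert` keyword that the equivalent drop rules in the other three rule files carry, and none of the three rules here has a `rev:`. The `count: 0` check on sid 10211 alerts in the accompanying test.yaml then appears to hold only because pass-first `action-order` suppresses the drop rule's alert along with its action once a pass rule has matched the flow; whether `noalert` was left out deliberately to prove exactly that, or by oversight, is not recorded. A comment would settle it, e.g. `# no noalert on purpose: with pass first this rule must never become the winning action, so it must not alert either`, and adding `rev:1;` to each rule would match the sibling files.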
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 10211
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 10202
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10201
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
--- /dev/null
+%YAML 1.1
+---
+
+action-order:
+ - drop
+ - reject
+ - alert
+ - pass
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: yes
+ - files
+ - http
+ - flow
--- /dev/null
+pass tcp any any -> any 22 (alert; sid:2; gid:10000003; msg:"PASS SSH";)
+drop tcp any any -> any any (noalert; sid:1; rev:1; msg:"DROP all TCP";)
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - --simulate-ips
+ - -k none
+
+pcap: ../issue-5466-alert-then-pass-01/icmp_and_ssh.pcap
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ alert.signature: "PASS SSH"
+ - filter:
+ count: 322
+ match:
+ event_type: drop
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+ - filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
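Review bot: The `pcap:` path reaches into the sibling test directory `../issue-5466-alert-then-pass-01/`, so this test depends on that directory keeping its name and its capture, and the expected drop count `322` and flow count `2` are fixed by that capture rather than by anything in this directory. A comment next to `pcap:` stating the dependency is cheap insurance, e.g. `# shares the capture with -01; only action-order differs (drop first), so the SSH flow is dropped packet by packet`. The sid 2 check verifies that the pass rule still alerts when drop wins, but does not pin what that alert reports about itself; if `alert.action` is meant to be stable in this configuration, asserting it alongside `alert.signature` would catch regressions in how an alert from an overridden pass rule is logged.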
--- /dev/null
+%YAML 1.1
+---
+
+action-order:
+ - drop
+ - reject
+ - alert
+ - pass
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: yes
+ - files
+ - http
+ - flow
--- /dev/null
+alert tcp any any -> any 22 (sid:2; gid:10000003;)
+drop tcp any any -> any any (noalert; sid:1; rev:1; msg:"DROP all TCP";)
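Review bot: The alert rule on the first line has no `msg:` (and no `rev:`), unlike every other rule in this series, so its alert events carry no usable signature text and the accompanying test.yaml can only identify them by `alert.signature_id`, whereas the first and third tests also pin `alert.signature`. Adding `msg:"ALERT SSH";` here and a matching `alert.signature: "ALERT SSH"` line to the sid 2 check in test.yaml would make the four tests read the same way and make the alert recognisable in eve output without cross-referencing the rule file. If the missing `msg` is intentional, to show that an alert rule without a message still alerts under drop-first ordering, a comment saying so would stop the next reader from "fixing" it.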
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+ - --simulate-ips
+ - -k none
+
+pcap: ../issue-5466-alert-then-pass-01/icmp_and_ssh.pcap
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 322
+ match:
+ event_type: drop
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+ - filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop