ssh: deprecate ssh.softwareversion keyword

author Philippe Antoine <pantoine@oisf.net>

Wed, 10 Jul 2024 20:52:48 +0000 (22:52 +0200)

committer Philippe Antoine <pantoine@oisf.net>

Mon, 15 Jul 2024 13:54:41 +0000 (15:54 +0200)
author Philippe Antoine <pantoine@oisf.net>
Wed, 10 Jul 2024 20:52:48 +0000 (22:52 +0200)
committer Philippe Antoine <pantoine@oisf.net>
Mon, 15 Jul 2024 13:54:41 +0000 (15:54 +0200)
diff --git a/tests/ssh-banner-lt7/test.rules b/tests/ssh-banner-lt7/test.rules

new file mode 100644 (file)

index 0000000..7bd4680
--- /dev/null
+++ b/tests/ssh-banner-lt7/test.rules
@@ -0,0 +1,2 @@
+# ssh.softwareversion is deprecated in favor of ssh.software this is just to check if it still works
+alert ssh any any -> any any (ssh.softwareversion:OpenSSH_7.4; sid:2;)
diff --git a/tests/ssh-banner-lt7/test.yaml b/tests/ssh-banner-lt7/test.yaml

new file mode 100644 (file)

index 0000000..3c9ab43
--- /dev/null
+++ b/tests/ssh-banner-lt7/test.yaml
@@ -0,0 +1,23 @@
+requires:
+  lt-version: 7
+
+pcap: ../ssh-banner-only/input.pcap
+
+args:
+ - -k none
+
+checks:
+  # Check that we have the ssh event in eve.json
+  - filter:
+      count: 1
+      match:
+        event_type: ssh
+        ssh.client.proto_version: "2.0"
+        ssh.server.proto_version: "2.0"
+        ssh.client.software_version: "OpenSSH_for_Windows_7.7"
+        ssh.server.software_version: "OpenSSH_7.4"
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
diff --git a/tests/ssh-banner-only/test.rules b/tests/ssh-banner-only/test.rules

index dfeade1e4b5307e6fff4f08a89328167e20b4927..b9d158f83577f4e47ed244382435921d1c1f5e3b 100644 (file)
--- a/tests/ssh-banner-only/test.rules
+++ b/tests/ssh-banner-only/test.rules
@@ -1,4 +1,2 @@
  alert ssh any any -> any any (ssh.software; content:"OpenSSH"; sid:1;)
-# ssh.softwareversion is deprecated in favor of ssh.software this is just to check if it still works
-alert ssh any any -> any any (ssh.softwareversion:OpenSSH_7.4; sid:2;)
  alert ssh any any -> any any (ssh.proto; content:"2"; sid:3;)
diff --git a/tests/ssh-banner-only/test.yaml b/tests/ssh-banner-only/test.yaml

index 02e82d20ca7783a0376cdb118a7a8ff0b7fe27a7..02cb266306e2ca8f6ede95468cc6e91355a595cc 100644 (file)
--- a/tests/ssh-banner-only/test.yaml
+++ b/tests/ssh-banner-only/test.yaml
@@ -1,6 +1,3 @@
-features:
-    - RUST
-
  args:
   - -k none
  
@@ -19,11 +16,6 @@ checks:
        match:
          event_type: alert
          alert.signature_id: 1
-  - filter:
-      count: 1
-      match:
-        event_type: alert
-        alert.signature_id: 2
    - filter:
        count: 2
        match:
author	Philippe Antoine <pantoine@oisf.net>
	Wed, 10 Jul 2024 20:52:48 +0000 (22:52 +0200)
committer	Philippe Antoine <pantoine@oisf.net>
	Mon, 15 Jul 2024 13:54:41 +0000 (15:54 +0200)
tests/ssh-banner-lt7/test.rules	[new file with mode: 0644]	patch \| blob
tests/ssh-banner-lt7/test.yaml	[new file with mode: 0644]	patch \| blob
tests/ssh-banner-only/test.rules		patch \| blob \| blame \| history
tests/ssh-banner-only/test.yaml		patch \| blob \| blame \| history